As you’re probably all bored of hearing by now, Working From Home/Remotely is the new norm for pretty much anyone that can. Those of us who’ve been doing this for a number of years can take it for granted and ask ourselves “What’s the big deal?”. It’s been a recurring point of conversation amongst my colleagues, friends and family, and it got me thinking: initially all the talk has been about getting up and running, but what does this mean in security terms?
It’s always an interesting debate as Security is often seen as a constraint or cost so people bury their heads in the sand. I completely understand the need to get people connected and productive but it’s only a matter of time until this arms race bites us!
So what advice can I offer?
Well, this comes in two flavours: advice for us as individuals in our day-to-day lives and advice to business owners. Arguably this advice will benefit both camps, as good personal security habits naturally transfer into the workplace and vice versa.
Before that though, a word from our sponsor...
Before we get into the actual advice piece I’d like to cover what I believe are the most common security threats we need to consider:
Whilst there are numerous types of Cyber Criminals with differing motivations (and I won’t go into all of these here), the most likely variant is the one motivated by money. We’ve already seen these guys trying to capitalise on the recent COVID-19 pandemic with fake news articles, information apps, testing kits, etc.
Ultimately these guys are just trying to get our money through deception and extortion.
Again this is a category which has multiple flavours. Some insiders may be disgruntled with their employer and seek to cause them financial harm; others will actively steal information for profit, especially as the COVID-19 pandemic is affecting everyone’s income and/or living costs (personally I’m one of the lucky few who is able to keep working but my food and utility bills are going through the roof!).
The last flavour is accidental (I won’t say negligent at this stage as it really depends on too many specific factors); by opening up our normal channels of access (using new tools, different devices and home networks) we increase the possibility that company data may get copied, transmitted or stored insecurely. This in turn opens us up to the Cyber Criminals as they seek to gain access.
For those of you who may not be aware, business security traditionally starts at the perimeter (firewalls, etc.) with things like Intrusion Prevention and Gateway AV. Over time, as we’ve adopted more and more cloud services, we’ve added to that perimeter by locking down access so it is only allowed from the company premises, or by implementing DLP (Data Loss Prevention), which scans traffic and activity as it goes to and from the business premises. But in our haste to enable, have we thought about how we extend this to our users’ homes?
So What Can We Do?
For the individual
- Ensure you have a good working environment: some of us have the luxury of a home office (sadly I am not one of the lucky ones), others have to share family spaces like the living room or dining room. Whichever camp you’re in, ensure that you have your back to the wall and can see the room; this reduces the chances of those you live with seeing sensitive or confidential data over your shoulder. It’s also great for seeing the kids coming if you’re on a call or if they have a tendency to want to ‘work’ with you.
- Don’t share devices. Again this can seem like a luxury, as not all staff will be given a company device; on the flip side, there is a growing trend for staff who do have one to use it for everything rather than purchase a personal device. But you really do not want to be sharing devices, as it opens you up to the risk of files being accessed by others, login credentials being saved (most commonly in browsers) or malicious applications being installed (deliberately or by accident).
- Ensure your device is healthy:
  - Make sure you keep up to date with updates and security patches. More often than not this should be on by default, but take the time to check and manually kick off an update as soon as possible.
  - Ensure you have Anti-Virus (AV) software installed, that it’s up to date and that it’s scanning regularly. Most AV products can run scheduled scans and you should have these running once a day; granted, sometimes this can be a pain as it may really affect your device performance, so schedule this outside your normal working hours.
  - If you have any file sharing software (Peer-to-Peer) such as BitTorrent, uninstall it; these types of applications are a hotbed for potential infections.
- Lock your screen when you get up, even if you’re just popping to the toilet or getting a cup of coffee. Press Windows Key + L to lock your machine; this helps mitigate risks while you’re away from your machine if you work with sensitive data or if you have ‘little helpers’ round the house.
- Do not store business data on your device. Your company will no doubt provide you with a storage solution, whether that be a hosted desktop, SharePoint/OneDrive, Dropbox (etc.) or a file share located on premises. Only store your data here; while this may be slower than usual to access, it’s better than duplicating company data on your personal device. If you do inadvertently download a file or need to copy it locally as an interim, ensure that you remove it immediately.
- Practice good password hygiene. We covered this in one of our previous blogs so please check that out, but in summary: ensure that each account you have has a unique password and make sure the passwords are complex. Linking words together into a phrase is a great way to achieve this and make them memorable; TobleroneRoloCombo is a good example (it’s a Ross Noble gag). If you have trouble with this, look into password managers; there are plenty of free ones and they can really help you implement strong passwords without the headache of trying to remember them.
And lastly… wherever possible implement MFA (Multi-Factor Authentication). While there are no silver bullets in security, MFA is the closest thing: it essentially combines a good password with a second separate factor or device (TXT message, mobile app), which industry research has shown stops around 97/98% of security breaches.
- With the lock down forcing more of us to work from home there has been an increase in Cyber Criminals attacking home routers. I won’t go into too much technical detail on how this is done or how the devices are identified, but there are plenty of free tools such as Shodan. Essentially there are plenty of routers out there that have remote access enabled for one reason or another and where the default password or device firmware hasn’t been updated since it was installed. I won’t go through the specific steps on addressing this as it obviously varies from device to device, but all manufacturers publish easy to follow instructions. Make sure you update the default password to something strong and complex and ensure you are running the latest firmware for your device. If you want to take it a step further you can also update your WiFi password to kick off any old devices you’ve forgotten about, or set up a separate network to keep your ‘work’ device separate from other devices in the house.
- Be mindful of what internet content you access. A big attack vector for cyber criminals is phishing e-mail, specifically around COVID-19, with links to ‘information’ sites or sites which can sell you ‘cures’ or self-testing kits. If this is something you’re interested in, go to your normal news and health care vendors’ sites directly (BBC, CNN, NHS, etc.).
For any site you do go to, ensure that there is a padlock or green bar showing that the site is running a secure HTTPS connection. Also make sure the address makes sense; attackers often use addresses which look similar to present false sites.
As an example, https://www.amazon.co.uk very easily becomes http://www.amozon.co.uk.
You may also want to look at script blocking plugins for your browser; NoScript is a good example. This can prevent scripts from compromised legitimate websites running on your machine. It can be a little annoying to the uninitiated, as pages may not load properly until you approve the script(s), but once you get used to it, it can be a big help. Similarly, if you visit a website which wants you to enable notifications, say “No”; there have been cases where these pop-ups have been compromised and once approved can give attackers access to resources on your device such as your webcam.
- Practice Social-media distancing; attackers will often use social media as a means of sharing the aforementioned bad links with you or as a means of gathering personal information about you that they can use for identity fraud.
  - Check your profile permissions and ensure you’re not publicising anything to anyone who isn’t a direct connection.
  - Have a look through your connection/friends list and trim off anybody you don’t know.
  - Do not accept connection/friend requests from anyone you’ve never met in person or that doesn’t have a profile photo; it’s still possible to fake these but that’s a lot of effort so the chances are slim.
- Keep your meetings private; we’re all familiar with the current trend of Zoom Bombings, so whatever conferencing tool you use for your internal and client meetings, either set a PIN or use a lobby system and admit each attendee.
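The address check described above (HTTPS plus "does the address make sense") can be automated. The following is an added example, not part of the original post: it flags a link whose hostname is within a couple of character edits of a site you trust, using the post's amazon/amozon pair. The trusted list, function names and distance threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the sites this user really visits (assumption).
TRUSTED_HOSTS = ["www.amazon.co.uk", "www.bbc.co.uk", "www.nhs.uk"]


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop a character
                           cur[j - 1] + 1,             # add a character
                           prev[j - 1] + (ca != cb)))  # swap a character
        prev = cur
    return prev[-1]


def check_url(url, trusted=TRUSTED_HOSTS, max_distance=2):
    """Return a list of warnings for a link; an empty list means no concerns."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("no HTTPS")
    if host in trusted:
        return warnings
    # Not an exact match: find the trusted host it most resembles.
    nearest = min(trusted, key=lambda t: edit_distance(host, t))
    if edit_distance(host, nearest) <= max_distance:
        warnings.append(f"lookalike of {nearest}")
    else:
        warnings.append("not on trusted list")
    return warnings


if __name__ == "__main__":
    for link in ("https://www.amazon.co.uk", "http://www.amozon.co.uk"):
        print(link, "->", check_url(link) or "ok")
```
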
For The Businesses
- Map out what tools and data your different departments/business units use. One of the best ways to provide access to company resources externally is through a VPN. VPNs are great as they create a secure tunnel between your users and your business IT infrastructure. The downside, however, is that a lot of businesses implement this VPN strategy too broadly. By default a device connected on a VPN can ‘see’ all the other devices on the network. This is great for initial setup and convenience but does open the business up to risks, including virus infection, ransomware or remote access for an attacker, especially if users are using their personal devices which haven’t enjoyed the same level of care and protection from the IT team as the business devices.
Instead, VPN policies should be configured to only allow users to access the resources relevant to their role. This may mean having different policies for different user types, but the extra effort is well worth it.
- Ensure that MFA is enabled on everything that can be. Regardless of whether or not you have strong password policies and don’t re-use passwords, a password is still a single factor that can be overcome with enough effort. MFA significantly reduces an attacker’s ability to compromise accounts and often adds little to no cost to the business. Ideally, having a single MFA solution for all of your systems is best from a usability perspective for your users.
MFA can significantly improve your security without the need for complex VPN policies or, in some cases, VPNs at all!
- Where possible extend your business’s Mobile Device Management (MDM) solution out to your users’ home devices. This will very quickly give you the ability to do a health check on the devices before allowing them access. Additionally this will help your IT team deploy applications to your users, set up devices or provide troubleshooting assistance.
- Where possible extend your EndPoint protection solution to your remote devices (both business owned and personal). EndPoint Protection typically includes AV but can also include other features such as Content Filtering, which can prevent users from accidentally (or deliberately) accessing inappropriate or malicious web content.
In some cases these solutions can also assess the health of devices and isolate them if there are issues or infections detected through Threat Detection Response.
- Ensure that your users are aware of the tools they should be using within the business; this can be as simple as providing a list of URLs and shortcuts so they don’t need to search for things on their own. One good example is explaining how SPAM is handled by the business. A common tactic among cyber criminals is to send e-mails posing as the business’s SPAM filter (some SPAM solutions deliver a daily digest which summarises all of the e-mails blocked for an individual); this usually involves providing a list of supposedly blocked e-mails with titles that suggest they are of importance:
  - Latest COVID-19 Guidance
  - Outstanding Invoice
  - Parcel Tracking
Once you click on them to ‘release’ the e-mails, the links actually take you to a malicious site to either infect your device or capture your login details.
So make sure your staff know if you use such tools or not. The best thing to do with any e-mail you’re unsure of or not expecting is delete it; NEVER open any attachments or links. If this is a contact you regularly deal with but the e-mail sounds off or looks suspicious, pick up the phone and give them a call.
Additionally make sure your staff know how to report SPAM and Phishing; some solutions integrate directly into your e-mail client, others require you to send these on for analysis. NEVER forward SPAM or Phishing e-mails on; send a screenshot to your IT team to investigate. If they need the original they can explain to your users how to attach and share this safely.
- Implement e-mail tagging; most e-mail solutions allow you to label or tag e-mails that come from outside the business. This can include coloured banners across the top of the e-mail with reminders to be wary of links and attachments, and these are great for highlighting spoofed e-mails. An e-mail which has genuinely come from a colleague on the same e-mail system will never come from outside, so if you get the typical request for money transfers and payments which is supposedly from a colleague or boss and it’s got this banner, you can be pretty confident it’s fake.
- Branding is another great tool. If you have applications (web-based or otherwise) that support adding your company logo then do so; this can give your users a very obvious visual cue if they are greeted with a generic login for an application they frequently use, and help to stop their login credentials being captured.
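To illustrate the e-mail tagging point above, here is an added example (not from the original post or any particular mail product) of the logic a tagging rule applies: mail that arrived from outside gets a tag, and outside mail that claims a colleague's name or the company domain is flagged as a likely spoof. The domain, staff names, sample messages and the `arrived_from_outside` flag are assumptions constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.co.uk"}        # assumed company mail domain
STAFF_NAMES = {"jane smith", "sam patel"}   # constructed staff directory
TAG = "[EXTERNAL]"

# Constructed sample: arrives from outside but borrows a colleague's name.
SAMPLE_SPOOF = (
    "From: Jane Smith <jane.smith@mail.example.net>\n"
    "To: accounts@example.co.uk\n"
    "Subject: Urgent payment\n"
    "\n"
    "Can you make this transfer today?\n"
)
# Constructed sample: ordinary outside sender, no colleague claim.
SAMPLE_SUPPLIER = (
    "From: Parcel Desk <noreply@parcels.example.com>\n"
    "To: accounts@example.co.uk\n"
    "Subject: Delivery update\n"
    "\n"
    "Your order has shipped.\n"
)


def tag_inbound(raw, arrived_from_outside):
    """Tag outside mail and flag messages that pose as a colleague.

    arrived_from_outside comes from the mail gateway's knowledge of how the
    message was delivered (assumption), never from the From header, which
    the sender controls.
    """
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    claims_internal = (domain in INTERNAL_DOMAINS
                       or " ".join(display.lower().split()) in STAFF_NAMES)
    subject = msg.get("Subject", "")
    if arrived_from_outside and not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}"
    return {
        "external": arrived_from_outside,
        "suspected_spoof": arrived_from_outside and claims_internal,
        "subject": msg["Subject"],
    }
```
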
Select Webinar: Securing the new normal
Watch Russell, joined by Neil Tyson from Rightway Compliance, discussing the issues surrounding cyber security in the current climate. What are the threats and risks, what are the solutions, and how can we protect ourselves?