High-Level Guidelines on Information Security when Working from Home
Posted on Tuesday, March 24th, 2020

What guidelines should your organization be concerned with regarding information security when working from home? The world has entered “uncharted territory”. This was a statement from the World Health Organization (WHO) about the current COVID-19 pandemic. In reaction to this, companies across the world have fallen in line with health guidance on social distancing and self-isolation by allowing employees to work remotely. So, we find ourselves in unprecedented times in terms of work life.

Whilst this move is welcomed by those who are most at risk of becoming seriously ill and by healthcare professionals, companies must take stock of the security implications.

Here we look at some of the key security issues that affect remote workers and how to minimize their impact.

Security Concerns for Remote Workers and Companies

Cybercriminals are great at taking advantage of any situation and the COVID-19 or Coronavirus pandemic is like honey to a wasp in terms of attracting fraudsters. As expected, cybercriminals are setting the stage for cyber-attacks based on COVID-19. There are already multiple Coronavirus-related cybersecurity scams, many of which may affect remote workers out of reach of an internal IT team. A recent warning from the National Fraud Intelligence Bureau (NFIB) talks about increasing numbers of such scams.

Just a few examples:

  • COVID-19 phishing kits and hacking tools on the dark web

Security vendor Check Point recently discovered that Coronavirus-related domains were twice as likely to be malicious as other domains. The company also saw that cybercriminals were encouraging wannabe hackers on the dark web by offering cheap phishing kits and other hacking tools using a COVID-19 discount code.

  • COVID-19-related Phishing emails

Several Coronavirus scams have been targeting users. One example is an email phishing campaign that uses the World Health Organization branding. The email uses social engineering in the form of fear and uncertainty to encourage the recipient to click a link that goes to a malicious website.

As well as targeted COVID-19 scams, other more general remote working security issues exist. These will continue to require serious consideration, even after the current pandemic settles. Security considerations include:

Increased insider threats

Both malicious and accidental insider threats should be anticipated because of remote working. “Out of sight, out of mind” should be a consideration expressed in your remote working security policy. Much of this threat can be attributed to accidental data exposure from lost devices or insecure data sharing.

Secure connections

Secure connectivity outside of the corporate firewall can be an issue. Many home routers are potential sources of risk. The malware known as VPNFilter infected over 500,000 home office routers in 2019. Once a router is infected, the malware is used to intercept data and steal personal information and login credentials, a so-called Man-in-the-Middle (MitM) attack.

Insecure mobile devices

Mobile apps are renowned for being a risk to data. And the remote worker, outside of corporate control, may turn to a preferred app to work from. Many mobile apps are specifically designed for the remote worker; however, apps should be security assessed by your organization for compliance and data security.

In addition to the issues around compliance, mobile apps can also carry malware. In 2019, there was a 50% increase in smartphone and app-related cyber-attacks.

Low-tech security and remote working

Low-tech issues are also a concern for remote workers. From shoulder surfing by housemates to shared passwords and devices, critical and sensitive data can be at risk.

5 Ways to Make Remote Working Safer

The challenge of COVID-19 may have changed our working practices but it does not need to negatively impact our security hygiene. Whilst working from home, employees should be supported and encouraged to work safely. These 5 ways to do that can help to create a security culture, even outside the office:

1-   Remote working policy capture

Begin as you mean to go on by covering remote working in existing security policies. This is your chance to document the entire cycle of remote work needs. Typical items included in a remote working security policy are:

  • Access rules for logging into a corporate resource – e.g., only allow access from an approved device
  • Controls over peripherals such as removable media
  • Rules on access to company resources, including emails and cloud apps from non-company devices

Remote working policies should also include any compliance considerations for home working. For example, you may need to extend a Data Privacy Impact Assessment (DPIA) to cover home working.

2-   Security awareness at home

Remote workers are at risk of social engineering by cybercriminals. Phishing awareness, in particular, is an important aspect of security awareness for the home worker. Remote security awareness training programs can be used for remote workers, to help them to spot the tricks of phishing and prevent malware infections on home as well as work devices.

In addition, security awareness training can ensure that staff understands the importance of security hygiene. This provides employees with an understanding of issues such as shoulder surfing, data exposure, and good password hygiene within a home and office environment.

3-   Security tools for the job

Whilst staff are working from home you should consider providing them with tools to help secure their devices and prevent data leaks. Some of the most useful for remote working include:

  • Full disk encryption – many home workers will work on highly sensitive data. If these data are stored on a device, like a laptop, full disk encryption could help protect the data if the device is lost or left in a shared house environment.
  • Endpoint protection – depending on your infrastructure, you may be able to take advantage of Endpoint Detection and Response (EDR) software. EDR software monitors endpoints (computers and other devices). The software looks for unusual events and sends out an alert to a system administrator and/or the user.
  • Virtual Private Network (VPN) – VPN software can prevent MitM attacks in remote locations such as a home or other remote network.
  • Secure communications – ensure that any collaboration portal you choose has robust access control measures and places security as a priority.

If you need extra security for especially critical work, you could consider setting up a virtual environment for an employee. Whilst more work is required to set this up, a virtual machine (VM) is useful for creating a controlled environment and can reduce the exposure of the company network/data to the vagaries of a home environment.

4-   Sanction lists

Make lists of tools that are accepted for use by home workers. This should include tools that are used to generate and share data, for example, mobile apps and collaboration portals. Whilst you may potentially get some staff who flout this rule, you can incorporate it into your company security policy to help enforce it.

5-   Authentication and remote access

Having robust authentication to access company resources is always a best practice. However, in a home working situation, it is essential. Wherever possible, ensure that second-factor authentication is used for any corporate resource access.

In addition, the principle of least privilege, if not already used in your company, should be seriously considered. From this, an application of Zero Trust identity policies can be used to control access and ensure that data is accessed on a need-to-know basis. This will reduce the risk of data leaks.

While this pandemic plays out across the world, we must all pull together to minimize its impact on our health. This may mean using methods of social distancing, including remote working. Once the virus has reduced in scale and scope, we may be able to go back into our offices and settle back down to ‘normal life’. However, this taste for working from home may well continue. We may be forced to take stock of our cybersecurity during COVID-19, but this is likely to stand us in good stead for the future too.

Related articles

https://www.hitachi-systems-security.com/beware-cyberattacks-targeting-victims-worldwide-and-capitalizing-on-covid-19-panic/

https://www.hitachi-systems-security.com/blog/a-guide-to-response-planning-for-covid-19/
