SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Fri, 29th May 2020

The very rapid and extensive uptake of remote working precipitated by the COVID-19 pandemic has presented enormous challenges to organisations and their employees.

Simply getting the technology in place to make remote working possible has taken considerable resources. Ensuring this technology is secure, and keeping it that way, will require a vigilant approach by IT staff and employees alike.

Every employee-owned device and every third-party network employees use to work remotely becomes a new avenue of attack that can be exploited by cybercriminals.
Remote working greatly increases an organisation's attack surface, which can become difficult for IT staff to monitor and control.

Here's what you need to do to make your home working environment and systems secure, and protect yourself and your employer.

Lock down your device

If you are using a home PC that is shared among family members, create your own password-protected account that no-one else can access and use only that account for work. Choose a strong password, do your day-to-day work from a standard (non-administrator) account, and make sure none of your children has an administrator account.

Keep your device up to date

Corporate IT departments are religious about applying patches and software upgrades to corporate devices. Many patches exist specifically to close newly discovered vulnerabilities before attackers can exploit them. Corporate IT can't do this for your home PC, so you must: turn on automatic updates and keep the operating system, your browser and your antivirus software current.

Secure your network

Use a strong password for your WiFi network and make sure it is using WPA2 (or WPA3 where your router and devices support it). The older WPA and WEP protocols are comparatively very insecure; WEP in particular can be broken in minutes.

Change the administrator password on your broadband modem/WiFi router. Many ship with defaults such as 'user' or 'admin' for the username and password and never prompt you to change them. While you are in the router's settings, install any available firmware update.

Furthermore, if you have home security systems and other devices such as baby monitors, cameras and remote lighting controls, put them on a separate WiFi network (most routers offer a guest network that is isolated from the main one) so that a compromised gadget cannot be used as a stepping stone to your computer and, from there, to your employer's network. Many of these devices ship with minimal security settings and default passwords, which makes them prime targets for attackers.

Be alert for phishing attacks

'Phishing' refers to emails that persuade the recipient either to visit a URL that installs malware or to enter their username and password into a fake website that mimics a legitimate one. It is one of the most common ways in which corporate email accounts are breached.

Be very suspicious of any email that links to a page asking for your username and password, and check where the link actually goes before you click: the visible text of a link and its real destination can differ. Many phishing emails masquerade as coming from reputable organisations. In the current climate, the Centers for Disease Control and Prevention and the World Health Organization are especially popular with criminals.

Be especially wary of any email about the coronavirus. Cybercriminals have seized on the fear, uncertainty, doubt and general thirst for information about the virus. Since the beginning of March, daily registrations of coronavirus/COVID-19 related domain names have skyrocketed from about 1000 to 6000, and you can be sure most of those are not genuine.
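The link-level warning signs described above (visible text that does not match the real destination, raw IP addresses, lure words such as "covid" or "login" in the domain, no HTTPS) can be checked mechanically. The following is an added example, not code from the original article or from any vendor it mentions; the email body, the domains in it and the list of lure words are all constructed for illustration, and a real mail filter would add checks of its own.

```python
# Added example (not from the original article): spot the link-level indicators of a
# phishing email. Uses only the standard library. The email body and every domain in
# it are constructed for illustration; ".example" is a reserved TLD.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one lookalike WHO lure, one genuine-looking internal link,
# one link to a bare IP address.
SAMPLE_EMAIL = """
<p>Dear colleague,</p>
<p>The World Health Organization has published updated guidance. Please sign in to read it:
<a href="http://who-int-covid19-login.example/secure">https://www.who.int/</a></p>
<p>Company news is on the intranet:
<a href="https://intranet.example.com/news">intranet.example.com/news</a></p>
<p>Timesheets are due Friday: <a href="http://203.0.113.5/login">Submit your timesheet</a></p>
"""

# Words that turn up in lure domains; extend this for your own environment (assumption).
LURE_WORDS = ("covid", "corona", "login", "secure", "verify", "account")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased host of a URL; tolerates bare 'host/path' strings without a scheme."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def looks_like_url(text):
    """Visible link text that a reader would take to be an address."""
    return "." in text and " " not in text


def check_link(href, text):
    """Return the list of reasons this link is suspicious (empty means none found)."""
    reasons = []
    host = host_of(href)
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("target is a raw IP address rather than a named site")
    if not href.lower().startswith("https://"):
        reasons.append("target is not served over HTTPS")
    if looks_like_url(text) and host_of(text) != host:
        reasons.append(f"visible text shows {host_of(text)!r} but the link goes to {host!r}")
    hits = [w for w in LURE_WORDS if w in host]
    if hits:
        reasons.append("lure words in domain name: " + ", ".join(hits))
    return reasons


def scan_email(html):
    """Map each href in the message to its list of warning reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "ok")
```

Run it and only the intranet link comes back clean; the WHO lookalike is flagged three times (text/destination mismatch, lure words, no HTTPS) and the timesheet link twice (raw IP, no HTTPS). The same mismatch check is what you do by hand when you hover over a link before clicking.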

Practise good password hygiene

The rules are quite simple: never reuse a password across sites; use a mix of upper and lower case letters, numbers and symbols; and make every password at least eight characters long, and longer where the site allows it, because each extra character adds more strength than swapping in another symbol.

Here's why. At the guess rate behind these figures, an attacker would need about 57 days to try every eight-character password drawn from the full character set, but could exhaust the eight-character letters-only passwords in about three hours. The exact numbers depend on how fast the attacker's hardware can guess and on whether the site's password hashing slows each guess down, so treat them as an illustration of the ratio rather than a guarantee; what does not change is that every extra character multiplies the attacker's work by the size of the character set.

These requirements make passwords hard to remember, but plenty of password manager programs (some of them free) solve that problem by generating and storing a unique password for every site. If you reuse a password across sites, one compromised site is enough to give criminals access to your other accounts.
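The arithmetic behind the "57 days versus three hours" comparison is simple enough to work through, and doing so shows why length beats character-set juggling. The block below is an added example, not code from the original article: it computes the keyspace, the strength in bits and the worst-case exhaustion time for several policies at an assumed guess rate (one billion guesses per second is an assumption for illustration, not a measurement), and it also works backwards to the guess rate each of the article's two figures would require.

```python
# Added example (not from the original article): the brute-force arithmetic behind the
# password advice above. It models an offline attacker who can try guesses at a fixed
# rate; the rates used are assumptions for illustration, not measurements.
import math

# Character-set sizes for common password policies (printable ASCII is 95 characters).
CHARSETS = {
    "lowercase letters": 26,
    "upper + lower case letters": 52,
    "letters + digits": 62,
    "letters + digits + symbols": 95,
}


def keyspace(charset_size, length):
    """Number of distinct passwords the attacker must be prepared to try."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """Strength in bits: each extra character adds log2(charset_size) bits."""
    return length * math.log2(charset_size)


def worst_case_days(charset_size, length, guesses_per_second):
    """Days to exhaust the whole keyspace at the given rate (expected time is half this)."""
    return keyspace(charset_size, length) / guesses_per_second / 86400


def implied_rate(charset_size, length, seconds):
    """Guess rate an attacker would need to exhaust the keyspace in `seconds`."""
    return keyspace(charset_size, length) / seconds


def compare_policies(guesses_per_second, lengths=(8, 12, 16)):
    """Return (policy, length, bits, days) rows sorted from weakest to strongest."""
    rows = [
        (name, n, round(entropy_bits(size, n), 1), worst_case_days(size, n, guesses_per_second))
        for name, size in CHARSETS.items()
        for n in lengths
    ]
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    RATE = 1e9  # assumed: one billion guesses per second against a fast, unsalted hash
    for name, n, bits, days in compare_policies(RATE):
        print(f"{n:2d} chars, {name:<28} {bits:5.1f} bits  {days:>16,.2f} days")
    # Guess rates that would reproduce the article's two eight-character figures:
    print(f"57 days for 95^8 -> {implied_rate(95, 8, 57 * 86400):.2e} guesses/s")
    print(f"3 hours for 52^8 -> {implied_rate(52, 8, 3 * 3600):.2e} guesses/s")
```

Two things fall out of the table. A 12-character password of lowercase letters only has a larger keyspace (about 56 bits) than an 8-character password using every printable character (about 53 bits), so a longer passphrase your password manager generates is the better default. And the article's two figures imply different guess rates (roughly 1.3 billion per second for the 57-day case and 5 billion per second for the three-hour case), which is why such numbers should be read as illustrations rather than as measurements.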

Use a virtual private network (VPN)

A VPN encrypts the traffic between your PC and the VPN endpoint. If you use your employer's VPN, the endpoint sits inside the company network, so your data is protected all the way from your computer to your company's IT systems. If you use one of the many commercial VPN services instead, the tunnel ends at the provider: all your traffic, corporate communications included, passes through their systems, where the VPN layer of encryption is removed before the traffic is forwarded to its destination. Anything not separately protected (for example by HTTPS/TLS) is then visible to the provider, a third party outside your employer's control.

However, a VPN can create a false sense of security. If you have fallen for a phishing email and clicked a link that installed malware on your computer, that malware can ride the corporate VPN connection to reach corporate systems and data: the VPN authenticates your machine, not the intentions of the software running on it.

Don't download corporate data

Working from home will give you access to all sorts of company data, but don't be tempted to download any of it to your home PC, even where that is technically possible. Doing so could expose the data to attackers and could well put you, and your employer, in breach of rules that protect personal data, such as the Notifiable Data Breaches scheme under Australia's Privacy Act 1988.

Access to such data should be strictly limited to those who need it, but many companies fail to do this. A recent global survey by IT security company Varonis found 53% of companies had more than 1000 sensitive files accessible by all employees.

Keep your devices close

If you work in public places such as cafes and trains, make sure you keep your devices close at all times, and be aware of anyone watching you. Shoulder surfing - someone looking over your shoulder to read the screen of your device - can reveal sensitive information.

Get ready for the new order

As COVID-19 restrictions ease, there will be a return to working on-premises but it's widely expected that the pandemic will produce a permanent increase in home and remote working. Every employee will have a role and responsibility in ensuring their set-up is secure.

To ensure corporate data is kept safe from attackers, every employee should have basic cybersecurity training. Courses such as RESILIA Frontline provide the simple, practical guidance employees need to make the right decisions at the right time in the face of sustained cyber-attacks and digital exploitation.

To find out more about cybersecurity awareness training, visit this website.