As the UK entered lockdown, there was a rapid rise in the number of people working from home – more than ever before. A long-term pivot to remote working presented a significant security challenge. From setting up cloud-based IT systems to ensuring that teams did not, and do not, become victims of unscrupulous cyber criminals, COVID-19 resulted in several key considerations for businesses that must ensure cyber security while at the same time managing a remote workforce.
With a large number of people working from home networks, which often lack the advanced security devices found within the corporate environment, there was an accompanying increase in the attack surface for cyber criminals to target.
Some workers may have been using their own home computers to access corporate data with no guarantee that those devices conform to corporate standards in areas such as anti-virus or security patches. There was a risk that an attacker could compromise a home-based worker’s computer and then use that as a pivot point to gain access to the corporate network.
Services like Zoom, apps like House Party and children learning from home are potentially huge threats to the IT environment, and decentralisation also caused challenges. The full risk of security breaches arising from the use of new web services is unknown, so where possible encrypted services should be used. IT teams using threat intelligence services or working with Managed Security Service Providers (MSSPs) will receive regular updates listing malware and ransomware scams targeting employees, but hackers may also have been hunting down zero-day security vulnerabilities to exploit later, in a kind of sleeper attack that is almost impossible to detect in advance.
With working routines changing (remote/office/blended) – what do companies need to have in place right now? And in the future?
With working from home comes a collective responsibility for security. A ‘secure working from home guide’ should be issued to all employees, with clear procedures for protecting business data and reporting suspected attacks.
IT teams have to manage devices accessing corporate data from a large number of different locations, and devices over which they have little or no control. So IT and cyber-security teams need to be extra vigilant for possible malicious activity. Ideally, laptops and other hardware devices should have hardware encryption.
Phishing attacks aiming to pull off Business Email Compromise (BEC) scams are a concern. Remote workers should be trained to spot suspicious emails and query them. It’s essential that remote workers double-check the authenticity of messages, emails and phone calls. If in any doubt, the exchange should be reported to an internal security team contact point, who should log and share attempts to warn other employees.
A corporate VPN is an essential security measure, especially for remote workers who may be using suspect connections. However, it is worth bearing in mind that more licences may be required to support larger numbers of remote workers, and that bandwidth may be restricted at certain concurrent user numbers. It is also particularly important that VPN endpoints are fully patched, as with any other software. VPN use should be subject to two-factor authentication (2FA), which is simple to set up on VPNs from the likes of WatchGuard and Palo Alto Networks.
Mandating strong passwords (that are not shared with others) adds an extra layer of security and should be supported by two-factor authentication. Employees should install critical updates when prompted but must not visit illegal or inappropriate sites which pose significantly more risk of ransomware and malware infection.
Many businesses will already be familiar with elements of Microsoft’s Office 365. Building on top of the usual desktop suite of Word, Excel and PowerPoint by taking advantage of powerful collaboration tools such as SharePoint and Teams not only avoids service duplication, but also simplifies data security and policy enforcement.
Many businesses took the opportunity to issue remote workers with a dedicated laptop, which can be centrally managed and configured in accordance with internal data policies, as well as protected by the company’s choice of endpoint protection. If remote workers are using their own PC equipment from home, it is vital to ensure that they have installed reputable anti-virus tools, such as Kaspersky AV or Carbon Black, and that the AV is up to date with the latest signatures.
A common pitfall is for internal security teams to mandate tools and processes that are highly secure, commercially approved and a very poor fit for the processes that remote workers are required to carry out in the course of their everyday role. The result is typically a ‘workaround’, involving third-party services or USB drives, especially where data sharing and storage is concerned.
In this case, it is important to assess exactly what processes are required by workers and provide a solution that fits the bill. This might be in the form of approved cloud storage or file sharing tools that can ensure that data is properly encrypted and stored according to industry best practice.
Short-term escalation of edge security to manage the enormous rise in employees accessing critical data through consumer-level networking is necessary. It will be a challenge, though, with many companies calling on MSSPs to ask how to build out VPN services quickly. Many don’t have biometrics or alternative measures in place for 2FA, or hardened enterprise-class security on the edge, and putting those policies and practices in place can take time, but it is necessary for the current crisis and any future pandemics.
The change in the way we work may never fully rebound so, for the future, ensure robust business continuity planning, secure remote working and the adoption of a cloud-first business model.
What technologies are needed?
There are a huge number of excellent remote working tools, from secure cloud storage services, Microsoft’s tools including Teams, Google’s G-Suite through to Zoom. However, not all will be a good fit for your business and processes, so don’t be blinded by the big names.
When looking for advice, a reputable IT services provider can help navigate the choices available today, while the UK’s National Cyber Security Centre (NCSC) has published best practice guidance designed to protect data in remote working environments.
To ensure productivity, the key functions to cover include online meetings, document sharing, project management, telephony, security, backup, and cloud-based software and apps.
Cloud-based products like Microsoft’s Office 365 can keep employees connected from anywhere with a reliable internet connection and can offer them full access to workplace tools such as Word, Excel, PowerPoint, OneNote, Outlook, Publisher and Access.
Hosted desktops provide a good solution for businesses wanting to maintain central control of access to all critical business data and applications. Hosted desktops remove the need for maintaining individual high spec PCs pre-loaded with relevant applications and programs, as staff can use a laptop, smartphone, tablet or PC to access everything they need from the cloud, from any location with an internet connection.
If ever there was a time to ensure that data is backed up, it’s now. Saving and storing work is extremely important, so provide employees with software to ensure their critical documents are backed up to an approved external site that is not permanently connected to their device. At this time, cloud recovery solutions from reputable providers also offer a wealth of benefits ensuring your data is secure in high-tech UK data centres and recoverable within either seconds, minutes, hours or days depending on your needs.
Finally, do invest in cloud storage and backup data as this avoids files only being stored on remote devices.
Will we see AI, VR/AR being introduced sooner than expected as a result to help with things like training and meetings?
I believe that AR specifically will have a real drive in terms of interactive sessions when it comes to training (it would have been very effective in primary and secondary schools) and meetings, as more and more organisations are realising the benefits of home working. I’m sure there would be strides in VR as well; however, with the requirement for every attendee to have the required equipment (and hardware capable of running said hardware), it may move somewhat slower than advances in AR.
AI may be driven more towards assistance with research and possible automation of tasks; however, again, it’s whether it would be of greater benefit to aspects such as training and virtual meetings or not.
What are the biggest challenges COVID-19 has created for cyber security?
Phishing emails are by far the most common entry method we see. These are often designed to trick a user into divulging their login credentials for a particular service (e.g. Microsoft Office 365). Once an attacker has obtained these credentials, they will be used to attempt to access corporate data, such as email. Many of these types of phishing attacks lead to an attacker attempting some form of fraud; invoice fraud is a common technique, where an attacker will request that payment details be changed on a genuine invoice.
The second most common attack we see is against services running within the corporate network which have been exposed to the Internet. The most common of these we see being targeted is the Microsoft Remote Desktop Protocol (RDP), where attackers attempt brute-force attacks to try and log in to the service by identifying weak credentials. There may be an increase in these types of attacks during the current period, as organisations who had previously not offered staff a remote working method have exposed services such as RDP to the Internet to quickly allow access to home workers.
We see attacks taking place across all types of organisations. Many of these attacks are carried out in an automated manner against a large number of targets with the intention that a small number of them will be successful. Some industries, for example financials, will always face more targeted attacks due to the increased potential gains for the cyber-criminal. No business should assume they won’t be the target of an attack; cyber-criminals will happily ransomware the small business making widgets as they would a nationwide chain of solicitors.
What are the best practices for employees to follow?
Educate users on how to spot suspicious emails; a large number of attacks are initiated by exploiting humans, the weakest link in the security chain.
Ensure staff are using strong, complex passwords which are unique to each service they log in to. Password1 may meet the corporate password complexity policy, but isn’t going to offer much of a hurdle to an attacker.
Where possible, enable a two-factor authentication (2FA) method on any internet-based services which users log in to. This will offer protection should a user’s login name and password be compromised.
Ensure anti-virus is installed and up to date on devices. If a user is using their home PC to access corporate data, verify that they have an up-to-date anti-virus product installed; if not, offer guidance on installing an anti-virus product or utilising built-in products such as Microsoft Windows Defender on Windows 10.
Ensure the latest security patches are installed; this is particularly important for any devices which expose services directly to the Internet.
Routers on home networks generally don’t have the same security features as corporate firewalls and may sometimes automatically expose devices on the home network to the Internet via Plug and Play technologies. Historically, some brands of home router have also had serious security vulnerabilities or have exposed a login page using default manufacturer credentials. In conjunction with users, it would be possible to identify any such devices which pose a substantial risk.
Patterns of what is classed as normal behaviour will have changed as more staff work remotely. Wherever possible, monitor activity and look for suspicious patterns of behaviour; for example, if your users are all UK based, look for remote access connections originating from outside the UK. If your organisation utilises a Security Information and Event Management (SIEM) solution, it can help to spot these unusual patterns of behaviour, as can next-generation AV products.
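As an added example (not code from the article or from the organisations it quotes), the following Python script runs the two detections described above over constructed remote-access log lines: brute-force login attempts against an exposed RDP service, and successful remote logins from outside the UK for a UK-only workforce. The log format, the IP-to-country table, the threshold and the window are assumptions; a real deployment would read the SIEM's own events and a GeoIP database.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines: timestamp, service, outcome, user, source IP.
SAMPLE_LOG = """\
2020-04-14T08:01:05 rdp FAIL administrator 203.0.113.7
2020-04-14T08:01:06 rdp FAIL admin 203.0.113.7
2020-04-14T08:01:07 rdp FAIL jsmith 203.0.113.7
2020-04-14T08:01:09 rdp FAIL root 203.0.113.7
2020-04-14T08:01:10 rdp FAIL guest 203.0.113.7
2020-04-14T08:15:00 vpn OK jsmith 198.51.100.20
2020-04-14T09:02:11 vpn OK asmith 192.0.2.55
"""
# Constructed stand-in for a GeoIP lookup (hypothetical country assignments).
IP_COUNTRY = {"203.0.113.7": "RU", "198.51.100.20": "GB", "192.0.2.55": "US"}
ALLOWED_COUNTRIES = {"GB"}  # assumption: a UK-only workforce

def parse_line(line):
    """Split one constructed log line into a dict with a datetime timestamp."""
    ts, service, outcome, user, ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "service": service,
            "ok": outcome == "OK", "user": user, "ip": ip}

def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return source IPs with >= threshold failed logins inside any window."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def find_foreign_logins(events, allowed=ALLOWED_COUNTRIES):
    """Return (user, ip, country) for successful logins outside `allowed`."""
    return [(e["user"], e["ip"], IP_COUNTRY.get(e["ip"], "UNKNOWN")) for e in events
            if e["ok"] and IP_COUNTRY.get(e["ip"], "UNKNOWN") not in allowed]

def analyse(log_text=SAMPLE_LOG):
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"brute_force": sorted(find_brute_force(events)),
            "foreign_logins": find_foreign_logins(events)}
```

Tune the threshold and window to the organisation's own baseline, and treat a hit as a trigger for investigation rather than proof of compromise.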
Rebecca Morpeth Spayne,
Editor, Security Portfolio