Tackling Remote Working Cyber Risks as Covid-19 Spreads
By Phil Muncaster / 20 March 2020
It takes a lot for corporate working practices to change almost overnight. But the spread of the Covid-19 coronavirus appears to be doing just that. At the time of writing, the disease had infected over 245,000 people globally, including over 3,000 in the UK, but the real total could be much higher. That’s why the government is recommending “social distancing” measures, which effectively mean that the population should work from home where possible and avoid any non-essential contact with others.
Remote working has been taking hold for a number of years in the UK, but never on such a scale. Yet while there’s little doubt social distancing is an important strategy to help contain the virus, there may be unintended consequences. Cyber criminals are primed and ready to exploit any weaknesses in corporate cyber security plans that could result from mass home working.
Home Is Where The Laptop Is
Home working has been on the rise ever since flexible working regulations were introduced a few years ago. The benefits speak for themselves: cost savings linked to streamlined office facilities, and happier, more productive employees. A study of 7,000 workers last year revealed that they feel more productive because of fewer interruptions and experience less stress from commuting and office politics.
However, there has never been such demand to work from home on a national scale before. Sectors such as legal, recruitment and healthcare may have a greater burden given that these and other verticals have traditionally eschewed remote working. Some reports have even suggested that Covid-19 could lead to a permanent realignment of working patterns. If that turns out to be true, then it makes sense to start as you mean to go on, by understanding the cyber risks associated with home working and taking proactive steps to mitigate them.
A Cyber Pandemic
Phishing is perhaps the biggest threat to home workers. It has long been the method of choice for cyber criminals to deliver malware and trick employees into divulging their corporate log-ins. But in a home working environment, the risks are arguably multiplied by two factors: employees may not have sufficient anti-phishing protection installed on home machines; and they may be more easily distracted than in the office — potentially mixing work and personal email/browsing.
True to form, hackers have been quick to capitalise on widespread hunger for more news about the pandemic, delivering phishing emails spoofed to come from official bodies such as the World Health Organization (WHO). Many of these claim to contain new information and ‘tips’ on how to avoid infection, delivered through booby-trapped links and attachments. There have also been more coordinated attempts from nation-state hackers to use the pandemic as a lure to spear-phish certain employees of targeted organisations.
Ransomware has swept across the globe in recent years, with cyber criminals focusing their efforts today almost exclusively on corporate targets. But the rise in remote working could provide another incentive to increase the volume of campaigns. As if organisations weren’t already reliant on web-based communications to run their business, the new state of play makes them even more vulnerable to any service disruption. If IT teams are focused primarily on supporting remote working en masse, there’s a risk that they may be distracted, allowing hackers to penetrate defences.
Unsecured endpoints are another common problem for corporate IT security managers. But the challenge is multiplied if a huge number of extra endpoints in employee homes must be managed and protected overnight. If just one of these is running outdated software or operating systems, it could provide a stepping stone for hackers to infiltrate corporate networks.
Smart home threats could also present a risk to corporate networks. Trend Micro has revealed in past research how smart speakers could be hijacked and used to access employer networks.
Taking Back Control
In the face of such an onslaught, smaller businesses may be particularly exposed to cyber risks as they’re forced to allow home working without being able to adequately secure users and connections. Some security vendors, including SentinelOne and Trend Micro, are offering their services for free for a limited time in order to help cushion the blow for these organisations.
Here’s a list of other steps that can help:
- Update security awareness programmes so home workers know all about the latest Covid-19 phishing scams doing the rounds
- Ensure home workers have updated their router and smart devices with new strong passwords
- Where possible, mandate only the use of corporate devices for home working (laptops, tablets etc)
- Require VPNs for secure communications with the corporate network
- Enforce a zero-trust policy for use of any business cloud applications. That means a “never trust, always verify” approach using multi-factor authentication (MFA)
- Don’t allow any devices to connect to the corporate network without checking they are adequately secured and running the latest OS version
- Make sure home workers’ friends and family aren’t using their work machine/device
- Urge home workers to back up regularly
- Revisit access controls according to “least privilege” policy and consider placing more restrictions on sensitive accounts/systems as appropriate
- Update your incident response plan to take account of the new situation
The SANS Institute has created a handy five-point checklist for remote workers.
For more information about remote working and how you can successfully implement agile working practices in your business, check out this blog.