As more offices adopt remote working and ask their employees to work from home in response to the COVID-19 outbreak, security concerns have become a growing issue all over the world.
Due to the actions of criminals who are exploiting the coronavirus pandemic to target companies with cyberattacks, organisations and individuals have to make sure that they are working and meeting online securely and minimising their vulnerability to further disruption from online threats.
Potential data breaches would not only adversely affect a business’s reputation and revenue but also put customers at risk and consequently affect the quality of the service they receive.
Adapting to a new way of working
Social distancing to reduce the spread of COVID-19 has forced many businesses to quickly and unexpectedly shift their operations to remote working.
In the process, new security threats have surfaced as hackers are exploiting widespread panic and the time it takes for people to get accustomed to new conditions to steal valuable information.
Besides the online threats, companies have to contend with other issues that arise from having employees working at home, including a general lack of privacy and the transfer of data over unsecured networks and devices.
Guidelines for companies and employers
The European Union Agency for Cybersecurity (ENISA) has provided useful advice to companies and employers on how to manage more successfully the transition to telework as a result of COVID-19.
- Provide continuous feedback and guidance to staff on how to deal with the most common issues
- Use remote access solutions that offer at least authentication and secure working sessions with encryption.
- Offer training to understand the importance of basic online security, including strong passwords and two-factor authentication.
- Learn how to make web apps and virtual solutions for videoconferencing more secure by changing their settings and installing privacy tools and add-ons.
The increase of people who are working from home is expected to continue for the foreseeable future, most probably even after the coronavirus crisis. Therefore, investing in the infrastructure and expertise that allows people to work remotely will prepare businesses to grasp the opportunities that lie ahead.
Tips for employees
ENISA has also issued a separate set of recommendations for employees who are currently working from home.
This move from office to home can present both technical and personal difficulties to individuals, especially as the usual boundaries between the workplace and private life start to break down.
- Check that wireless connections are secure and where possible use of a virtual private network (VPN).
- Check that applications, particularly security software, are up-to-date. Browser extensions and privacy add-ons should also be frequently checked to ensure that the latest versions are installed.
- Check that people in your household cannot easily log into your accounts and see confidential work information, and avoid sharing devices or leaving them in places where others can use them.
Besides the technical considerations mentioned above, two other important factors that influence the risk of a cyberattack are the level of trust and responsibility shown by people in their new circumstances. It is essential to keep communication lines open at a time when people feel more isolated and distant from each other.
ISO certification and business information security
STEP helps companies to be in line with the ISO / IEC 27001:2013 standard concerning information security, and possibly go for certification.
During the consultancy or implementation phase, we help customers to “preserve the confidentiality, integrity and availability of information by applying a risk management process that gives confidence to interested parties that risks are adequately managed”.
We see which risks are applicable to a company, give them a rating, see whether these are acceptable or not, and if not, we see which controls need to be implemented. Further to that, we make sure that the control (such as the implementation of a particular policy) has been performed.
Teleworking is only one of many areas relating to business information security. During the process leading up to ISO 27001, we discuss and consider these areas too:
- Software use
- Information transfer within the team and among clients/suppliers
- IT equipment use and disposal
- Systems access
- Wi-Fi Access
- Remote working
- Incident Management, e.g. loss of a mobile phone, or an information breach
Preparing for what lies ahead
In these uncertain times, it is more important than ever for companies to put in place a recovery plan which details their response should they be targeted by a cyberattack arising from a work-from-home situation.
As companies adapt to this new reality, the guidelines and recommendations issued by authoritative bodies like NIST in the US and ENISA in Europe can be ideal starting points to help them implement and spread better data practices among employees.
Finally, exercising caution and maintaining good hygiene can help us stay safe both in the real and the virtual world.
Common-sense initiatives such as never sharing sensitive information online, verifying sources, using encrypted services and VPN, and installing the latest security updates for web apps used for online work can go a long way to ensuring a secure and successful teleworking experience.