Guidance on secure working

The Cybersecurity and Infrastructure Security Agency (CISA) has released guidance about securely working from home, including:

• Update, update, update:  Ensure any VPNs (definition below) and any devices being used for remote working are updated with the latest security configurations.
• Notify employees: Employees should be made aware of the expected rise in scam emails and ‘phishing’ attempts that may threaten security.
• Use Multi-Factor Authentication: Increase security by adding more stages to your logins, such as Google’s two-factor authentication. Alternatively, advise employees that they should use strong passwords.
• Test VPNs: Prepare your VPN for mass usage by testing it – you will need to consider the amount of bandwidth you will need for all your employees to access it easily.

What is a VPN?

A Virtual Private Network (VPN) creates a secure connection between home and office. For this to be secure, usually a firewall is used – not all firewalls have this VPN function, though, so double check with your IT provider before attempting to set it up. You will likely need licences from your firewall vendor to use a VPN, especially if every member of staff needs VPN access, as you’ll need more licences than usual.

VPN traffic is carried over your internet connection, so will require significant bandwidth to support all your staff. It’s important to consult with your IT support when arranging this, as you may come across issues such as internet connections struggling with upload speeds.

Security threats you should be looking out for

Forewarned is forearmed when it comes to internet security, so make sure you’re looking out for these signs of vulnerability:

• Suspicious remote access connections: VPN sessions should be carefully monitored by IT admins and security managers to detect suspicious connections.
• Cloud data access: Common cloud-based storage systems such as SharePoint make working from home feasible, however they are also vulnerable to cyberattacks when a whole team is accessing sensitive data. Be sure to inform your employees not to put convenience over security and refrain from loading documents directly onto their personal devices and jeopardising the security of those files.
• Privilege escalations in Microsoft Teams: Users in Teams may simply add co-workers into particular teams to give them access to certain files. Whilst this is convenient, it grants employees access to more files that they need to be seeing.
• Spike in failed login attempts: If you witness multiple failed attempts of a user logging in, it may be an outsider trying to gain access to sensitive data. Being more able to spot these attempts makes it easier to avoid such incidents in the future.

Be aware of vulnerable devices

Cybersecurity is not limited to your software – your devices also play an important part in preventing vulnerabilities.

These devices include:

• Printers: Some staff may prefer having hard copies of documents to hand, so use their home computer to print them. Warn your employees to avoid printing sensitive company projects and financial data and leaving them around the house.
• Personal devices: If your employees do not have company computers, they will have to access your network from their own devices. Be sure that these devices are clean of malware or viruses, and have anti-virus tools to ensure they stay clean. It is also advisable to have all devices used to access data that is protected under GDPR encrypted. Multi Factor Authentication can also make it much harder for third parties to access devices if they are lost or stolen.

Trading Standards warnings

Although there has been a tremendous outpouring of support and community during the coronavirus crisis, unfortunately scammers and hackers are seeing it as an opportunity for some easy wins, especially when people are already feeling anxious. Trading Standards around the country have issued warnings about new scams; many of these are being conducted on the doorstep, but among the warnings circulated by Kent Trading Standards are some that that could compromise your business’s cybersecurity:

• Emails claiming you can get a refund on taxes or utilities; they’re normally bogus and are just after your bank and personal details
• New mobile phone apps that claim to take you to updates on the virus , but which instead lock your phone and demand a ransom.

It’s worth alerting your staff to these scams and ensuring that they only use reliable sources for updates on the virus:

• Government WhatsApp Coronavirus Information Service: To access this free service simply add 07860 064422 in your phone contacts and then send the message ‘hi’ via WhatsApp.
• The government coronavirus website pages
• The NHS coronavirus website pages

National Trading Standards also provide free online training which should help you and your staff spot potential hoaxes at Friends Against Scams. 

With so many members of staff now working from home, your cybersecurity will be put to the test. Adopting the suggested measures will help ensure that you and your employees can work securely from home.

MEET THE EXPERT

Robert Best is marketing manager at Infotech, an independent IT support and service company based in Rochester, Kent.  Infotech has produced a checklist that will help you consider all aspects of the business and how they might be affected. You can download a copy here.

To find out how  Capital Space virtual offices or business premises

could benefit your growing business,

call 0800 107 3667