Cybersecurity in the time of COVID 19
The arrival of COVID 19 to our shores and the advent of “Stay Apart to Stay Safe” means that even confirmed and self-proclaimed Luddites are having to embrace the digital age. More than ever before we must rely on digital solutions to work, teach, learn and communicate.
COVID 19 has also caused widespread fear and anxiety, often exacerbated by a constant stream of reports and updates (including fake news) on the global crisis. In a nutshell, the pandemic has caused a perfect storm for cybersecurity, a fact which is being exploited by cyber criminals.
Everyone should be suspicious of any email, message or call from anyone you don’t know. You should also be wary of communications from people you do know where they are asking you to provide them with anything out of the ordinary, or with something urgently. Cybersecurity is a particular issue for employers who may not have the resources, due to the urgency of the need to adapt to remote working, to address the cybersecurity risks and challenges presented by remote working.
The European Union Agency for Cybersecurity (ENISA) has published useful tips for employers and employees on working from home including:
Recommendations for employers
- Provide secure video conferencing.
- Business applications must be accessible only via encrypted communication channels (SSL VPN, IPSec VPN).
- Access to application portals should be safeguarded using multifactor authentication mechanisms i.e. users should only be granted access after presenting two or more pieces of evidence.
- Prevent direct internet exposure of remote system access interfaces (e.g. RDP).
- Mutual authentication is preferred when accessing business systems (e.g. client to server and server to client).
- Provide employees with corporate computers/devices where possible for remote working. Ensure that these computers/devices have up-to-date security software and security patch levels and that users are regularly reminded to check patch levels. A replacement scheme for failing devices should also in place.
- BYOD (Bring your own device) such as personal laptops or mobile devices should be vetted using NAC, NAP platforms (e.g. patch check, configuration check, AV check etc.)
- Ensure that adequate IT resources are in place to support staff in case of technical issues while working from home; provide relevant information, e.g. on contact points, to staff.
- Ensure policies for responding to security incidents and personal data breaches are in place and that staff are appropriately informed of them.
Recommendations for Employees
- Use corporate (rather than personal) computers where possible – unless BYOD has been vetted. As far as possible, do not mix work and leisure activities on the same device and be particularly careful with any mails referencing the corona virus.
- Connect to the internet via secure networks; avoid open/free networks. Most wifi systems at home these days are correctly secured, but some older installations might not be. With an insecure connection, people in the near vicinity can snoop your traffic (more technical people might be able to hijack the connection). The solution is to activate the encryption if it hasn’t been done already and/or to adopt a recent implementation. Note that this risk is somewhat mitigated by using a secure connection to the office.
- Avoid the exchange of sensitive information (e.g. via email) through possibly insecure connections.
- As far as possible use corporate intranet resources to share working files. On the one hand, this ensures that working files are up-to-date and at the same time, sharing of sensitive information across local devices is avoided.
- Be particularly careful with any emails referencing the corona virus, as these may be phishing attempts or scams (see below). In case of doubt regarding the legitimacy of an email, contact the institution’s security officer.
- Data at rest, e.g. local drives, should be encrypted (this will protect against theft / loss of the device).
- Antivirus / Anti-malware must be installed and be fully updated.
- The system (operating system and applications used, as well as anti-virus system) needs to be up to date.
- Lock your screen if you work in a shared space (you should really avoid co-working or shared spaces. Remember, social distancing is extremely important to slow down the spread of the virus).
- Do not share the virtual meeting URLs on social media or other public channels. (Unauthorised 3rd parties could access private meetings in this way).
Employers and employees must also remember that you have a legal obligation to report certain types of cyber incidents, and those obligations are not relaxed or suspended by the ongoing crisis. If you have not already done so, remind your employees of those obligations.
In summary, be clear what is expected of employees and have a simple reporting line for them for queries and any serious concerns they must report.