It’s been several weeks since many companies (mine included) implemented a remote working policy to keep our employees safe in light of the evolving COVID-19 situation.
As I’ve mentioned previously, it’s great to see a plethora of advice available online about how to protect our businesses as we transition to remote working, whilst maintaining productivity & team engagement levels. Experts like the Australian Cyber Security Centre (ACSC) have released comprehensive guides and useful tips on how to stay cyber secure during this period. Karl Hanmore, ACSC’s Acting Head, recently advised that businesses need to “be cyber-alert, not cyber-alarmed” amid these uncertain times – and I can’t agree more with this.
But as the weeks go on, new challenges and questions are arising every day as employees struggle to practically keep their personal devices and infrastructure safe from cybercrime. For example, employees are dealing with the frustrations of no longer being able to physically turn to their organisation’s IT or support teams for help when they want to set up multi-factor authentication (MFA) on their devices or update their software and operating systems. This can be stressful – especially for cyber-resilient employees who are working from home for the first time.
Most companies have (hopefully) released detailed resources and policies around how to remain cyber secure while working from home and have the necessary support systems in place to help their employees. To assist them further, we’ve compiled some of the most frequently asked questions (FAQs) we’ve heard from employees and some quick recommendations on how they can navigate cybersecurity challenges as they continue working from home. While this isn’t a comprehensive list, it’s a good summary that you can share with your teams as a quick reminder of the need to keep their cybersecurity hygiene up to scratch.
FAQs on remote working and cybersecurity:
Question: “Is it safe for me to use portable storage devices (e.g. USB drives) to store confidential company information (e.g. client contracts)?”
The simple answer is no. Refrain from saving any form of confidential data in devices that can be easily misplaced, lost and/or destroyed. In its new list of recommendations, the ACSC also recommends transferring files in more secure ways, such as your organisation's cloud storage or collaboration solutions.
Question: “Can I use my personal devices (e.g. home laptop) for professional tasks?”
As much as possible, try not to mix work and leisure activities on the same device. Personal devices are also often shared with other members of the household (e.g. spouses or kids). This increases the likelihood of your company data being accidentally deleted or shared. Your home devices may also not have the latest security patches and updates installed – increasing cyber risk.
Question: “How do I know if my available Wi-Fi networks are safe & trusted?”
While working from home, it’s generally safe to use your home internet or mobile internet service from your telecommunications provider. Avoid using public Wi-Fi networks – even those with names that look legitimate. For more information on the steps you can take to secure your Wi-Fi, see the ACSC’s recommendations on securing Wi-Fi and Internet Connections.
Question: “How can I keep my passwords secure?”
This is an important question, considering weak password hygiene and storage are still among the top factors exploited by cybercriminals when they're looking to hack into accounts. Update your passwords frequently, use different passwords for different accounts and keep them strong and unique. Don’t be worried about not being able to come up with or remember complicated passwords – you can always use a password manager, such as LastPass, that can generate passwords and store them in a vault.
Question: “What steps can I take to set up and secure MFA on my device?”
Multi-factor authentication (MFA) is key in avoiding unwanted transactions and protecting your data. Most cloud or online services now provide a way to use your mobile device or other methods to protect your accounts in this way. Here’s some information on how to use Microsoft Authenticator and other guidance on this approach. ACSC also provides some recommendations on the different proofs of identity you can use when setting MFA up on your device.
Question: “How do I know if an email or attachment I receive is malicious?”
This can undoubtedly get tricky – cybercriminals are, in fact, coming up with new, innovative ways every day to deceive you into thinking a hoax email is a real one. Here are 6 different red flags that you can look out for next time a suspicious email lands in your inbox. We advise all cyber users to be particularly vigilant when accessing their emails as cybercriminals are increasingly exploiting fears around COVID-19 to trick users – like these 5 types of Coronavirus-themed email scams we intercepted recently. For more information from the ACSC on how to identify and protect yourself from scams, see: Threat Update: COVID-19 Malicious Cyber Activity and Detecting Socially Engineered Messages.
While companies are implementing and updating the necessary technical measures and controls to combat the rising number of cyber risks posed by remote working, we can’t ignore the people and process side of security. Amid all the digital disruptions of these uncertain times, questions will continue to be raised, errors will be made, and oversights will happen – and this happens even to the best of us. However, I hope that by educating our employees and periodically sharing tips on remaining cyber resilient, we can reduce the likelihood of cybercriminals successfully exploiting the vulnerable and be in a better position to defend our businesses from cybercrime.
If you or your team have any further questions about securing systems while working remotely, feel free to share these in the comments below. Alternatively, you can also reach out to my team for support at firstname.lastname@example.org
Please remain vigilant. Now is not the time for lax security.