On May 2020, Kaspersky published an interesting report entitled How COVID-19 changed the way people work, which illustrates a series of statistics that are anything but reassuring on the level of awareness achieved by Italy regarding cyber security. in smart working.
In this post we'll try to summarize the fundamental concepts expressed in the report and to integrate them with specific observations and recommendations for companies, IT managers and system administrators interested in providing their employees with the appropriate protection tools to defend themselves from the risks related to cyber attacks on your remote work systems.
Three out of four employees at risk
According to the data published in the report, almost three out of four employees (73%) among those who carry out smart working activities have never received specific information security training or guidance to protect themselves from the risks associated with that particular type of job. Moreover, there is no doubt that the good practices that allow you to work remotely safely differ significantly from the standard measures that are transmitted and put into practice in the workplace, both as regards individual awareness of the risks associated with their activities and at the level of the technological tools to be adopted; just think of the fact that, while in the company it is almost always possible to count on an appropriately trained ICT team that deals with providing help-desk operators and support on a daily basis, this type of infrastructure is very often absent, unforeseen or impossible to provide the same level of service for smart working stations.
The consequences of this "lack of attention" are also highlighted in the report, which shows that almost one in four (24%) employees claims to have received COVID-19 themed phishing emails.
Beware... the boss!
How can we defend ourselves against this type of risk? As a matter of fact the first step to take should be to provide specific training for all our employees (including managers and administrators) on IT security topics, with a specific focus on the risks connected to the remote working practices.
The emphasis placed on the executive roles is not accidental, as it is proven that management often tends to be guilty "exempted" from this type of training: such choice can definitely result in a serious mistake, since the executive roles are often subject to these kind of attacks since they do have a greater decision-making capacity and an authorization level tipically higher than the average employee. Moreover, they are also tipically most vulnerable to some sneaky social engineering techniques (such as spear phishing) as they are usually less used to read huge amounts of e-mail messages.
IT Security and "remote" threats
Ensuring the protection of employees from an IT point of view inside their homes is a task that can be demanding for any company: the countermeasures adopted within the company, which are often based (and tend to take for granted) on a fixed presence of security personnel and on an infrastructure physically contained within the company perimeter, could prove ineffective or insufficient for this purpose.
It is therefore essential to establish and implement specific security measures for remote working, which are able to offer sufficient guarantees of risk mitigation against modern attacks aimed at operators' personal tools, including:
- Spam and phishing emails received on desktop, mobile and web mail clients outside the company walls / network perimeter.
- Cyberattacks on domestic connection devices such as home routers, switches, public WiFi hot spots, etc.
- Abuse of remote connection tools based on known protocols (RDP, VNC, etc.) or through third party software (TeamViewer, AnyDesk, RAdmin, etc).
- Theft of devices assigned to users in BYOD (Bring Your Own Device) or COPE (Corporate Owned, Personal Enabled) mode.
The risks of "Shadow IT"
The overall picture is further complicated by the fact that some of these tools can be implemented or used by operators without the explicit approval of the company management or IT security staff: such phenomenon is known as Shadow IT, a bad practice according to which the employee adopts independently and uncontrolled one or more technological tools (software or infrastructures) in order to optimize or make their work easier.
Such event tends to be rather common in small and medium-sized companies that have not yet adopted a working methodology based upon policies, processes and procedures; it goes without saying that the current COVID-19 emergency has also greatly increased those practices in a dizzying way: according to the numbers collected by the Kaspersky survey made available in the report (6,000 workers worldwide) many employees declared they had eventually picked some "not explicitly authorized" software tools for either video conferences (35%), instant messaging (39%) and/or cloud file storage (35%).
Risk mitigation techniques
These troubling numbers can definitely help to understand the absolute importance of communicating to employees the existence and danger of the numerous IT risks associated with remote working and the necessary set of instructions, best practices and know-how on how to mitigate or avoid them.
To counter those dreadful scenarios, Kaspersky recommends the following guidelines, which can definitely help employers and businesses stay on top of any potential IT security issues and remain productive while staff are working from home:
- Ensure your employees have all they need to securely work from home and know who to contact if they face an IT or security issue.
- Schedule basic security awareness training for your employees. This can be done online and cover essential practices, such as account and password management, email security, endpoint security and web browsing. For that very reason, we suggest to take a look to the Stay Safe, Stay Secure initiative, a free online cybersecurity course offered by Kaspersky and Area9Lyceum to help employees to increase their remote working IT Security awareness and learn the best practices to mitigate the risks coming from the most common threats.
- Take key data protection measures including switching on password protection, encrypting work devices and ensuring data is backed up.
- Ensure devices, software, applications and services are kept updated with the latest patches.
- Install proven protection software on all endpoints, including mobile devices, and switch on firewalls.
- Ensure you have access to the latest threat intelligence to bolster your protection solution.
- Double check the protection available on mobile devices. For example, it should enable anti-theft capabilities such as remote device location, locking and wiping of data, screen locking, Two-Factor Authentication (2FA) and biometric security features like Face ID or Touch ID, as well as enable application controls to ensure only approved applications are used by employees. For additional info about these security measures, how they work and why is important to enable them, we strongly suggest to check out our free Two-Factor Authentication (2FA) Tutorial Guide.
- Ensure your router supports and works smoothly when transmitting Wi-Fi to several devices simultaneously, even when multiple workers are online and there is heavy traffic (as is the case when using video conferencing).
- Regularly update your router to avoid potential security issues.
- Set up strong passwords for your router, Wi-Fi network and all personal accounts. Moreover, be sure to always change the default passwords for all your devices, since they are most likely known by potential hackers that could use them to infiltrate through your system.
- If you can, only do work on devices provided by your employer. Putting corporate information on your personal devices could lead to potential security and confidentiality issues.
- Do not share your work account details with anybody else, even if it seems a good idea at the time.
- Always feel able to speak to your employer’s IT or IT security team if you have any concerns or issues when working from home.
That's it, at leat for the time being: we hope this brief guide will help companies and their IT managers and system administrators to provide comfortable protection tools to their employees and minimize the risks due to phishing and other cyber attacks to their "remote" workstations.