Staying secure while working from home – advice from our founders on The Lockdown Show

Pete and Roz appeared on the latest edition of The Lockdown Show to give businesses advice on staying secure with so many people working from home. Here’s an edited transcript of the points they made:

WFH – an opportunity and a threat

I think we all know why we are working from home and for some of us it might be an opportunity to look at the advantages of home working during this period of lockdown, and take time to reassess how we interact with clients, especially if they might be 200 miles away and we can make good use of video calls.

Certainly for us, we have been able to carry out remote assessments and continue to move cyber security forward for organisations who now have time to dedicate to this.

However other opportunists think slightly differently to this and many threat actors are already changing the way they exploit vulnerabilities in both people and companies’ external perimeters.

We are seeing a rise in cleverly crafted phishing emails, text message and even bogus phone calls as a way to communicate with potential victims and tricking them to take the bait.

Action Fraud – the National Reporting Centre for Fraud and Cybercrime – has already seen businesses lose £800K to Coronavirus scams. (remember, this only represents the ones that are reported – thought to be less than 15%). They typically relate to online shopping scams, charity fraud, and lender loan fraud. They go on to mention that coronavirus related fraud reports have seen an increase by 400% in March. This is at a time when not only have we moved to working from home but have increased our use of online shopping sites to reduce unnecessary journeys.

Google are reportedly blocking 18 Million hoax Covid-19 emails to Gmail users every day.

How are we all coping?

So how are we all coping? There was a tremendous initial effort by IT companies and IT departments to enable workforces to operate remotely, involving laptop purchases, and deployment on a large scale, adoption of Office 365 and other cloud services.

A lot of users will be using remote systems for the first time. It is possible that with the speed of deployment many users might not have some of the standard security measures fully implemented.

This may include having escalated privileges on your user account to get around some file restrictions whilst working from home.

You might have a temporary Fileshare location setup for all client activities, such as Dropbox, Google Drive, or Box for example, if you cannot connect to your usual client file directory from home.

As an organisation you are responsible for company data, and you still need to understand what information you have, where it is stored, who has access and whether it is being backed up.

Some of these cloud file services have Sync tools which store company files on to the desktop, is this a company device…or a personal device, and does it align to your company policy?

Maybe you have a direct internet connection to your office server, without the additional security of a Virtual Private Network (VPN) which effectively protects your connection through a ‘Secure Tunnel’. Without this additional security layer you may be vulnerable to unauthorised access.

Which threats should you be looking out for?

So what are the cyber threats to home working that you need to look out for?

  • The first thing to think about is that the office perimeter has extended to every employee’s home, so you need to be extra vigilant about your network and monitoring your system for unusual activity.
  • Ensure that employees understand what is acceptable use, how they should be using and storing data, and what rules you have around using their own devices. Do they have separate accounts for these, and can other people access the same devices?
  • Ensure there is a written policy that employees have read and signed regarding these points.

The highest vulnerabilities at the moment will come from your people and what they do, so you need to be mindful of the following:

  • Phishing Emails – be careful not to click on the links!
    • They may be Offering Financial help – Grants and loans available once you send over bank details
    • NHS Health scam – masks and PPE being ordered on bogus ecommerce sites
    • HMRC – Asking for payment or notifying of refunds.
  • Threatening Emails – using stolen email accounts and other data to convince a vulnerable person that they have access to your device, your camera and then asking for money (in bitcoin) otherwise, for example, they will infect you and your family with Coronavirus.
  • Text messages – do you know the sender?
    • Text messages appearing to be from the Government with links to pay fines of £30 for going outdoors more than once per day
    • Text messages from false utilities companies that contain links that look genuine, offering payment holidays on your bills
    • Also, messages from HMRC with links to claim lump-sum payments
  • Phone calls – Be careful if it is from an unrecognised number?
    • Calls from fake charities asking for donations
    • Calls from fake financial institutions asking for bank details so they can pay Covid-19 grant funds into your account
  • Video Calls – ensure you make these private, not public, and that the workspace that is visible does not give away any of your personal details.
  • CEO Fraud – With your accounts team working remotely, put in extra checks (a phone call to a known number) to make sure that payments are authorised and using the right payee details.  Don’t trust emails from senior team members asking for urgent payments, or suppliers changing payment details without confirming with a phone call as a minimum.
  • Ecommerce sites- are they trusted sites, are you sure it is the correct domain, is it Https:
    • use credit cards, rather than debit cards or bank transfer, to make payments as this adds an additional fraud protection layer.

And finally…

  • Threat actors are playing on our high stress levels and crafting very legitimate looking messages to leverage their gains.
  • Be extra vigilant for phishing emails
  • Use strong and unique passwords to protect your user accounts
  • Enable 2 factor, (MFA) authentication where possible to add an extra layer of account security
  • Keep your operating systems and software patched and up to date
  • Run regular virus scans, at least daily
  • Review your incident response plan so that staff know what to do and who to call if they do click on a link or see suspicious activity.
  • Did we mention – BE EXTRA VIGILANT FOR PHISHING EMAILS

Thanks to the Exeter Chamber and everyone who contributed to putting on the Lockdown Show and for inviting us to participate.

Up-to-date advice

We have more up-to-date Covid-19 cyber security advice with some further tips on how to stay cyber safe, including links to the National Cyber Security Centre, Action Fraud and other sources of legitimate information and can be found at securious.co.uk/covid19