Teleworking cybersecurity risks prevention guide in time of COVID-19
At this time, millions of people around the world are working from home to avoid contact with people infected with COVID-19. However, this shift also creates opportunities for hackers: computers at home generally aren’t as well protected as those on company premises, and hackers are sensing this opportunity. Here’s a guide to protecting yourself against cyber risks:
1- Bring home only the devices and information that are absolutely necessary
The best way to protect information or devices against loss is by not removing them from their accustomed company environment in the first place. This way, they won’t get lost in transit or in your home. So make sure you take home only the devices and information that you really need.
Ensure that adequate IT resources are in place to support staff in case of technical issues while teleworking; provide relevant information, e.g. on contact points, to staff.
Ensure policies for responding to security incidents and personal data breaches are in place and that staff is appropriately informed of them.
Ensure that any processing of staff data in the context of teleworking (e.g. time keeping) is in compliance with the legal framework on data protection.
Data at rest, e.g. local drives, should be encrypted (this will protect against theft / loss of the device).
2- Safeguard your home network and communicate via secure connections
Because you’ll be using your private network at home, you’ll have to protect it accordingly, with strong WLAN encryption, a unique and complex password, and regular updates. Always work via a secure connection established by VPN, especially if you’re also exchanging sensitive information or are accessing the Intranet.
Ensure that the corporate VPN solution scales and is able to sustain a large number of simultaneous connections.
Provide secure video conferencing for corporate clients (both audio/video capabilities).
All the corporate business applications must be accessible only via encrypted communication channels (SSL VPN, IPSec VPN).
Access to application portals should be safeguarded using multifactor authentication mechanisms.
Prevent the direct Internet exposure of remote system access interfaces (e.g. RDP).
Mutual authentication is preferred when accessing corporate systems (e.g. client to server and server to client).
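The two points above about encrypted channels and about not exposing remote system access interfaces such as RDP directly to the Internet can be checked mechanically against a firewall rule set. The script below is an added example and is not part of the original guide: it flags every allow-rule that lets a remote-access service (RDP, SSH, VNC, WinRM, SMB) be reached from outside the trusted ranges, so that those services are only reachable through the VPN. The rule records, the port list and the VPN client pool (100.64.0.0/10) are constructed or assumed values; a real audit would load the rules from the firewall's own export format.

```python
"""Audit a perimeter firewall rule set for remote-access interfaces that are
reachable straight from the Internet rather than only through the VPN.

Added example, not part of the original guide. The rule records, the VPN
client pool and the port list are constructed/assumed values.
"""
import ipaddress

# Remote-access services that should be reachable only over the VPN.
REMOTE_ACCESS_PORTS = {
    3389: "RDP",
    22: "SSH",
    5900: "VNC",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
    445: "SMB",
}

# Source ranges treated as "inside": RFC 1918 space plus the range the VPN
# concentrator hands out to clients (100.64.0.0/10 is an assumed value here).
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),  # assumed VPN client pool
]


def classify_source(source):
    """Return 'trusted', 'internet-any' (0.0.0.0/0 or ::/0) or 'internet-limited'."""
    net = ipaddress.ip_network(source, strict=False)
    for trusted in TRUSTED_SOURCES:
        if trusted.version == net.version and net.subnet_of(trusted):
            return "trusted"
    return "internet-any" if net.prefixlen == 0 else "internet-limited"


def audit_rules(rules):
    """Return one finding per allow-rule that exposes a remote-access service
    to a source outside the trusted ranges. Severity is 'high' when the rule
    accepts the whole Internet and 'medium' when it is limited to some public
    range (still direct exposure, just a smaller one)."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        service = REMOTE_ACCESS_PORTS.get(rule["dport"])
        if service is None:
            continue
        exposure = classify_source(rule["source"])
        if exposure == "trusted":
            continue
        findings.append({
            "rule": rule["name"],
            "service": service,
            "source": rule["source"],
            "severity": "high" if exposure == "internet-any" else "medium",
            "fix": f"drop the rule and reach {service} through the VPN only",
        })
    return findings


# Constructed rule set: a web portal on 443, RDP open to everyone, RDP limited
# to VPN clients, SSH limited to a (public) office range, and a default deny.
SAMPLE_RULES = [
    {"name": "allow-https-portal", "proto": "tcp", "dport": 443, "source": "0.0.0.0/0", "action": "allow"},
    {"name": "allow-rdp-any", "proto": "tcp", "dport": 3389, "source": "0.0.0.0/0", "action": "allow"},
    {"name": "allow-rdp-vpn", "proto": "tcp", "dport": 3389, "source": "100.64.0.0/10", "action": "allow"},
    {"name": "allow-ssh-office", "proto": "tcp", "dport": 22, "source": "203.0.113.0/24", "action": "allow"},
    {"name": "default-deny", "proto": "any", "dport": None, "source": "0.0.0.0/0", "action": "deny"},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(f"[{finding['severity']}] {finding['rule']}: {finding['service']} "
              f"allowed from {finding['source']} -> {finding['fix']}")
```

Note that a rule limited to a single public office range is still reported: the guidance is to remove direct Internet exposure altogether, and the office can reach the service over the VPN like everyone else.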
Connect to the internet via secure networks; avoid open/free networks. Most wifi systems at home these days are correctly secured, but some older installations might not be. With an insecure connection, people in the near vicinity can snoop your traffic (more technical people might be able to hijack the connection). That having been said, the risk is not that much higher than when using public 'open networks' except for the fact that presumably people will be in the same place for a long time. The solution is to activate the encryption if it hasn't been done already and/or to adopt a recent implementation. Note that this risk is somewhat mitigated by using a secure connection to the office.
Avoid the exchange of sensitive corporate information (e.g. via email) through possibly insecure connections.
As far as possible use corporate Intranet resources to share working files. On the one hand, this ensures that working files are up-to-date and at the same time, sharing of sensitive information across local devices is avoided.
3- Keep the software on all your devices up to date
When you work from home, company and personal devices share the same network. Data traffic passes through the same router that is connected to many other devices, including various smart home appliances which, in the worst case, may not have any up-to-date protection. All of these are potential gateways for hackers, which is why it’s recommended that you allow all your devices, whether company or personal, to update automatically.
Provide where possible corporate computers/devices to staff while on teleworking; ensure that these computers/devices have up-to-date security software and security patch levels and that users are regularly reminded to check patch levels. It is advisable that a replacement scheme for failing devices is also in place.
Antivirus / Antimalware must be installed and be fully updated.
The system (operating system and applications used, as well as anti-virus system) needs to be up to date.
4- Don’t mix personal and business use of devices
Make a clear distinction between devices and information for business and personal use, and don’t transfer any work data to personal devices. This will prevent any unintended outflow of information. As a side effect, it also helps to psychologically separate the time you are “at work” from the time you are “at home”.
BYOD (bring your own device) equipment such as personal laptops or mobile devices must be vetted from a security standpoint using NAC/NAP platforms (e.g. patch check, configuration check, AV check).
Use corporate (rather than personal) computers where possible, unless BYOD has been vetted as per the point above. As far as possible, do not mix work and leisure activities on the same device, and be particularly careful with any mails referencing the coronavirus.
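The vetting that a NAC/NAP platform performs before admitting a BYOD endpoint (patch check, configuration check, AV check) maps directly onto the earlier points about patch levels, antivirus and encrypted local drives. The following is an added example, not code from the original guide or from any NAC product: it evaluates constructed posture records against assumed policy thresholds and decides whether each device is admitted to the corporate network or sent to a quarantine network for remediation. In practice a NAC agent would collect these attributes from the endpoint.

```python
"""Pre-admission posture check of the kind a NAC/NAP platform runs before a
BYOD endpoint is allowed onto the corporate network.

Added example, not part of the original guide. The posture records are
constructed and the thresholds are assumed policy values.
"""
from datetime import date

MAX_PATCH_AGE_DAYS = 30          # assumed: OS patch level no older than 30 days
MAX_AV_SIGNATURE_AGE_DAYS = 3    # assumed: AV signatures refreshed within 3 days
MAX_SCREEN_LOCK_SECONDS = 600    # assumed: screen locks after at most 10 minutes
TODAY = date(2020, 4, 1)         # fixed reference date so the example is reproducible


def check_posture(device, today):
    """Evaluate one posture record; return (compliant, list_of_failures)."""
    failures = []

    patch_age = (today - device["last_os_patch"]).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        failures.append(f"OS patch level is {patch_age} days old (limit {MAX_PATCH_AGE_DAYS})")

    if not device["av_installed"]:
        failures.append("no antivirus/antimalware installed")
    else:
        sig_age = (today - device["av_signatures"]).days
        if sig_age > MAX_AV_SIGNATURE_AGE_DAYS:
            failures.append(f"AV signatures are {sig_age} days old (limit {MAX_AV_SIGNATURE_AGE_DAYS})")

    if not device["disk_encrypted"]:
        failures.append("local drive is not encrypted")

    if not device["firewall_enabled"]:
        failures.append("host firewall is disabled")

    lock = device["screen_lock_seconds"]
    if lock is None or lock > MAX_SCREEN_LOCK_SECONDS:
        failures.append("screen lock missing or timeout above policy")

    return (not failures, failures)


def admission_decision(devices, today):
    """Map each hostname to 'admit' (corporate network) or 'quarantine'
    (remediation network that only reaches update and AV servers)."""
    decisions = {}
    for device in devices:
        compliant, _ = check_posture(device, today)
        decisions[device["hostname"]] = "admit" if compliant else "quarantine"
    return decisions


# Constructed posture records: a managed corporate laptop and a shared family PC.
SAMPLE_DEVICES = [
    {"hostname": "corp-laptop-01", "last_os_patch": date(2020, 3, 25), "av_installed": True,
     "av_signatures": date(2020, 3, 31), "disk_encrypted": True, "firewall_enabled": True,
     "screen_lock_seconds": 300},
    {"hostname": "family-pc", "last_os_patch": date(2019, 11, 2), "av_installed": True,
     "av_signatures": date(2020, 2, 10), "disk_encrypted": False, "firewall_enabled": True,
     "screen_lock_seconds": None},
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        ok, why = check_posture(dev, TODAY)
        print(dev["hostname"], "->", "admit" if ok else "quarantine", why)
```

The quarantine decision is deliberately all-or-nothing: a device with an unencrypted drive or stale AV signatures gets remediation-only access until every check passes, which is what the replacement scheme and the regular patch reminders mentioned earlier are there to support.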
It’s likely other members of your family are also being forced to remain at home, and they could be spending their time browsing the internet. During this time, they may be more susceptible to accidentally downloading a virus that can infect the entire network you are now trying to work on. Take inventory of the devices you use for work, and create a separate virtual network so that you are not on the same network as the rest of your family. Many routers offer the option to create these virtual networks. This is a more technical step, but is a great option for keeping your work traffic separate from the rest of your home’s traffic. A sample tutorial on how to do this can be found.
Voice assistants like Alexa and Siri listen to what’s being said in the room and transmit it to the provider. The possibility of these recordings falling into the wrong hands can’t be ruled out. So such devices have no business being in rooms where you discuss important matters, or should at least be switched off. And be sure to cover the webcam on your PC when you’re not using it and be careful what you share via the video function.
5- Proactively identify all participants in online meetings
Teleconferences and video conferences are an excellent substitute for in-person meetings. At the same time, however, it’s more difficult to verify whether everyone on the line has actually been invited. It’s especially easy for unauthorized persons who have acquired the dial-in data to sneak into large online meetings with lots of participants. That’s why everyone displayed in the meeting software needs to briefly identify themselves, particularly if you’re discussing sensitive topics and sharing presentations on the screen.
Do not share virtual meeting URLs on social media or other public channels (unauthorized third parties could access private meetings in this way).
6- Log off when you stop using your devices and store them securely
Even if you’re only taking a short break, lock the screen of your PC and mobile devices just as you would at work so that they aren’t accessible during your absence. And, of course, you also need to safeguard the devices themselves against unauthorized use or even theft when they’re in your home.
Lock your screen if you work in a shared space (you should really avoid co-working or shared spaces at this moment. Remember, social distancing is extremely important to slow down the spread of the virus).
7- Be extremely wary of suspicious e-mails or attachments, particularly if you don’t know the sender
Especially in the familiar environment of your home office, you need to be wary of suspicious e-mails. Studies show that the likelihood of falling victim to malicious intentions is particularly high in the home. In addition, do not be pressured by emails asking for immediate action or referring for example to the current Covid-19 crisis. Take your time and examine each e-mail thoroughly before you open it.
Try to verify the authenticity of the request through other means; do not click on suspicious links or open any suspicious attachments.
Be particularly careful with any emails referencing the coronavirus, as these may be phishing attempts or scams. In case of doubt regarding the legitimacy of an email, contact the institution’s security officer.
Be very suspicious of mails from people you don't know, especially if they ask you to follow links or open files (if in doubt, phone your security officer).
Mails that create an image of urgency or severe consequences are key candidates for phishing - in these cases always verify via an external channel before complying.
Mails sent from people you know, but asking for unusual things are also suspect - verify by phone if possible.
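The indicators listed in this section (unknown sender, pressure to act immediately or threat of severe consequences, references to the pandemic, requests to open links or files, and a sender you know asking for something unusual) can be turned into a simple triage score that decides whether a message should be verified through another channel before anyone acts on it. The script below is an added example and not part of the original guide: it parses a raw message with Python's standard `email` module and reports which indicators it hit. The two messages, the contact list and the scoring weights are constructed or assumed values; the output routes mail to a human check, it does not replace one.

```python
"""Heuristic phishing triage for inbound e-mail, based on the indicators in
the guide: unknown sender, urgency, pandemic references, links and
attachments, and a Reply-To that does not match the sender.

Added example, not part of the original guide. Messages, the contact list
and the scoring weights are constructed/assumed values.
"""
import re
from email import message_from_string
from email.utils import parseaddr

KNOWN_CONTACTS = {"colleague@example.org", "it-helpdesk@example.org"}  # constructed
URGENCY_PHRASES = ["immediately", "within 24 hours", "account will be suspended",
                   "urgent", "final notice"]
PANDEMIC_TERMS = ["covid", "coronavirus", "corona virus", "pandemic"]
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".html", ".lnk", ".iso")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _same_domain(host, domain):
    return bool(domain) and (host == domain or host.endswith("." + domain))


def _body_text(msg):
    """Concatenate the text parts that are not attachments."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and part.get_filename() is None:
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def triage(raw_message):
    """Score one raw message; return verdict, score and the indicators hit."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    sender_domain = _domain(sender)
    body = _body_text(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()

    indicators = []  # (description, weight); weights are assumed values
    if sender not in KNOWN_CONTACTS:
        indicators.append(("sender is not a known contact", 2))
    if reply_to and _domain(reply_to) != sender_domain:
        indicators.append(("Reply-To domain differs from the From domain", 2))
    if any(phrase in text for phrase in URGENCY_PHRASES):
        indicators.append(("pressure to act immediately / threat of consequences", 2))
    if any(term in text for term in PANDEMIC_TERMS):
        indicators.append(("references the pandemic", 1))
    hosts = re.findall(r"https?://([^\s/\"'>]+)", body, flags=re.I)
    foreign = [h for h in hosts if not _same_domain(h.lower(), sender_domain)]
    if foreign:
        indicators.append((f"links to {len(foreign)} host(s) outside the sender's domain", 2))
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    if any(name.lower().endswith(RISKY_EXTENSIONS) for name in attachments):
        indicators.append(("executable or macro-capable attachment", 3))

    score = sum(weight for _, weight in indicators)
    if score >= 5:
        verdict = "verify-out-of-band"  # phone the sender or the security officer first
    elif score >= 2:
        verdict = "caution"
    else:
        verdict = "normal"
    return {"verdict": verdict, "score": score, "indicators": [d for d, _ in indicators]}


# Constructed sample: an unsolicited "relief payment" lure with a macro document.
PHISHING_SAMPLE = """\
From: "HR Department" <hr@example-hr-update.com>
Reply-To: collect@mailer-drop.net
To: you@example.org
Subject: URGENT: COVID-19 relief payment - action required within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Open the attached form and confirm your bank details at
http://secure-login.mailer-drop.net/verify or your account will be suspended.
--b1
Content-Type: application/octet-stream; name="relief_form.docm"
Content-Disposition: attachment; filename="relief_form.docm"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

# Constructed sample: a routine message from a known colleague linking to the intranet.
BENIGN_SAMPLE = """\
From: colleague@example.org
To: you@example.org
Subject: Notes from today's call
Content-Type: text/plain; charset="utf-8"

Slides are on the intranet: https://intranet.example.org/projects/notes
"""

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, BENIGN_SAMPLE):
        print(triage(sample))
```

A message from a known contact that still asks for something unusual lands in "caution" rather than "normal" only if it also trips an urgency or link indicator, which is why the guide's advice to verify such requests by phone still applies on top of any automated score.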
In addition to risk prevention, we should assume that disruptions, data leakage or data compromise may happen at any time and anywhere. Organizations should prepare more detailed business plans that take into consideration cases such as:
Teleworking + Power Cut or Internet downtime at home
Teleworking + SMS Gateway (2FA) failure
Teleworking + Ransomware Attack
Teleworking + Critical Staff illnesses (COVID-19 or Other)