Gareth Brown
Suddenly I’m WFH?
Except you’re probably not
Staff who usually work from home are prepared and set up with dedicated equipment, securely configured for remote access. Usually staff working from home are also supported with training, procedures and with various contacts in the office to assist.
However, whilst many people are at home and working, I’m keen to point out that the vast majority are better described as working, in a crisis, from home to help reduce the spread of COVID-19 Coronavirus.
As a result, we certainly have to adapt, cooperate and compromise. Working at home sharing Internet access and possibly computers with family members is necessary. Sharing means we must be more aware of the extra security risks of mixing business and personal activities.
Additional security risks
Semantics aside, there are additional security risks when working at home.
Firstly, fraudsters act quickly to exploit current news and events for profit. Secondly, criminals have adapted their malware and practices with new COVID-19 themes. Together targeting people working at home to exploit the weaknesses and gaps introduced into new business processes.
In summary, staying mindful of these additional threats, positively contributes to controlling the risk.
Most common cyber attacks
The most common cyber attacks continue to be phishing emails followed by malware from compromised websites. However, whilst both threats are often well controlled when working on business network computers in the office, the same protection may not be present when working at home.
With so many staff working at home, extra risks are exposed because the business IT security controls do not extend into our home networks and devices.
Increasingly, staff working at home also rely on their personal mobile phones to deal with business email and research. Mobile phones are being targeted with malicious text messages and links. However, you’ve probably not won a gift card from Tesco, sorry!”
Currently, the most common themes reference the Corona Virus pandemic directly. Many pretend to provide documents or impersonating government initiatives and support. It has become usual for these messages to use a blend of genuine and fake websites to create an enhanced illusion of authority.
Stay mindful that the goal of criminal Internet activity is to steal your access credentials or install malware on to your computer. Ultimately fraudsters and criminals have a single intent to damage and threaten damage to your data.
New and novel attacks
- Receiving an intriguing phone call to introduce a sales prospect, setting an expectation to expect an email from a previously unknown contact. Check your spam they advised.
- A caller pretending to be from ‘IT’ and offering to assist with working from home to ‘fix the issue you reported’ and speed up the connection.
In more normal times, organisations rely on processes to permit secure remote working, however the rapid change to working at home, presents new opportunities for criminals to deceive and gain access to our systems.
Guidance for video conference
Working at home likely includes now using remote conferencing tools from Zoom, WebEx and Microsoft; it’s important to know the risks
Collaboration tools generally require a more open system, you never know for sure who else is on the call and if the discussion is being recorded or monitored, these risks scale with size.
Confidential and sensitive information should not be shared openly on conference calls, and extra care must be taken with video calls.
My policy for video conference
- Ensure the device is current and using updated software
- Choose a web browser rather than an app
- If we must use apps, keep them updated
- Protect meeting links with passwords, shared by text message
- Share meeting details rather than shortcut links
- Agree a method to verify who is on the meeting
- Control who can share their camera and microphone
- Disable file sharing and chat until required
- Confirm at the start. that the meeting should not be recorded
- Do not allow remote control of your screen
Accessing company data
Data security is important. Don’t allow their urgent to squeeze out your important.
When working at home, separate your private activities from work tasks. Do not allow children to access your work data and protect work connections from inadvertent or accidental access.
Handle paper documents with care, resist ‘recycling’ confidential waste that would normally be shredded, in the recycle bin.
Where practical, avoid using shared family equipment for work.
When your organisation has to later respond to a GDPR related query or business investigation, your home computer may have to be checked if you’ve used it for work.
Final thoughts for Home Working
Ensure devices that access any personal data use a password or PIN to unlock and an inactivity timeout to automatically lock again.
At the end of each day, power off computers. Some devices only blank the screen, but it is possible that they remain online and connected to the Internet.
Where you use a shared computer, a separate and exclusive login should be used for work, and if not possible inform your manager or IT contact.
If you experience unexpected or an unusual network issues or receive unexpected calls document them and report to you manager
Why choose to work with Sytec?
- We focus on reducing risk
- Our work and checks are separated independent processes
- We consider compliance and security checks as the default
- You will know which engineer has access and when they took action
- You will have phone, email and face to face access to security certified engineers
About Sytec
Sytec provides IT networking, security, audit, consulting, and support services to a broad range of businesses. Based in Salisbury, engineers are available to respond on a same day basis to ad-hoc or emergency requests, and within minutes for customers with a prepaid pool of consultative support.
We enjoy representing many other IT companies who require responsive field engineers, sytec.co.uk/subcontract for more about our coverage and response.