Cyber Security Guidance For Home Workers
Editor’s note: This article has been written to provide insurance brokers with guidance. You should refer to your own cyber insurance cover when considering this.
The UK’s work pattern has changed considerably in the previous few days. Working from home in the past was seen as an occasional perk for most employees, helping them to strike a work/life balance. However, working from home now has become vital in the fight against COVID-19, and to keep the economy going.
At present, no one really knows how long social distancing measures will last or when people will be able to return to their offices. Here at Pen, our Cyber Insurance team understands the added disruption and anxiety that could result from a successful cyberattack or loss of sensitive data during a time when business operations and defences are already fragile. We have therefore prepared the following guidance to help people to protect their company’s network resources and its sensitive information while working remotely.
The key points covered are:
- A summary of threats to systems and data to help you remain aware of potential issues and recognise potential attacks, especially when working remotely.
- Simple steps you can take to minimise risk to systems and data, which will help to ensure that systems remain operational and you protect both your client’s and your own data from loss or exposure.
Know the Risks: Increased Chance of Cyberattacks and Data Loss
The pandemic and the unprecedented shift to remote working will present new and evolving security challenges.
Phishing and “watering-hole” attacks. Just days after the crisis took hold, we saw criminals and nation-state actors launch attacks using pandemic-related phishing emails and watering-hole attacks.
Phishing emails use a lure ‒ typically a message about an urgent or inviting issue ‒ to trick users into taking some immediate detrimental action. Those actions might include opening a malicious email attachment, clicking a malicious link within an email, or taking some other action that may reveal sensitive credentials or information. Phishing emails tied to disasters and crises are common, and the pandemic has been no exception.
Attackers use watering-hole attacks to compromise users’ systems when they visit a site configured with malicious code. The code runs in the background and compromises vulnerable systems, often with no other action required by the user beyond visiting the site. Attack sites may be malicious sites set up to lure victims (such as the malicious COVID-19 tracking maps that recently appeared online) or legitimate sites, such as a popular news site, that an attacker has compromised and added malicious code to.
Both attacks could cause data loss or a network-crippling attack such as ransomware, which would be catastrophic for any company during this crisis.
Remote work leads to data sprawl. Employees working from remote locations are more likely to take risky actions that place data outside the firm’s defences and control. For example:
- An employee trying to print or share a sensitive file may send the file to his or her personal email address, exposing the data to loss.
- An employee may transfer files to an insecure portable storage device, such as a USB stick, that is easily lost, misplaced, or forgotten.
- An employee may transfer or share files through unapproved cloud-storage or file-sharing solutions, exposing the data to loss and discovery.
All these actions lead to unmanageable data sprawl that places data outside the firm’s defences and retention practices.
Increased risk of attacks on remote access. Although we have taken steps to secure the network from unauthorised remote access, the unprecedented level of remote work increases the risk that attackers will gain entry to the network. Attackers may try to collect user credentials for email, virtual private network (VPN), and other remote access systems through phishing emails designed to harvest users’ credentials. They may also try to bypass multifactor authentication controls by tricking users into approving an authorisation request. Many attackers have successfully bypassed multifactor authentication by repeatedly trying to log in to a system until a distracted or confused user approves the access by mistake.
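The push-approval bypass described above leaves a recognisable trace on the authentication side: a burst of denied or timed-out prompts for one account, followed by an approval. As an added example (not from the original article or any vendor), this Python script scans constructed MFA push log lines in a made-up format and flags that pattern so a helpdesk can follow up with the user:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (made-up format, not from any real product):
# "<ISO timestamp> user=<name> event=push result=<approved|denied|timeout>"
SAMPLE_LOG = """\
2020-04-01T09:00:03 user=alice event=push result=approved
2020-04-01T22:14:01 user=bob event=push result=denied
2020-04-01T22:14:40 user=bob event=push result=denied
2020-04-01T22:15:12 user=bob event=push result=timeout
2020-04-01T22:15:55 user=bob event=push result=denied
2020-04-01T22:16:30 user=bob event=push result=approved
2020-04-01T10:30:00 user=carol event=push result=denied
2020-04-01T15:45:00 user=carol event=push result=approved
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=push result=(\S+)$")


def parse_events(log_text):
    """Return (timestamp, user, result) tuples sorted by time; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    events.sort()
    return events


def find_push_fatigue(log_text, window=timedelta(minutes=10), min_pushes=4):
    """Flag users who approve a push after several rejected prompts within `window`."""
    by_user = defaultdict(list)
    for ts, user, result in parse_events(log_text):
        by_user[user].append((ts, result))
    alerts = {}
    for user, pushes in by_user.items():
        for i, (ts, result) in enumerate(pushes):
            if result != "approved":
                continue
            # Count denied/timed-out prompts in the window before this approval.
            rejected = sum(1 for t, r in pushes[:i]
                           if ts - t <= window and r in ("denied", "timeout"))
            if rejected + 1 >= min_pushes:
                alerts[user] = {"approved_at": ts.isoformat(), "prior_rejected": rejected}
    return alerts
```

A single stray denial (carol) is ignored; only the burst ending in an approval (bob) is reported.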
Increased risk from connections to insecure networks or work in shared spaces. Connections to insecure networks (whether at home or in public locations) can expose systems and data to attack. This can occur, for example, when using home routers with insecure settings or open public networks.
Steps to Minimise Risk
To help minimise risk to your firm’s network and data, we suggest taking these actions while working remotely.
Phishing, watering-hole, and other “social engineering” attacks
- Remember that technical defences, while good, cannot fully protect you or your organisation. Attackers know that employees are often a weak link in security and will most often target you to get what they want. You and your actions remain the best defence against these attacks.
- Beware of unexpected multifactor authentication requests if you use this form of security. If you receive a request to approve a connection you did not start, do not approve the request. Report the unexpected request in the usual way to your IT helpdesk or other resource performing that role.
- Do not click on untrusted links or open attachments. These links and attachments can be very convincing. If unsure, confirm with the sender or ask the helpdesk for assistance.
- Beware of emails and other messages that relate to some breaking news, surprising information, or other urgent message ‒ especially related to COVID-19 ‒ to entice you to act now.
- Visit only trusted websites for information on the pandemic. Beware of sites advertised in social media posts or sites luring visitors through urgent or inflammatory messages.
- Because even legitimate sites may become compromised and used to distribute malicious software, limit unnecessary browsing on company assets. Do not allow family members to use your company equipment for personal use, which can expose the system to unexpected browsing activity.
Controlling data sprawl and loss
- Use only approved solutions to transfer data:
  - For internal and external collaboration, conferencing and file sharing, only use company-approved file-sharing and collaboration tools.
  - Do not use unauthorised file-sharing sites (e.g. Box, Dropbox).
  - Do not email data to your personal email account or transfer data to unapproved portable storage devices (e.g. USB memory stick).
- Do not email unencrypted sensitive data to external parties. If you send an individually encrypted file, secure it with a strong password, and do not send the password by email. Better still, use the approved transfer solutions identified above.
Protecting data on remote networks
- Use secure, known networks. Use a company-provided VPN wherever possible ‒ the VPN offers an added layer of protection on possibly insecure networks.
- If you or a family member has the technical ability to do so, ensure your home Wi-Fi router is protected with the WPA2 or WPA3 encryption setting; ensure your router/modem and internet service provider (ISP) portal are configured with a strong, unique password; and enable software updates for all routers and modems.
Focus on well-being
- Finally, consider steps to manage your well-being while working at home. If you are less anxious and less distracted, you are less likely to make a mistake when handling sensitive data. Important suggested considerations include:
  - Set structure and boundaries around your work from home. If possible, set up a dedicated workspace where you can go “to the office.”
  - Ensure you are still getting social interaction. Consider using collaboration software, including video calls, to minimise potential isolation.
  - Ask for help from co-workers.
  - Limit “news checks” and stay focused to minimise anxiety and distraction.
  - Take breaks throughout the day.
  - Wind down at the end of the day. Try to separate “working” from home from “being” at home.
This note is not intended to give legal or financial advice, and, accordingly, it should not be relied upon for such. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. In preparing this note we have relied on information sourced from third parties and we make no claims as to the completeness or accuracy of the information contained herein. It reflects our understanding as at 1st April 2020, but you will recognise that matters concerning Covid-19 are fast changing across the world. You should not act upon information in this bulletin nor determine not to act, without first seeking specific legal and/or specialist advice. Our advice to our clients is as an insurance broker and is provided subject to specific terms and conditions, the terms of which take precedence over any representations in this document. No third party to whom this is passed can rely on it. We and our officers, employees or agents shall not be responsible for any loss whatsoever arising from the recipient’s reliance upon any information we provide herein and exclude liability for the content to the fullest extent permitted by law. Should you require advice about your specific insurance arrangements or specific claim circumstances, please get in touch with your usual contact at Gallagher.