So, the world has changed because of the COVID-19 pandemic. This might be the first and only time that so many employees are working remotely. And this change is going to stay because organizations can’t take risks with their employees’ health. India's largest IT service firm Tata Consultancy Services (TCS) announced that it would ask a vast majority (75%) of its 350,000 employees to work from home by 2025, up from 20% currently, as the company looks to permanently adopt the remote working revolution brought on by the coronavirus pandemic. As we live in a well-connected world, and employees are provided with the tools needed to work from home properly, the crisis has provided an opportunity for organizations to discard a decades-old operating model and leapfrog into a new mode of work. This might well be “The New Normal” in the post-COVID-19 world.
With the work from home regime, many new challenges have appeared:
• A lack of collaboration and difference in the work culture
• Difficult or no communication
• Workforce reliability and retention
• Logistical issues
• Lower productivity and effectiveness from the remote workforce
• Cybersecurity concerns and many more
In the World Economic Forum Global Risk Report 2020, cyber-attacks feature in the top 10 risks in terms of likelihood of occurrence as well as impact. This article focuses on cybersecurity as one of the biggest risks while working from home.
The COVID-19 pandemic, which has caused the work from home phenomenon, has also increased the likelihood of cyber-attacks exponentially. As per a report published by Barracuda Networks, the number of COVID-19-related email attacks has increased by 667% since the end of February this year.
One of the biggest concerns for organizations is that they might not even be aware of a breach in progress. As complex cyber-attacks are performed in stages over a period of time, organizations can reduce the damage caused by an attack if they are better informed about it in its initial stage. Hence, it’s highly recommended for organizations to keep sight of their cyber-attack risks by evaluating the risks associated with their people (employees, partners, vendors, stakeholders etc.), processes, and technologies. Cyber criminals target the weakest link, which can’t be patched: people. With people now working remotely, it is even more challenging for organizations to manage their cybersecurity.
Here are some questions which organizations can ask their remote employees, partners, vendors etc. to assess their cybersecurity health and possibly find out if there might be any breach in progress. We have divided our evaluation/assessment questions into three primary categories of cyber risks: those associated with people, processes, and technologies.
People are the most vulnerable link during the work from home regime as they are working outside the office environment, using either a weak public network or home internet without strong office firewalls. As hackers are targeting people using different kinds of social engineering attacks, we have further broken down the risks by type of social engineering attack vector, with associated questions.
Malware, or malicious software, is any program or file that is harmful to a computer user. Types of malware can include computer viruses, worms, Trojan horses and spyware. Organizations can ask their employees and partners a list of questions to evaluate malware attack risks.
• Have you installed any third-party app on your mobile phone which might be suspicious?
• Have you recently installed any well-known mobile app on your mobile phone which you feel has some issues? It might be a copy of that app created by hackers, or an infected version of the authorized app carrying malware.
• Have you installed any app on your office laptop without approval from security and IT team?
• Do you check and verify the authority on a mobile or web app before installing it on your device?
• Have you clicked/opened any malicious link recently?
• Have you opened any malicious attachment/file recently?
• Do you check on a link address by hovering over the hyperlink?
• Have you recently visited any suspicious or malware infected website?
An email technique used by cyber criminals to fool people and collect sensitive information.
• Have you received any suspicious email using COVID-19 keywords and offering help or advice recently?
• Did you inform the security and admin teams about this suspicious email?
• Do you consult/ask your friends/colleagues/manager before clicking on any link or opening any attachment in a suspicious email?
• Do you read the email body and check for grammatical errors?
• Do you hover over the email names (To: and From:) to see the full email addresses and validate their authority?
• Did you make any recent donations by clicking on a link directly?
• Did you forward any suspicious email or malicious content to your co-worker or friends?
An SMS technique used by cyber criminals to fool people and collect sensitive information.
• Have you received any malicious SMS offering financial help or any other sort of favor during the work from home regime?
• Have you opened/clicked on any malicious link which came through SMS related to COVID-19 (suspicious)?
• Have you followed any SMS instructions and shared any sensitive data (personal or official) in response to getting some financial help or any sort of favors claimed by the sender?
A voice call technique used by cyber criminals to fool people and collect sensitive information.
• Have you received any malicious call offering financial help or any other sort of favor during the work from home regime?
• Have you shared any sensitive/classified information with someone who might have posed as your senior authority in office or client and needed some information urgently?
• Do you consult/ask your friends/colleagues/manager before sharing any classified/sensitive information with anyone over a call?
In this technique, cyber criminals find out the interests of the target group (the websites and applications they visit) and look for vulnerabilities in these sites and applications in order to infect them with malware. Once members of the target group visit those sites, their devices get infected.
• Have you used your office laptop to do personal work (surfing through the internet not related to office work like visiting websites, applications etc.)?
• Did you visit any website which you feel is suspicious, or click on any suspicious attachment or link on your office laptop?
• Have you encountered any irregularities and suspicious things with the websites or apps you visit regularly/frequently?
In this technique, cyber criminals create fake profiles on different social media platforms (especially LinkedIn) to trick people into giving up sensitive information.
• Are you recently receiving a lot of requests on social media especially LinkedIn (From recruiters etc.)?
• Once connected, are these contacts trying to be friendly and asking for sensitive/classified information?
• Did you disclose any sensitive/classified information to your social media contacts?
As somebody rightly said, every good thing comes with a price tag. Technology is one of the most important factors in enabling work from home. As organizations have adopted new technologies and tools to help the workforce perform their duties effectively from remote locations and collaborate with co-workers, the digital attack surface for organizations has also increased. An increased attack surface has also increased the likelihood of breaches. In this inter-connected business environment, if organizations want to stay SAFE, they must be extra vigilant about the kind of risks technology has created.
Here’s a list of questions which can be used to assess the technology risks in the work from home regime:
While working from home, employees are using many tools such as web conferencing tools (like Zoom, Skype, GoToMeeting, Google Hangouts etc.), collaboration tools (like Google Drive, Dropbox etc.), instant messaging software etc. Vulnerabilities in this software can lead to a breach of the organization using it.
• Have you updated your software with all the vulnerability patches?
• Do you have the latest back up of files with you securely, offline?
• Do you have the latest back up of files with you securely, online?
• Have you incorporated solutions to proactively identify threats and fix them before attackers can exploit them?
• Are all your devices hardened and patched?
• Do you use strong passwords for your account logins for all your devices and accounts especially bank accounts and email?
• Is multi-factor authentication enabled for bank accounts and emails?
• Have you enabled your privacy and security settings?
• Have you installed a corporate-approved anti-phishing filter on browsers and emails?
• Do you have a corporate-approved anti-virus software installed to scan attachments?
• Have you lost any device holding sensitive/classified information, even for a short time?
• Did you attach any external untrusted/suspicious device (USB, flash drive, etc.) to your office laptop?
The network plays an important role in the work from home regime. People using home internet might be exposed to the risk of weaker security at their local internet provider. Organizations can assess the security of home networks by asking their employees the following questions.
• Is your home network safe?
• Has your home internet vendor patched all the existing vulnerabilities?
• Which brand of Wi-Fi modem are you using?
• Have you checked that your Wi-Fi modem is good hardware (not using a default password and not easy to hack)?
• Does your home internet provider patch network vulnerabilities on a timely basis?
• Do you use a strong password for your home network?
• Have you enabled multifactor authentication for VPN access?
• Are VPN vulnerabilities, both new (zero-days) and existing, patched on a timely basis?
• Do distance and logistical challenges prevent the IT department from efficiently providing the required assistance?
• Do you keep your VPN always on when working from home to avoid cyber criminals’ spying attempts?
Organizations must consider the risks associated with third parties as well. Even if an organization is itself secure, its data might be breached through its partners, or a vendor's integration/API might have weak security and be targeted by hackers.
• Are you using any third-party apps on your office laptop without approval?
• Are you using multi-factor authentication for your customers and partners portals?
• Have you taken cybersecurity liability insurance to help in recovery, in case of an incident?
• Have you checked that your Wi-Fi modem is good hardware?
• Do you have a list of critical partners with you?
• Have you checked security of all your critical partners (technical and strategic partners) with whom you are sharing sensitive/critical data?
Processes are the framework that makes an organization work smoothly using people and technologies. Whatever tools and technology you implement, you cannot achieve effective operations with poor processes. Good security processes will guide people and technologies on “what and what not to do” to stay SAFE. Organizations must assess the security concerns related to processes for a holistic cybersecurity view:
• Does your security team collaborate with other teams — including Financial Controls, Treasury and Fraud teams — to sharpen fraud prevention and detection?
• Have you received proper security awareness training (online or offline)?
• Do you receive cybersecurity communication and tips over email from time to time?
• Do you have documented policy and controls in place to cater to the needs of working from home?
• Do you have documented policy and controls for employees using mobile phones for office work (dos and don’ts)?
• Do you have a documented policy regarding place of work?
• Do you take notes on paper or digital applications?
• Did you throw any sensitive information in the trash/dust bin?
• Do you handle viewed or created IP or PII as per policy?
• Do you use personal devices for office work?
• Do you work from public places like cafés (talking loudly during calls, using public Wi-Fi, exposing your laptop screen to others)?
• Do you have a documented disaster recovery and business continuity plan?
• Are you using EFSS tools like Dropbox and Google Drive to share sensitive and classified data?
• Do you collect audit logs and report to auditors to stay compliant for the duration of WFH?
With responses to these questions, organizations can get a clearer picture of their cybersecurity posture in the work from home scenario. With this cybersecurity posture in hand, organizations can take the necessary action to reduce the damage from an attack in progress and be ready to respond to future attacks if they happen.
At MetricStream we understand the challenges organizations are facing in this pandemic and have launched a COVID-19 solution to help organizations stay resilient through this crisis. With this solution, organizations will have the ability to measure risks, manage information, processes, and responses, and take better, real-time decisions that impact employees, business leaders, customers, vendors and partners.