How cyber aware are you? Can you trust the email you just received from a local charity seeking donations for a COVID-19 fundraising campaign? Is the text you received about updated coronavirus testing locations a legitimate government issued communication? While common cyber security software and tools provide a degree of protection from potential threats, your first true line of defence is yourself. So how cyber aware are you?
CORONAVIRUS – ADDING A LAYER OF COMPLEXITY
Current restrictions such as social distancing and self-isolation means we’re out of step with our normal ways of working. Shifting to complete virtual business operations is more than hosting video conferences, sending emails and participating in online messenger conversations. Our physical disconnectedness from our teams and colleagues means we lose our spontaneous and incidental chats and our ability to casually discuss as they arise.
And let’s face it – right now we’re all consumed by the unfolding events on the news, at work and in our personal lives as we grapple with the complexity and uncertainty this virus brings. We’re more distracted and tired, and all these combined means we’re more likely to be caught out by a cyber security attack or online scam.
THE IMPORTANCE OF BEING CYBER AWARE
Fundamentally, the threats of today are much the same as they have been for the last few years. Right now, a large proportion of scams and attack campaigns are incorporating COVID-19 themes, but there’s still the “normal” attack profiles floating around. What’s different is that they’re escalating in volume and matching pace with the rapid increase in local and global disruption. This is something that both individuals and businesses need to be aware of.
Mimicking official government bodies or trusted brands, attackers use email, SMS, social media, false websites, instant messaging and phone calls to target their victims. They prey on people’s weaknesses, offering help or information related to financial relief, medical instructions, and travel updates. However, unbeknownst to the victim, the links and attachments contained in these communications are maliciously designed to unleash havoc through malware or ransomware on the victim’s device.
A report published by Recorded Future (a cyber threat intelligence organisation) showed that between 1 January and 11 March 2020, hundreds of malicious domains were registered. Most of which were themed on the domain names of legitimate health organisations or COVID-19 information sources. Domains like the following have been registered over the past few months (the  brackets are there to make sure you can’t click on these):
As you can see, they’re quite sophisticated and even a cyber-savvy person may get duped into opening these malicious links or attachments if they’re in a state of distress from the current COVID-19 climate.
SECURE HOME WI-FI
Most home wi-fi networks are not as secure as corporate solutions. The key lesson here is your home network security should be as important as your company’s network security. Some simple tips that make a big difference in securing your home network include:
- Change the wi-fi access point SSID so that it doesn’t identify your name, address or who you work for
- Update your wi-fi username and password. Most systems have a default password that should be changed on installation, but many users don’t do this
- Use a (short-range) router that reaches only as far as your front-door (rather than broadcasting down to the beach)
- Patching applies equally to networking equipment as it does to computers and smartphones, so update your router’s firmware on a regular basis.
SECURE VPN CONNECTIONS
No offense, but in trying to access online corporate environment, your likely to be connecting from your home wi-fi which is an untrusted network. Here’s some advice on VPN best practice:
- You should ensure you a secure VPN connection between your computer and your office so that sensitive and confidential data (emails, documents etc) travels over an encrypted network directly to the office network, rather than insecurely traversing the home network or internet
- Computer systems should be configured to only function when connected to the VPN. It’s possible to do this in some operating systems, so check with your IT department.
- Good alternatives to VPNs include using remote desktop solutions where you connect to a remote PC and use its interface to access corporate resources. That way, no corporate information leaves the corporate network, making it a good solution for confidential information access.
TEAMWORK AND INSTANT MESSAGING
While working from home, you may occasionally lose access to office collaboration solutions like Microsoft Teams, Slack and corporate email. This might lead you to use personal email or social media to collaborate – especially if you’re working against a deadline.
Please don’t do this. Side-channel collaboration like this exposes you and your company to heightened risks and it’s impossible to control confidential information once it ends up on Facebook, WhatsApp, Gmail or LinkedIn.
If you experience any connectivity issues, you should contact your manager and IT team who can help resolve the issue. Critical communications are likely to be considered in your company’s business continuity plan, so a backup plan may already exist.
One of the most common gateways for cyber-attacks is exploitation of unpatched software. When working from home, especially if using your own devices rather than company equipment, it’s all too easy to pause updates while you get some work done.
Again, please don’t do this. Make sure you update all devices (personal and corporate) as soon as patches are released and ensure auto-updates are enabled. It’s also important to uninstall applications you no longer need since dormant applications still pose a risk.
SET NETWORK BOUNDARIES
Many home wi-fi routers have Guest network access capabilities. This feature creates a new access point for users to access the internet but keeps the device off the internal network. Most kids being home schooled don’t need to be on the internal network, so migrate any unnecessary devices from the internal network to the Guest wi-fi.
This one is for businesses.
Two-factor authentication (2FA) should be the norm for all business logins. Let’s face it, even social media platforms use 2FA these days. If you 2FA enabled on your corporate device, start with critical business functions where corporate information flows, such as Office365. This way, if a password is compromised while working at home, attackers still would require the second factor via the user’s phone, which is a lot harder to acquire.
For more information on PROTECT+ Security Awareness services, check out the website here.