Don’t compromise your security during the COVID-19 crisis

Don’t compromise your security during the COVID-19 crisis

The COVID-19 pandemic has resulted in an exponential growth in people working from home, meaning that the level of security we take for granted may now not be as strong as it was before.

By Jason Dewar

Principal Consultant, Response

14 Apr 2020

For many companies that have a mature Acceptable Use Policy (AUP) and have already put preparations in place for business continuity working, there is probably no need for change. But if you are a business that is not geared up for remote working at scale, there is an urgency to review the way you operate, especially if you are allowing the use of personally-owned equipment to facilitate home working.

From an organisational perspective, the main risks come from the use of systems, software and devices that are not BAU (Business as Usual). This could range from employees’ own PCs or laptops, or the use of non-standard platforms such as for conferencing facilities and other collaboration systems. It is important to assume these are insecure.

Here are few issues you should consider in these challenging times:

  • Are your employees using personal devices? If so, you need to ensure that the devices meet minimum security requirements including the use of complex password protection, up-to-date operating systems and applications and current and reliable anti-virus software. You also need to ensure methods of accessing sensitive information remain secure through robust authentication and the protection of data in transit. 

  • If using personal devices, make sure your staff know not to attempt to connect them if they are displaying security issues such as: the device being very slow running, pop-up ads appear and if the device have been infected in the past.

    We have heard of many instances where staff have been asked to use their own laptops only to discover that they have a raft of malware just waiting to be let loose on the corporate network once connected.  This can be a significant problem for companies that are changing the way they operate during this crisis.

  • Are your employees likely to be connecting their personal devices directly to company equipment such as USB memory, keyboards, cameras or large screens? If so, you should set acceptability parameters for each piece of kit.  

  • Businesses should not be rushing to make a whole raft of changes to their Acceptable Use Policy, however chances are existing AUPs may not address the extreme situation we find ourselves in. They may be over restrictive, or miss aspects of operation that may have been changed due to changed working conditions. Look at it carefully and if necessary, review it and provide staff with an amended version to ensure essential compliance remains in place. And if you need help with that, get in touch and we can do so.

  • No one knows how long we will be working from home, but if you are permitting the use of personal devices, don’t leave it until the last minute to consider how you can ensure data does not remain on those devices after this lengthy business interruption.

  • Don’t forget your office premises and make sure they are secure whilst they stand empty with sufficient security and intruder detection to protect your key assets. With everyone staying in their houses, thieves may well turn their attention to offices.

  • It is also quite possible that you will have staff leaving the company during this lockdown. So, consideration must be given on how to recover IT assets and close accounts. You may also want to consider locking access for furloughed employees.

For those working from home, much of the risk can be mitigated by additional situational awareness. Consider the following: 

  • Think about physical security and make sure your laptops or mobile phones are safe from theft. For example, with the weather getting warmer, is your laptop sitting next to an open window on the ground floor?

  • Get into the habit of locking of your screen (Windows + L key) if a family member or flat mate comes into the room, particularly if your job involves working with sensitive and confidential information.  

  • Lock your laptop every time you walk away. What could be more natural than getting up from your sofa and getting a cup of tea? It may seem that your laptop is safe in your home, but you could be distracted and leave it for longer than expected. This can open the device up to a whole range of potential threats. 

    Some less malicious threats, but just as damaging, could be your young children accidently sending a message “to all” because you’ve left their computer unlocked while you make a coffee. Or better still, the MD receiving a video call from a three-year old! Embarrassing at best – so don’t be that person.  

  • Avoid eavesdropping. Sometimes when we’ve got headsets on, it’s easy to get lost in the call, meaning that others in your household (or through open windows and thin walls) may overhear something they shouldn’t and innocently pass this information to a friend. It’s good to agree workspaces in your house and create rules around video/telephones calls.

  • We could be working from home for a long time, so get into a routine and use the time to reconnect with the family. 

There is no doubt that COVID-19 has presented unimaginable chaos and challenges for all of us. And whilst we rapidly adapt and change to ensure businesses can carry on and survive, there is no room for compromise when it comes to security. After all, cyber criminals can’t go anywhere too.

Subscribe for more Research like this

About Jason Dewar

Principal Consultant, Response

Find out more

Book a Meeting

CREST
CREST STAR
CHECK IT Health Check Service
CBEST
Cyber Essentials
CESG Certified Service
First - Improving Security Together
BSI ISO 9001 FS 581360
BSI ISO 27001 IS 553326
PCI - Approved Scanning Vendor