Far from being locked down, the Covid-19 pandemic has blown IT infrastructure wide open to security breaches. The search for quick solutions in a state of crisis has led to the usual level of review and evaluation being thrown out the window. Remote working is here to stay for many of us, so it’s time to go back and address the potential holes in the IT environments that were set up in haste to cope with the move to WFH.  

This guide outlines the biggest and most likely security risks your business faces, and suggests where any investment will provide the returns.  The advice given is aligned to the Government’s Cyber Essentials scheme for best practice.

If you're not into security or tech but know it needs sorting...

Get a service provider to provide a quick assessment of your business risks. They will assess how you work, audit your environment, highlight the biggest and most likely risks to your organisation, and work with you to help address them fully, or at the very least, mitigate the threats you face.

An IT environment is like an onion. We look at each layer in the light of changes made during the pandemic and think, “how could this layer be sliced open, and make me cry?”

Your perimeter security is in the hands of young children

Staff working from home may be giving devices to their children to do homework or communicate online. It's impossible for any employer to vet the files being transferred, the URLs being visited, the e-mail attachments being opened from webmail, and adverts that could be getting clicked on... and what’s worse, this is one of the most likely forms of attack.

User behaviour is responsible for over 90% of security breaches - and that’s from the safety of an office!

The UK Information Commissioner’s Office puts nine out of 10 breaches down to human error so the risk of a device breach is huge. Devices are being used for longer, outside of core working hours, and potentially by multiple users, probably to access non-work websites and apps - all of which represents a massively elevated threat.  

Lock them down - here are some suggestions:

• Remind all staff of the risks of using their devices for social use and discourage it wherever practical. Whenever devices are not in use, they should be shut down.

• Passwords should be different for all systems and not shared between home and work applications.

• Add layers of extra control to internal policies - authorisations could happen over the phone as well as through e-mail.

• Use centralised IT policies to prevent applications being installed by anyone other than IT administrators and for users to be logged off where there is five minutes or more of inactivity.

• All connections to the work network must be over a secure VPN and that should be disconnected when not in use.

• Install anti-malware and anti-virus applications on all devices (including phones and tablets) and ensure they are connected to the work network for daily updates.

• Devices must be updated promptly so all known vulnerabilities are addressed as and when they are discovered.

• Scan e-mails for malicious attachments to prevent phishing attacks.

• Set up Multi-factor Authentication for all access to cloud applications, eg. CRM systems, task systems, file sharing systems and so on.  

Unsure how to do any of this? Get help - and quick. 

That upgraded broadband is leaking confidential information as fast as the fibre it’s connected to

Broadband upgrades are booming - which means every device is shipped with default usernames and passwords, known by every hacker on the planet. Tell employees how to change their default install so traffic to and from their router can’t be ‘sniffed’ by someone else.

Think a VPN will save you? Think again - access to a home router gives attackers a world of information to try to guess passwords, get Trojans on to devices and gain access eventually.  Get the router secured.

Curiosity killed the network, your data, and your business

Visiting the office for the first time in a while and found a USB pen on a desk? Don't plug it into your laptop! This was how foreign agents launched the Stuxnet malware on Iran’s nuclear facilities some years ago. Office facilities aren’t typically used for enriching uranium but all offices, particularly shared ones, have been exposed for prolonged periods.

Professional hacker networks target cleaning staff, security staff, and admin staff in offices as a way of gaining access to sensitive networks - don't let curiosity get the better of any of your people.

We’re arresting you on suspicion of aiding and abetting a cyber attack

Every device on a home network is now a stepping-stone away from your corporate network. Security on the Internet of Things is often non-existent or incredibly weak. Your 'smart' doorbell is a gateway to the home and to the office. It could drop a botnet on to every other device on the network.

Guide staff working from home on how to set up separate networks for their home and work devices. The more segregation, the better.

I’ve secured my staff... now what?

Start from the outside in, and address the potential holes in your IT environment. Consider getting a technical audit or penetration test. The following areas highlight the most common threats and how you could address them.

Office network and cloud access – all the data is in the office or the cloud, but users at home? The gateway needs securing, users need individual VPN accounts, and the bandwidth to the office needs to be able to cope. Service providers can help route traffic through central points and ensure connections to software in the cloud are secure.

Big Brother defence - there are tools that will monitor devices and network activity for anything unusual and flag up this behaviour as a threat. If your users represent a risk, or you have known patterns of behaviour and anything else is considered suspicious, then deploying these tools could detect unusual activity early and protect you from attack.

Get scanning and patching - most organisations don’t keep their internal IT environment up to date. As soon as a hacker busts through a perimeter, they will be searching for known vulnerabilities. Unless you’re running Windows 98 and attackers don’t have software old enough to hack you (yes, this has happened), you need to keep your internal environment up-to-date. “But my application doesn’t run on the latest version” is a practical consideration, but better to spend money updating the application than have no business to use it.

A concluding thought

While there is no silver bullet for protection, by adding layer upon layer of defence, you can frustrate and bore even the most motivated of attackers. Spend some time thinking about your risks and mitigation strategies - it doesn’t need to be expensive, and it could just save your organisation from disaster.

 

To learn more about cybersecurity and emerging from the Covid-19 pandemic stronger, register now for 2021's Digital City Festival.