The last two years have been ones of trials and tribulations for the world. They made a world of difference for us, changing the way we interact, whether in government or the private sector. The cyber sphere has been at the fore as digital interactions became the order of the day, from virtual conferences to remote learning, online shopping, and even date nights and drinking sessions held over online and social media platforms.
As Tom Standage put it, the pandemic brought “tech-celeration”: “the adoption of new technological behaviors in response to the pandemic”. In brief, life has gone online. As our dependence on digitally connected systems and devices grows, our vulnerabilities continue on an upward trend too, forcing us to contend with cyber threats.
Cyber Security Challenges on the Rise
The CyberSecurity Malaysia 2020 annual report cites a Cisco Systems survey of Asia Pacific countries which found that cybersecurity challenges persisted among Malaysian organisations during 2020, with 62% of respondents experiencing an increase of 25% or more in cyber threats or alerts since the start of the Covid-19 pandemic.
The study revealed that 60% of respondents in Malaysia practised remote working during the pandemic, compared with 20% previously. More importantly, the poll showed that 49% of Malaysian organisations ranked cyber security as more important than before the pandemic.
However, with huge increases in the number of people working remotely, it is vitally important that we also take care of our cyber hygiene. Here are some recommendations that companies and individuals can follow to ensure that cyber hygiene is practised at all times.
Cyber Hygiene Recommendations for All
Recommendations for employers and staff
The following recommendations for maintaining an adequate level of cybersecurity when remote working are divided into those for employers and for staff.
Cyber hygiene recommendations for employers:
1. Ensure that the corporate VPN solution scales and is able to sustain a large number of simultaneous connections.
2. Provide secure video conferencing for corporate clients (both audio/video capabilities).
3. All the corporate business applications must be accessible only via encrypted communication channels (SSL VPN, IPSec VPN).
4. Access to application portals should be safeguarded using multifactor authentication mechanisms.
5. Prevent the direct Internet exposure of remote system access interfaces (e.g. RDP).
6. Mutual authentication should be preferred when accessing corporate systems (e.g. client to server and server to client).
7. Provide where possible corporate devices to staff while remote working; ensure that these devices have up-to-date security software and security patch levels and that users are regularly reminded to check patch levels. It is advisable that a replacement scheme for failing devices is also in place.
8. BYOD (bring your own device) equipment such as personal laptops or mobile devices must be vetted from a security standpoint using NAC or NAP platforms (e.g. patch check, configuration check, anti-virus check).
9. Ensure that adequate IT resources are in place to support staff in case of technical issues while remote working.
10. Ensure policies for responding to security incidents and personal data breaches are in place and that staff is appropriately informed of them.
11. Ensure that any processing of staff data by the employer in the context of remote working (e.g. time keeping) is in compliance with the EU legal framework on data protection.
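Item 5 above (no direct Internet exposure of remote-access interfaces such as RDP) is a control that can be checked mechanically against a firewall or cloud security-group rule set. The following Python script is an added example, not part of the article or of any vendor's tooling: the rule layout, the port table, the set of internal address ranges and both sample rule sets are assumptions made for the example. It flags every allow rule that lets Internet sources reach SSH, Telnet, RDP, VNC or WinRM, including broad "all ports" rules that cover one of them, and the second rule set shows the hardened form in which only the VPN gateway is exposed and RDP is reachable solely from the VPN client pool.

```python
"""Audit inbound allow rules for remote-access services exposed to the Internet.

Added example, not from the article: the rule layout, port table, internal
ranges and both sample rule sets below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List

# Ports of common remote-system-access interfaces (assumed list, not exhaustive).
REMOTE_ACCESS_PORTS = {
    22: "SSH",
    23: "Telnet",
    3389: "RDP",
    5900: "VNC",
    5985: "WinRM/HTTP",
    5986: "WinRM/HTTPS",
}

# Ranges treated as internal; a source not wholly inside one of them is
# considered reachable from the Internet.
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]

Rule = Dict[str, object]  # hypothetical rule layout, see the samples below


def is_internet_source(cidr: str) -> bool:
    """True unless the source range lies entirely within an internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(r) for r in INTERNAL_RANGES if r.version == net.version)


def audit_rules(rules: List[Rule]) -> List[dict]:
    """One finding per allow rule that lets Internet sources reach a
    remote-access port (a broad port range covering one counts as well)."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        low, high = rule["ports"]
        exposed = [f"{port}/{name}" for port, name in REMOTE_ACCESS_PORTS.items()
                   if low <= port <= high]
        if exposed and is_internet_source(rule["source"]):
            findings.append({"rule": rule["name"], "source": rule["source"],
                             "services": exposed})
    return findings


# Constructed "before" rule set: RDP open to the world, plus an all-ports rule
# for a partner's public range (203.0.113.0/24 is a documentation range).
WEAK_RULES = [
    {"name": "allow-web",         "proto": "tcp", "ports": (443, 443),   "source": "0.0.0.0/0",      "action": "allow"},
    {"name": "allow-rdp-any",     "proto": "tcp", "ports": (3389, 3389), "source": "0.0.0.0/0",      "action": "allow"},
    {"name": "allow-partner-all", "proto": "tcp", "ports": (1, 65535),   "source": "203.0.113.0/24", "action": "allow"},
    {"name": "allow-rdp-lan",     "proto": "tcp", "ports": (3389, 3389), "source": "10.0.0.0/8",     "action": "allow"},
]

# Constructed "after" rule set: only the VPN gateway (IPsec on UDP 500/4500,
# SSL VPN on TCP 443) is exposed; RDP is reachable solely from the VPN client pool.
HARDENED_RULES = [
    {"name": "allow-ssl-vpn",   "proto": "tcp", "ports": (443, 443),   "source": "0.0.0.0/0",   "action": "allow"},
    {"name": "allow-ipsec-ike", "proto": "udp", "ports": (500, 500),   "source": "0.0.0.0/0",   "action": "allow"},
    {"name": "allow-ipsec-nat", "proto": "udp", "ports": (4500, 4500), "source": "0.0.0.0/0",   "action": "allow"},
    {"name": "allow-rdp-vpn",   "proto": "tcp", "ports": (3389, 3389), "source": "10.8.0.0/16", "action": "allow"},
    {"name": "deny-rdp-rest",   "proto": "tcp", "ports": (3389, 3389), "source": "0.0.0.0/0",   "action": "deny"},
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: {audit_rules(rules) or 'no Internet-exposed remote-access rules'}")
```

Running the script reports two findings for the weak set (the world-open RDP rule and the partner all-ports rule, which silently exposes every remote-access port to a public range) and none for the hardened set; the same check can be fed from an export of a real rule set once it is mapped onto the rule layout above.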
Recommendations for staff on remote operations
1. Use corporate (rather than personal) computers where possible, unless BYOD has been vetted. As much as possible, do not mix work and leisure activities on the same device, and be particularly careful with any emails referencing the Covid-19 virus.
2. Connect to the internet via secure networks; avoid open/free networks. Most home WiFi systems these days are correctly secured, but some older installations might not be. On an insecure connection, people within the vicinity can snoop on your traffic (more technical people might be able to hijack the connection).
That having been said, the risk is not much higher than when using public ‘open networks’, except that presumably people will be in the same place for a long time. The solution is to activate encryption if it hasn’t been done already and/or to adopt a recent implementation. Note that this risk is somewhat mitigated by using a secure connection to the office.
3. Avoid the exchange of sensitive corporate information (e.g. via email) through possibly insecure connections.
4. As much as possible use corporate Intranet resources to share working files. On the one hand, this ensures that working files are up-to-date and on the other, sharing of sensitive information across local devices is avoided.
5. Be particularly careful with any emails referencing the Covid-19 virus, as these may be phishing attempts or scams (see below). If in doubt about the legitimacy of an email, contact the institution’s security officer.
6. Data at rest should be encrypted (this will protect against theft / loss of the device).
7. Anti-virus / Anti-malware applications must be installed and be fully updated.
8. The system (operating system and applications used, as well as anti-virus system) needs to be up to date.
9. Lock your screen if you work in a shared space.
10. Do not share virtual meeting URLs on social media or other public channels (unauthorised third parties could access private meetings this way).
Phishing scams linked to COVID-19
It is important to increase awareness of digital security during this time as we have already seen an increase in phishing attacks. Attackers are exploiting the situation, so look out for phishing emails and scams.
In the current situation, one should be suspicious of any email asking you to check or renew your credentials, even if it seems to come from a trusted source. Try to verify the authenticity of the request through other means. Do not click on suspicious links or open any suspicious attachments.
- Be very suspicious of emails from people you don’t know, especially if they ask you to follow links or open files (if in doubt, phone your security officer).
- Emails that create a sense of urgency or severe consequences are key candidates for phishing; in these cases, always verify via an external channel before complying.
- Emails from people you know but asking for unusual things are also suspect; verify by phone if possible.
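The indicators above (unfamiliar sender, urgency, a request to check or renew credentials, and links that do not go where they claim) can be turned into a simple triage score that a mail gateway or a help desk can apply before a user acts on a message. The following Python script is an added example that is not part of the original article: the known-domain set, the phrase lists, the scoring weights and both sample messages are constructed for the example, and a real deployment would tune all of them.

```python
"""Score a raw email against the phishing indicators discussed above.

Added example, not from the article: the known-domain set, phrase lists,
weights and both sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_DOMAINS = {"example-corp.com"}  # assumption: the organisation's own mail domain(s)
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "will be suspended", "final notice")
CREDENTIAL_PHRASES = ("verify your password", "confirm your credentials",
                      "renew your login", "update your account")
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _body_text(msg) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _same_site(a: str, b: str) -> bool:
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def score_message(raw_message: str) -> dict:
    """Return the score, the matched indicators and a verdict for one raw message."""
    msg = message_from_string(raw_message)
    score, reasons = 0, []

    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain not in KNOWN_DOMAINS:           # unfamiliar sender
        score += 1
        reasons.append(f"sender domain '{sender_domain}' is not a known contact")

    body = _body_text(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(p in text for p in URGENCY_PHRASES):       # urgency / severe consequences
        score += 1
        reasons.append("urgent language or threat of consequences")
    if any(p in text for p in CREDENTIAL_PHRASES):    # asks to check or renew credentials
        score += 1
        reasons.append("asks to check or renew credentials")

    collector = _LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:              # link text vs. real target
        target = (urlparse(href).hostname or "").lower()
        match = DOMAIN_RE.match(shown.lower())
        if target and match and not _same_site(target, match.group(1)):
            score += 2
            reasons.append(f"link text shows {match.group(1)} but points to {target}")

    verdict = "likely phishing" if score >= 3 else "suspicious" if score else "no indicators"
    return {"score": score, "reasons": reasons, "verdict": verdict}


# Constructed sample: a Covid-19 themed credential lure with a disguised link.
PHISHING_SAMPLE = """\
From: IT Support <helpdesk@example-corp-security.net>
To: staff@example-corp.com
Subject: URGENT: Covid-19 remote access - verify your password within 24 hours
Content-Type: text/html; charset=utf-8

<html><body><p>Due to Covid-19 remote working your VPN account will be suspended
unless you verify your password within 24 hours.</p>
<p><a href="https://login.example-corp-security.net/reset">https://vpn.example-corp.com/reset</a></p>
</body></html>
"""

# Constructed sample: an ordinary internal message.
BENIGN_SAMPLE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: staff@example-corp.com
Subject: Minutes from Monday's team call
Content-Type: text/plain; charset=utf-8

Hi all, the minutes are on the intranet: https://intranet.example-corp.com/minutes/2021-03
Thanks, Jane
"""
```

Calling `score_message(PHISHING_SAMPLE)` returns a score of 5 ("likely phishing") with all four indicators listed, while `score_message(BENIGN_SAMPLE)` scores 0. The score is deliberately a triage aid rather than a verdict: a message from a known colleague that asks for something unusual (the third indicator above) scores low here and still needs the phone call the article recommends.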