As governments around the world encourage people to work from home, businesses and their staff are more vulnerable to cyber attack

With remote working being encouraged by many governments during the Covid-19 pandemic, businesses are being urged to think about the heightened cyber risk they may face as a result.

Employees may be forced to rely on personal devices that do not have the same level as security as their workplace computers.

Meanwhile, hackers are seeking to exploit fears surrounding coronavirus in phishing emails and other scams, according to the UK National Cyber Security Centre (NCSC). Clicking on links in scam emails, that may claims to have a ‘cure’ for the virus for instance, could lead to malware infection and loss of data like passwords.

According to Oliver Price, associate director at cyber security firm S-RM: “Businesses need to be alert to the fact that cyber hackers are looking to take advantage of the current chaos and uncertainty created by the coronavirus.”

“This is particularly pertinent for employees using their personal devices to work on from home. Firms need to ensure that they apply the same level of IT security that they would in their office environment, and help their employees to ensure that these devices are secure.”

Ransomware attacks skyrocketed in 2019, according to the latest Beazley Breach Briefing. The two most common forms of attack to deploy ransomware are phishing emails and breaching poorly secured remote desktop protocol (RDP). RDP enables employees to access their work computer desktops or company’s primary server from home with the press of a button, but the convenience also comes with added risks. 

Katherine Keefe, Beazley’s global head of BBR Services, said: “With the convenience of enabling employees to work from home, using RDP can make IT systems more susceptible to attack without the right security measures in place.”

”The coronavirus has forced many more employees to work from home and in this pressured environment it is very important that companies take the right steps to reduce the vulnerability of their IT infrastructure.”

To help businesses as they migrate towards home working, NCSC has published a series of advice and tips to help employers and their staff.

NCSC notes that staff are more likely to have devices stolen (or lose them) when they are away from the office and recommends making sure that laptops and tablets encrypt data while at rest. “Most modern devices have encryption built in, but encryption may still need to be turned on and configured.”

Organisations that use virtual private networks (VPNs) to allow remote users to securely access company IT resources, such as email and file services, should create an encrypted network connection, says NCSC. VPNs should be fully patched and companies may need to arrange additional capacity or bandwidth if they are dealing with large numbers of remote workers for the first time.

Due to supply chain constraints and an increase in demand, many firms have no choice but to allow staff members to use personal devices. In these instances, companies should use Bring Your Own Device guidance to mitigate the risks.

To help businesses as they migrate their employees to homeworking, Clyde & Co and cyber security firm S-RM, have offered the following advice: 

  • · Make sure that staff do not take short cuts to normal risk management and cyber security processes in their haste to set employees up to work from home;
  • · Ensure employees know what to be alert to from a cyber security perspective, and what to do if they suspect they have been targeted by, or inadvertently clicked on a link in a phishing email, and
  • · Ensure that incident and crisis management plans are appropriate for home working and communicated to all home working employees and those supporting them.

“Whilst the immediate working environment for many people is likely to undergo significant disruption and change over the next few days and weeks, organisations must bear in mind they remain subject to the same legal data privacy obligations whether employees are working from home or in the office, so their data privacy protocols must form part of any remote working policies they implement,” said Helen Bourne, partner at Clyde & Co.

“These policies must include having sufficient and adequate security measures in place to protect personal data, as well as adapting breach response protocols to a remote working environment.”

“Achieving the requisite level of compliance will be altogether more challenging as organisations rely on remote working technology across a diverse workforce,” she added. “In many cases, the introduction of such technologies will be happening under considerable time pressures and perhaps without sufficient opportunity to plan and integrate them into a robust, secure network.”

“We recommend that employers remind their employees to exercise the same level of diligence surrounding the management and processing of data and, to introduce security protocols that take into account the additional risks when your workforce is operating remotely.”