One of the key measures to reduce the spread of Covid-19 is social distancing, which for many organisations means encouraging – or instructing – staff to work from home.
But moving at short notice from a trusted office environment to working remotely can create security risks. On top of this, nasty opportunist crooks are already using the coronavirus as subject matter for their phishing scams, hoping that the unwary will click through and hand over passwords or other data.
With the rapid increase in remote working in mind, European cybersecurity agency ENISA has set out a series of recommendations for companies moving to teleworking as a result of Covid-19.
ENISA said it had already seen an increase in coronavirus-related phishing attacks. The agency recommends, as far as possible, that workers try not to mix work and leisure activities on the same device and be particularly careful with any emails referencing the coronavirus. “Attackers are exploiting the situation, so look out for phishing emails and scams,” ENISA said.
The agency also warned remote workers to be suspicious of any emails asking them to check or renew their passwords and login credentials even if they seem to come from a trusted source.
“Please try to verify the authenticity of the request through other means, do not click on suspicious links or open any suspicious attachments,” it said.
ENISA also warned workers to be suspicious of emails from people they don’t know, especially if they ask to connect to links or open files. Phishing messages try to create an impression of urgency in order to panic you into clicking on a link, it said. Emails sent from people you know but asking for unusual things are also suspect, the agency said, so double check by phone if possible. The UK’s National Cyber Security Centre (NCSC) has also issued a similar warning about coronavirus-themed phishing attacks.
ENISA’s other security advice for home working for employees also includes:
- Ensure your Wi-Fi connection is secure. While most Wi-Fi is correctly secured, some older installations might not be, which means people in the near vicinity can snoop on your traffic.
- Ensure anti-virus is in place and fully updated.
- Check all security software is up to date: Privacy tools, add-ons for browsers and other patches need to be checked regularly.
- Have a back-up strategy and remember to do it: All important files should be backed up regularly. In a worst-case scenario, staff could fall foul of ransomware, for instance, and then all is lost without a backup.
- Lock your screen if you work in a shared space: ENISA said workers should really avoid co-working or shared spaces at this moment and that social distancing is extremely important to slow down the spread of the virus.
- Make sure you are using a secure connection to your work environment.
- Check if you have encryption tools installed.
ENISA said employers should:
- Provide initial and then regular feedback to staff on how to react in case of problems. That means info on who to call, hours of service and emergency procedures.
- Give suitable priority to the support of remote access solutions. Employers should provide at least authentication and secure session capabilities (essentially encryption).
- Provide virtual solutions. For example, the use of electronic signatures and virtual approval workflows to ensure continuous functionality.
- Ensure adequate support in case of problems. This may require setting up special rotas for staff.
- Define a clear procedure to follow in case of a security incident.
- Consider restricting access to sensitive systems where it makes sense.