Organisations grappling with a variety of issues raised by the coronavirus should ensure that ‘increased cyber risk’ is on the list of new risks to manage. In response, the UK’s National Cyber Security Centre (the NCSC) published guidance yesterday which focusses on how organisations can:
- prepare for an increase in home working; and
- spot coronavirus scam emails.
Increased home working:
Increased home working is now a reality for many organisations, with others looking to follow suit. The guidance makes a number of general recommendations to support secure home working, which include:
- Providing written (‘How do I…’) guides for staff who may not be familiar with using new software, or using familiar applications in a different way. The NCSC also notes that its guidance on implementing SaaS applications may help with the procurement of new services (such as chatrooms and document sharing) to enable continued workforce collaboration.
- Encrypting data at rest on remote devices as devices are more likely to be stolen or lost when staff are away from the office, and ensuring that devices can be locked remotely.
- Ensuring staff know how to report any security issues, and are trained (or reminded of their training) on cyber issues. The NCSC recommends that staff work through its Top Tips for Staff e-learning package.
- Following the NCSC’s Bring Your Own Device guidance if workers are permitted to use their own devices to work remotely.
The guidance also covers security basics such as using strong passwords when setting up new accounts for remote working and ensuring VPNs (which allow remote users to securely access work systems) are fully patched and have sufficient licences and bandwidth to manage an increase in users. One area not touched on by the guidance is how organisations can maintain sufficient support with an IT function that is working from home or (of more concern) limited in numbers if workers become ill.
Spotting scam emails:
There has been a spike in phishing emails as cyber criminals prey on fears surrounding the coronavirus. Many phishing attacks offer information on the virus while some have purported to offer tax refunds from HMRC and others have focussed on specific sectors, like transport or retail. As organisations increasingly contact their customers and supply chains with COVID-19 updates, we may also start to see cyber criminals targeting organisations with this form of phishing email.
Now is therefore the time to alert employees to this increased risk and ask for their vigilance, and to review the NCSC’s existing guidance on dealing with suspicious emails and ransomware. The EU Agency for Cyber Security (ENISA), which also shared guidance this week on how to manage COVID-19 phishing attacks (as part of its top tips for cybersecurity when working remotely), advised email recipients to separately verify any unusual emails. These could include emails that ask recipients to check or renew credentials, that create a sense of urgency, or that contain unusual requests.
While much of the advice repeats existing guidance, the threat facing organisations is on a new scale and with new challenges. Organisations must therefore ensure that any technology or process that is introduced to manage this new working environment does not bring with it unintended cyber consequences.