New ways of working also give cybercriminals new ways to reach confidential information: homeworking introduces additional security risks for an organisation. For example, an unmanaged workstation is more easily infected by malware, a lack of encryption can lead to a data breach, and missing access controls can give an attacker a way into the organisation's resources. It is therefore in the organisation's best interest to secure its collaborators' homeworking as well as possible.
Secure remote access by using strong passwords that are different for each account (i.e., a long combination of upper and lower case letters, symbols and numbers) and by implementing Multi-Factor Authentication wherever possible. Multi-Factor Authentication requires a user to prove their identity with at least two different kinds of factor (e.g., a password combined with a one-time code generated by an authenticator app or received via text message, or a password combined with a hardware security key) before they are granted access to the resource they are trying to reach. Two pieces of knowledge, such as a password and a PIN code, do not count as two factors, because both can be stolen the same way.
There are two solutions that allow collaborators to work from home: either the organisation provides them with a device, or it allows them to use their private workstations.
The first option, a managed device, ensures that the security risks can be controlled by your IT Responsible through the controls put in place (e.g., restricting administrative rights to limit what a user can do on the device, forcing the installation of required security updates, etc.). However, the cost of providing each user with the necessary equipment is higher.
Relying on collaborators' private workstations can be cheaper, but the organisation then needs to take additional measures (e.g., limiting what can be accessed remotely, requiring Multi-Factor Authentication to reach the organisation's resources, etc.) to make sure these devices cannot harm the organisation. The cost of resolving a breach caused by an unmanaged device also needs to be taken into account.
Strictly limit remote access to the systems and applications needed to keep the business running while homeworking. Other systems, especially those critical to your business (e.g., backup servers), should be segregated from the remotely reachable network so that they cannot be tampered with from a compromised home device.
Using managed devices for homeworking is the safest option, as the organisation can implement more security controls. If managed devices are not an option, collaborators should be given a set of security guidelines and rules so that they adopt the right behaviour when working from home:
• Locking the workstation when leaving it;
• Not leaving any passwords written and accessible (e.g., writing it on a sticky note and putting it on the computer screen);
• Going to a private or secure area when discussing confidential information;
• Restarting or shutting down the computer when the work is done so that pending updates can be installed; and
• Using approved, secure chat services for quick exchanges with colleagues.
Whether collaborators use a managed or a private workstation, it is important to secure their connection to the organisation's resources with a Virtual Private Network (VPN). A VPN encrypts the connection between a device and the organisation's remote servers, so that data in transit between the two cannot be read or tampered with by outsiders, even on an untrusted network. Authentication to the VPN should require Multi-Factor Authentication to make sure that only authorised people get in.
There are several ways a device can become infected with malware: opening an attachment, clicking on a link, plugging in a USB drive or simply visiting a website. A virus is malicious software that damages resources, deletes files, degrades performance or steals confidential information. Once malware is on a computer, removing it takes time, effort and money. This is why every device allowed to connect remotely to the organisation's network should be protected upfront with antivirus software.
In addition, a firewall should be used to monitor and filter access requests to the corporate network based on predefined security rules. The firewall sits between the corporate network and untrusted networks (e.g., home networks, the Internet) and lets the organisation restrict external access to authorised people and services only.
It doesn't matter how many different systems, applications or devices you use or how often: cybercriminals only need to compromise one of them to cause damage and get access to information. Installing updates as soon as they are available is therefore crucial to a strong cyber defence, as is making sure that the versions in use are still supported by the vendor.
Back up all systems, applications, servers and data so that, even if an incident occurs, all important information can still be recovered. Test those backups regularly by actually restoring them and checking the restored files, to confirm that they can be used when needed after an incident.
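Testing a backup means restoring it and comparing what comes back with what went in, not just checking that the archive file exists. The following Python is an added illustration, not code from the original article: it archives a directory, records a SHA-256 checksum of every file in a manifest, then restores the archive into a scratch directory and reports any file that is missing or differs. The sample files, paths and the tampered manifest are constructed for the demo.

```python
"""Back up a directory with a SHA-256 manifest, then prove that it restores.

Added illustration, not code from the original article. All sample files and
paths below are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src_dir: Path, archive: Path) -> dict[str, str]:
    """Archive every file under src_dir; return {relative path: sha256}."""
    manifest: dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(src_dir).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    return manifest


def verify_backup(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Restore into a scratch directory and check every file against the manifest.

    Returns the list of problems found; an empty list means the backup is usable.
    """
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        scratch_dir = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # The "data" extraction filter (Python 3.12, backported to older
            # releases) refuses entries that would escape the target directory.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch_dir, filter="data")
            else:
                tar.extractall(scratch_dir)
        for rel, expected in manifest.items():
            restored = scratch_dir / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"corrupted: {rel}")
    return problems


def run_demo() -> dict[str, list[str]]:
    """Build a constructed sample tree, back it up, and run three restore tests:
    a clean one, one against a manifest simulating silent corruption, and one
    against a manifest listing a file the backup never captured."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "sub").mkdir(parents=True)
        (src / "contract.txt").write_text("constructed sample content\n")
        (src / "sub" / "keys.bin").write_bytes(bytes(range(256)))
        archive = Path(work) / "backup.tar.gz"
        manifest = make_backup(src, archive)

        tampered = dict(manifest)
        tampered["contract.txt"] = "0" * 64        # checksum no longer matches
        incomplete = dict(manifest)
        incomplete["sub/missing.bin"] = "0" * 64   # file absent from the archive

        return {
            "files": sorted(manifest),
            "clean": verify_backup(archive, manifest),
            "tampered": verify_backup(archive, tampered),
            "incomplete": verify_backup(archive, incomplete),
        }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result if result else 'OK'}")
```

Keep the manifest separate from the archive (for instance with the backup job's logs): if both are lost or altered together, the check proves nothing. Scheduling `verify_backup` after every backup run, and alerting when it returns a non-empty list, is what "regularly testing backups" looks like in practice.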
Videoconferencing is widely used when homeworking. The following tips help use it more securely:
• Only use known products;
• Only install the solution from official websites;
• Make sure to keep the solution or software updated;
• Create a separate account for the service rather than reusing an existing one, if possible;
• Secure your account with a strong password and, if possible, the implementation of Multi-Factor Authentication;
• Only take your videocalls in private or secure areas;
• Only share the link to join the videocall with intended people;
• Protect each meeting with a strong password;
• Cover your webcam whenever you are not using it; and
• Configure the region through which your data can transit, if possible.
The first step collaborators should take to secure their home network is to secure their router, i.e., the door between the Internet and their personal network, by implementing the following controls:
• Change the network name (SSID), making sure nothing obvious, such as your address, is used;
• Change the network passwords, including the router's administration password;
• Enable 'WPA2' encryption (or WPA3 where the router supports it) with a strong password;
• Update all your equipment;
• Activate a firewall and use an antivirus;
• Deactivate Wi-Fi Protected Setup (WPS), a feature that lets devices join a Wi-Fi network more easily without entering the password;
• Set up a guest network, a dedicated network separated from your personal one, so that visitors can use your Internet connection without reaching your own devices; and
• Use an Ethernet cable instead of Wi-Fi for devices you don't need to move around, as a wired connection cannot be joined or eavesdropped on from outside the home the way Wi-Fi can.
You can find more information on how to configure your router's settings on the Proximus, Telenet or VOO websites.
Personal devices tend to have fewer security controls than professional ones, making it easier to access them or steal the confidential information they might contain. Collaborators should be aware of the importance of separating professional and personal usage to avoid corporate data leaks. Several best practices help ensure that separation:
• Using different passwords for professional and personal accounts;
• Differentiating professional and personal chat services;
• Differentiating professional and personal backup services;
• Differentiating professional and personal removable media;
• Avoiding the use of unknown and public Wi-Fi;
• Paying attention to what they share online; and
• Only using official websites to download applications.
More details on those best practices can be found in our dedicated article on separating personal and professional usage via LINK.
An organisation's collaborators are its first line of defence. They need to be taught how to recognise scams and fake messages so that they adopt the right reflexes. Cybercriminals use several techniques to steal collaborators' credentials in order to get access to an organisation's resources. Regular awareness sessions are therefore important, teaching collaborators not to share too much on social media and not to click on a link or open a file without first checking where it really comes from.
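"Checking where a link really comes from" can be partly automated. The following Python is an added illustration, not code from the original article: it pulls every link out of an HTML e-mail body and flags the classic phishing signs, namely a link whose visible text shows one domain while the target is another, a bare IP address or a punycode look-alike as the target, an unencrypted http target, and the organisation's own domain name embedded inside a foreign domain. The e-mail, the domains, the IP address and the own-domain list are constructed for the demo.

```python
"""Flag the tell-tale signs of a phishing link in an e-mail body.

Added illustration, not code from the original article. SAMPLE_EMAIL, the
domains, the IP address and OWN_DOMAINS are constructed for the demo.
"""
from __future__ import annotations

import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

OWN_DOMAINS = {"example-bank.be"}  # assumption: the organisation's legitimate domains

# Something that looks like a domain name inside the visible link text.
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

SAMPLE_EMAIL = """\
<p>Dear customer, your session expired. Log in again at
<a href="http://198.51.100.7/login">https://example-bank.be/login</a>.</p>
<p>Or <a href="https://example-bank.be.secure-verify.net/">example-bank.be</a>.</p>
<p><a href="https://xn--exmple-bank-7ib.be/">Verify your account</a></p>
<p><a href="https://example-bank.be/help">Help</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])


def analyse_links(html: str, own_domains=OWN_DOMAINS) -> list[dict]:
    """Return one report entry per link: href, visible text, reasons, suspicious flag."""
    collector = _LinkCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        reasons = []
        if parts.scheme != "https":
            reasons.append(f"scheme is {parts.scheme!r}, not https")
        if _is_ip(host):
            reasons.append("target is a bare IP address, not a name")
        elif any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("target contains a punycode label (possible look-alike)")
        shown = DOMAIN_RE.search(text)
        if shown and (_is_ip(host) or _registrable(shown.group()) != _registrable(host)):
            reasons.append(f"text shows {shown.group()} but the link goes to {host}")
        for own in own_domains:
            if own in host and _registrable(host) != own:
                reasons.append(f"{own} is embedded in a foreign domain: {host}")
        report.append({"href": href, "text": text, "reasons": reasons,
                       "suspicious": bool(reasons)})
    return report


if __name__ == "__main__":
    for entry in analyse_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"{flag:10} {entry['href']}")
        for reason in entry["reasons"]:
            print(f"           - {reason}")
```

The same checks are what a person should do by hand: hover over the link, read the real destination from right to left (the last two labels are what counts, not the familiar name at the start), and be wary of numbers, `xn--` or plain `http` where a bank or employer would use `https`. The two-label approximation of the registrable domain is deliberately simple; a production filter would use the Public Suffix List.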
The aim of this content is to share and raise awareness of good cyber security practice.
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.