The latest course, security tips, and cyber awareness on working from home

A recent WFH employee learning program, the latest security tips, and cyber awareness measures will help SMEs overcome the stresses posed by rogue elements aiming to steal and disrupt during and post COVID-19

Remote staff tend to overestimate the level of their knowledge of cybersecurity basics.

Many IoT devices such as home cameras, routers, and smart appliances present easy targets for hackers.

High-risk groups, like the top leadership who perform mission-critical functions, need a robust complement of security.

The UAE is slowly opening up and businesses have reopened their doors but work from home (WFH) will likely have a long-term impact on the way people work and collaborate even after the pandemic because of its many benefits.

Below are the latest results from a recent WFH training course, along with security tips and cyber awareness measures.

Kaspersky course results

Remote working affected corporate security via a growing number of web-based attacks, coronavirus-related phishing, as well as the increased use of shadow IT

A free adaptive-learning security awareness course from Kaspersky and Area9 Lyceum, aimed at those transitioning to working from home, has seen participants give correct responses 66% of the time. However, the results revealed that remote staff tend to overestimate the level of their knowledge of cybersecurity basics. In 90% of cases when learners selected a wrong answer, they evaluated their feelings toward the given response as “I know it” or “I think I know it”.

The study also identified the most difficult learning objectives, the hardest being the reasons for using virtual machines. As many as 60% of the answers given on this matter were wrong, with 90% of respondents falling into the ‘unconscious incompetence’ category. This means that mistaken learners were still sure that they had selected the right answer or option.

More than half of the responses (52%) to questions about why employees should use corporate IT resources (such as mail and messaging services or cloud storage) when working from home were incorrect. In 88% of cases, remote employees thought that they could explain this correctly. Almost the same proportion of mistakes (50%) was made when answering a question about how to install software updates. In this case, a staggering 92% of those who had provided wrong answers believed they had the required skill.

“If employees see no danger in risky actions, let’s say, in storing sensitive documents in personal storage, they are unlikely to seek advice from IT or IT Security departments. As a result, ‘unconscious incompetence’ is one of the most difficult issues to identify and solve with security awareness training,” comments Denis Barinov, Head of the Kaspersky Academy.

Simple Security Tips 

Alibaba Cloud Head of Security Innovation Labs, Yuriy Yuzifovich, wrote that WFH has enabled businesses to maintain lower running costs but comes with some drawbacks, such as technical challenges, particularly in the area of online security.

While large enterprises have in-house security experts and policies to help ensure security remains top-notch, SMEs and their employees may need some help.  

Here are some steps SMEs can take to ensure that their business-critical information systems are kept secure even while implementing the WFH setup:

Run updates frequently

All home electronic devices should be kept on up-to-date firmware, and all security patches need to be applied quickly. Many IoT devices such as home cameras, routers, and smart appliances present easy targets for hackers. Many inexpensive devices purchased several years ago no longer receive firmware updates because their manufacturers have switched their resources to supporting newer releases. Routers, in particular, present a serious potential threat, as hackers can control the traffic going through them and implement various strategies to attack home users.

Be skeptical with every URL you click

Phishing, in general, has increased since everyone started staying at home. Users need to be extra careful when clicking on links in emails and social media messages. Users may fall victim to fraudsters pretending that the email is coming from another employee. The fraudster may then ask for a wire transfer or ask users to open an attached invoice where the attachment is malware. This type of phishing is called “whaling phishing.”

The most important requests should always be verified by an independent communication channel such as a phone call. 

Social engineering attacks are as popular as ever, with humans still being the weakest link. Hackers often trick users into downloading software with embedded malware. Crafty attacks can ask employees to download malware camouflaged as, or embedded in, teleconferencing software or a game.

Protect your video conferences

With most team meetings now happening through video conferences, it is important to have passwords to limit the conference to only the intended audience. This will protect businesses against fraudsters eavesdropping on corporate meetings.  

In the digital realm, set up and update passwords on a regular basis, update firmware and always go to an official site for new installs.  

Bolstering cybersecurity during COVID-19 and beyond

Gregory Garnier, Partner at Bain & Company Middle East, and Syed Ali, Expert Partner at Bain & Company Houston, United States, wrote that the pandemic forced most companies to embrace the new digital era, and approximately 70% of the companies rolled out WFH for their employees.

Even before the COVID-19 pandemic, research by Bain & Company in Q4 2019 found that executives at many companies overestimate the effectiveness of their cybersecurity and lack the strategic capabilities essential for a robust posture.

Instead of increasing cybersecurity, over 40% of large enterprises made moderate to significant reductions in IT budgets, and about 20% cut their security spending. This made it easier for malicious entities to launch attacks with greater frequency and intensity on remote employees and other corporate assets.

Security teams have seen more attempts at intellectual property theft, particularly since late January 2020. APT41, a prominent cyber threat group, reportedly targeted companies across industries in the US, UK, Canada, and parts of the European Union and the Middle East using recently disclosed vulnerabilities in major vendor systems. Its aim was long-term espionage and surveillance.

Organizations should take two sets of actions against cybercrime: the first to neutralize the threats to all companies that have adopted digital technology, and the second to position themselves for the evolution of how work gets done after the pandemic.

A multidisciplinary task force is the most effective way to tackle WFH threats and improve resilience during the pandemic. 

The task force should begin by characterizing groups of remote workers and partners based on their business role and level of access. All groups should be covered by a common set of modern security technologies and processes. However, high-risk groups, like the top leadership who perform mission-critical functions or employees who have the deepest system access, such as DevOps teams, system administrators, and application developers, need a robust complement of security.

Additionally, to avoid hacks, companies must also consider revising software and hardware technology standards, such as minimum specifications for employee-owned laptops, and lists of approved USB, HDMI, and Bluetooth peripherals for remote workers.