Governments, businesses and other organisations in the Middle East are increasingly encouraging home working in a bid to slow the spread of COVID-19/coronavirus. While the measure is undoubtedly effective in flattening the curve of coronavirus increase, there are cyber risks to consider in relation to this change. Kaspersky experts have shared their concerns and advice on the process of moving companies to a remote workplace.
Transferring employees to work outside the office is a process that is usually approached with thorough preparation, because once corporate devices are taken outside a company’s network infrastructure and connected to new networks and Wi-Fi, the risks to corporate information increase. During an emergency switch of large numbers of people from office work to home-based work, such preparations should perhaps be at the center of attention.
“Many companies have already adopted a practice of regularly allowing their employees to work at home. The results have been quite positive, and a home-based employee does not pose any risks if the approach to their cybersecurity is comprehensive. There are two major risks to corporate networks related to the home office: employees’ usage of unprotected devices when connecting to the corporate network, and connection via insecure Wi-Fi and 4G/5G networks, especially for those who work from personal devices,” says Maher Yamout, a security researcher at Kaspersky.
The experts noted that the best practice would be to use a corporate device instead of a personal one. They add that the biggest mistake companies could make is to consider an employee device insignificant and ignore the fact that it might be the entry point of a cyberattack. “A year ago, we assessed the cases of cyber incidents and found that a third of them started from employees’ devices. In 34% of cases, it was either a download of a malicious file from an e-mail or a malicious website. So the more potentially contaminated or unprotected machines are connected to the company’s infrastructure, the larger the risks of infection. A vast majority of threats we see are not targeted, but come from mass campaigns that rely on human errors or holes in un-updated software, which means that they are not unpredictable and can surely be prevented.”
The researcher recommends that employers take basic precautions to minimize security risks:
- Provide a VPN for all staff to connect securely to the corporate network, ideally tunnelling all network traffic
- All corporate devices – including mobiles and laptops – should be protected with appropriate security software, including on mobile devices (e.g. allowing data to be wiped from devices that are reported lost or stolen, segregating personal and work data, along with restricting which apps can be installed)
- Make sure you have implemented the latest updates to operating systems and apps
- Restrict the access rights of people connecting to the corporate network based on the need-to-know and least privilege principles
- Remind coworkers about basic cybersecurity rules: do not follow links in emails from strangers or unknown sources, use strong passwords, etc. Ensure that staff are aware of the dangers of responding to unsolicited messages. It is also essential to agree on rules of work: whether all questions are asked in protected chats and whether conference calls are made via secured channels.