On the back of the findings of the Attacks From All Angles 2021 Mid-year Cybersecurity Report by Trend Micro, the remote workforce remains an organisation’s greatest vulnerability when it comes to cybersecurity. Zaheer Ebrahim, Cyber Security Consultant at Trend Micro, shares five ways businesses can ensure they are not compromised amidst a 47% year-on-year increase in cyber threats globally.
From VPN vulnerabilities and cloud threats to email breaches and Covid-19-related scams, the pandemic and the consequent rise of the remote workforce have given bad actors new opportunities to exploit weaknesses and vulnerabilities in individuals’ personal and organisations’ work-related cybersecurity systems.
Modern ransomware continues to mature and remains a significant threat to businesses and government organisations across the globe, moving deeper into victims’ systems and exfiltrating data before delivering its payload. While these kinds of cybersecurity attacks are becoming more targeted and complex – making them more detrimental to their victims – so are the methods of reaction and prevention.
Here are five key ways for employees and organisations to protect themselves from cyber threats:
- Connect to secure and verified internet providers and use anti-virus software
To secure your home as a new place of work, it goes without saying that laptops, tablets and mobile devices that are used for business purposes need to have up-to-date antivirus software. The same goes for your router, which needs to have its software updated regularly and should be reset from its default factory password (‘1234’ or ‘admin’) so that it is not easy to hack.
Organisations should provide internet dongles or mobile data bundles to their employees, so that they do not have to resort to connecting to free, unsecured networks when they are working remotely from coffee shops, coworking spaces or other public spaces. A safer alternative is to use your mobile device to create a secure hotspot between your smartphone and your tablet or laptop because you then retain control over this connectivity.
- Use a secure VPN
Nothing in life is free. Open Wi-Fi portals are often too good to be true. These unsecured networks do not encrypt data and may allow anyone to listen in on the internet traffic between a device and the public router. A bad actor sitting nearby may detect your traffic, look at what you’re doing and intercept it.
Every corporate environment should have a dedicated VPN application that allows employees to connect to the internet via a secure tunnel. Employees also need to check into their corporate network regularly via a VPN, so that the IT department can create synergy between employees’ devices, their cloud connection and the head office.
If you have no other way to connect to the internet but through an unsecured, public network, you should always use a VPN. This makes it much harder for a hacker to detect your traffic and see where it is being directed to.
- Avoid shoulder surfing with MFA
Use a specialised application or password generator to create strong passwords for your organisation that require a forced regular reset. Do not allow employees to use predictable password sequences with slight variations.
Shoulder surfing is likely to happen when working in a public space. Credentials that are stolen in this way may lead to Business Email Compromise (BEC) internally. Best practice is to use Multi-Factor Authentication (MFA) via an SMS that is sent to your smartphone, or an application such as Google Authenticator or Microsoft Authenticator.
- Use Application Control to block potentially harmful installations and downloads
Although many companies have fair usage policies for their employees, many employees do not abide by them. One example is how, in recent years, peer-to-peer (P2P) file-sharing sites – such as BitTorrent, uTorrent and Pirate Bay – have piggybacked onto devices for cryptocurrency mining.
As a result, many organisations use tools such as Application Control to create a blacklist and whitelist of applications and software that can be downloaded or accessed via a company device. This approach can also allow the IT department to audit any application or software and its potential threat before giving or denying permission. In this way, the employee does not have to accept any responsibility.
- Educate and inform: regular employee cybersecurity training
Regular employee cybersecurity training, at least once a quarter or biannually, is invaluable, especially as cybersecurity threats are continuously evolving. Trend Micro offers a cloud-based security awareness service called Phish Insight, which carries out customised security awareness training by rolling out automated phishing simulations that are tailored to an organisation’s niche sector.
The simulation identifies ‘patient zeros’ and yields a list of vulnerable points so that relevant cybersecurity products and services, and education measures can be implemented.
This also allows an organisation to ensure that all employees are familiar with their cybersecurity protocols – for example, discouraging employees from signing up to newsletters from their work emails and devices and helping them identify possible security risks. These risks may include emails with malicious URLs that are sent from incongruent domains, are written in a poor writing style (spelling and grammar), and usually rely on a sense of urgency.
These are but a handful of ways that employees can be empowered to reduce human error and become an organisation’s greatest security asset.