Read on for the steps that both organisations and individual employees can take to do their bit to secure their enterprise data.
Introduction
We are living in a time of heightened cyber risk. Organisations remain operational by allowing their
employees to work from home. Cybercriminals have started taking advantage of public fear to
generate coronavirus-themed phishing attacks. We should be aware of COVID-19-tagged emails with
misleading links or attachments. The IET’s Cybersecurity working group has put together some best
practices to follow at this crucial time to safeguard employees as well as organisations that
are navigating the new order of remote working.
24x7 uptime and connectivity
Due to the current situation, companies and schools have planned for distance
learning and work-from-home setups. Though employees have started using the
work-from-home options, are industries across various sectors, including
PSUs and private companies, prepared for this heavy influx of remote workers?
Organisations should conduct an exercise with their senior leadership teams and
business unit heads to list the critical business applications that employees will
access the most. For cloud applications, technology heads will have to work
with cloud service providers and understand their business continuity plans.
Employers should test and validate that VPN connectivity can handle
higher utilisation than usual. Enterprises with high cloud reliance (e.g., an
extension of capacity, native cloud systems) should select a cloud provider that has
a point of presence in the geography where the majority of employees are located,
and provide network path redundancy.
Timely backup
One crucial element, more important now than ever, is data backup. During
the pandemic, employees from various operational units are using their own
laptops, desktops, etc. In most cases, they save their documents locally
on these systems (for example, as a PDF file or MS Office document) in an
unencrypted format. This is an issue from a legal and compliance perspective. In
case of a cyberattack, they may also lose their data.
Therefore, employees who are working remotely should back up their data in a timely
manner so that they remain unaffected by a cyberattack that could compromise
their valuable data.
Access Control Policy
Financial services organisations, in a bid to maintain business continuity for clients, may have
to give employees remote access. Usual practices like
password protection or data encryption may no longer suffice to counter smart data
theft. Hence, access control policies should be implemented and updated at the various
entry points of the organisation. The organisation can also contain a potential
attacker’s path to crucial data and assets by limiting user access and privileges to the
information and tools that employees need to perform their immediate role.
Enhance the security of BYOD
Employees working from home for the first time will potentially use desktop
computers, laptops, tablets, and smartphones that are not protected to the same
level as workplace devices. They should consider using additional risk reduction
measures like document and file encryption, VPNs, regular scanning, and other best
practices to lower the potential for theft of business intellectual property or finances.
Employees should secure their home Wi-Fi by selecting the most reliable security protocol,
changing the Wi-Fi password often, and using MAC filtering, which can be done by
logging into the router as admin.
Beware of phishing scams and other targeted attacks
Recently, cases of attackers leveraging coronavirus-themed cyberattacks and
phishing emails disguised as sensationalised Covid-19 news or charity pleas have
been on the rise. Fake applications like Corona live 1.1 have also been reported.
Malware attackers are targeting the masses using custom and unique remote-access
trojan attacks that steal user information.
Employees must consciously maintain security best practices while browsing the
web. They should be more cautious about visiting other sites while in session with the
enterprise web site. Concerned departments and ministries should spread public
awareness about these kinds of attacks to save people from being compromised at
this crucial time. Enterprises can keep communicating with employees through awareness
campaigns that remind them of various social engineering attacks.
Regular Software Update
One of the main issues with most organisations operating in these crucial
times, both PSUs and private enterprises, is that they use legacy systems, proprietary
software, and software that may not have been patched. Hence, enterprises need
to update their software regularly to keep employees protected in such times, failing
which they will have to battle lost productivity and negative employee experiences.
Enterprises must stay on top of threat intelligence and push patches at the earliest,
while employees must apply the latest patches to the base platform software
being used.
Conclusion
We are currently in what can be called the largest remote working experiment in the history of
mankind. Both organisations and employees are learning to work in this new world of work and
figuring out the best ways to keep their data safe while minimising disruption and delivering outputs.
The lockdown has brought to the fore the need for IT teams to be more vigilant, for effective and frequent
communication between business leaders and their IT teams, and for seamless communication with
staff to ensure compliance.
Contributors
Anand Handa
Member – IET Cyber Security Working Group
Project Executive Officer, Interdisciplinary Centre for Cyber Security and
Cyber Defence of Critical Infrastructures, Department of Computer Science
and Engineering, Indian Institute of Technology, Kanpur
Arnab Chattopadhyay
Member – IET Cyber Security Working Group
Associate Director, IBM
Advisor
Arvind Tiwary
Chairperson – IET Cyber Security Working Group
Chair, TiE IoT Forum
If you have a question or query, please feel free to reach out to us at sectors@theiet.in. Read more
about our work at india.theiet.org