Working from home is the so-called new normal for a considerable portion of the workforce nowadays. It's safe to say that not all companies and their employees were ready for the abrupt shift.
Regardless of whether you already had experience working from home before the stay-at-home orders, everyone is fair game in the eyes of cyberattackers looking for a weak point to exploit.
To help out both employees and companies, we've enlisted some help from the CEO of Straits Interactive, Kevin Shepherdson. Straits is a data privacy platform solutions provider and data protection consultancy based in Singapore, serving the ASEAN region. We sought his advice on how one can operate securely in this new working environment, along with the potential new risks that we need to be aware of.
With people going on work-from-home arrangements, what are the potential cybersecurity risks? Not all companies and employees were ready to suddenly migrate to a remote system, so what should we be looking out for?
Kevin Shepherdson: In our "new normal" of working from home (WFH), companies need to make reasonable security arrangements to protect data that the organization possesses or controls.
It is not just a cybersecurity issue but a data privacy issue as well. Under the Philippines' Data Privacy Act, all organizations must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information "against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing." This applies to work-from-home arrangements.
Some common risks to be aware of:
Based on an IBM/Ponemon research study, a lot of the risks or threats come from inside the organization – be it a negligent employee, a malicious insider, or the failure to follow standard operating procedures.
Organizations also need to be wary of exposure or leakage of data through unprotected devices, compromise or loss of data due to hacking, and unsecured data due to virus or malware attacks. In a Kaspersky Lab Global IT Risk Report, malware, spam and phishing are the top threats affecting businesses. With a work-from-home arrangement, we can assume this will become more pronounced as the line between company and personal devices blurs.
What steps should companies take to plug these gaps?
KS: Companies should embrace a data protection mindset. Here are some steps to begin with:
Next, sustain the data protection efforts by training staff and conducting regular reviews. Then, be prepared for security incidents and data breaches.
A data breach is not a matter of if but more of a matter of when. Organizations should implement data protection and information security on three levels: administrative policies (such as having a person in charge), physical security (providing a privacy screen or camera cover), and technical information security (like encryption and secured communication lines).
Some immediate actions that can be taken are drawing up a clear data protection policy under a WFH arrangement. Provide simple data protection “Dos and Don’ts” for company-provided devices. If employees use their own devices, define the access controls and acceptable use policy. Apply security controls and measures to the company network and applications.
Last but not least, ensure data protection policies are communicated to all employees and encourage them to report incidents. Learn from the incidents and plan for data breaches and security incidents.
What tips would you give employees to help them lessen their vulnerabilities, and make them aware that they could open up their company to hacks if they're not careful?
KS: We have to remember that data protection is everyone's responsibility, and shouldn't just be left to the IT Manager or IT Department. All employees need to be data-aware. Some tips that we would like to share include:
Is there a workflow you'd suggest for those with really large teams on how to effectively cascade proper cybersecurity "hygiene" during these times?
KS: Train, train, train! Create awareness on data protection and information security by holding regular training sessions. As some would say, a well-trained worker is the best safety device.
Has there been a rise in data scams that take advantage of the current coronavirus scare? What should companies and employees look out for?
KS: Data scams have always been an issue in the online world. A very recent example is the spoofing of the WHO (World Health Organization) domain. An email from the WHO domain was sent out to solicit donations capitalizing on COVID-19. In the UK, email scams were asking for donations to help its National Health Service (NHS), which amounted to almost 1.6 million pounds as reported by The Guardian on April 4, 2020.
In Singapore, the Personal Data Protection Commission warned of scammers impersonating the country's Ministry of Health (MOH) officers to request financial information from individuals.
In the Philippines, the Securities and Exchange Commission on April 2 published an advisory on the proliferation of a text scam using the name of the President. The message recipients were made to believe that they had won P750,000 through an electronic raffle, from the PRESIDENT: RODRIGO DUTERTE CHARITY FOUNDATION with Bangko Sentral ng Pilipinas as “Handog ng Kabuhayan.”
And then there are the privacy-intrusive technologies. A lot of these technologies collect excessive personal information and ask for disproportionate permissions on the user’s mobile device. They ask for access to the camera, mic, social media profile and even contacts.
The average person has easily 30 apps installed on a mobile phone, many of which are tracking and collecting personal information in the background for behavioral advertising purposes or sometimes even with malicious intent. Many of these apps are free for users to download. But as the saying goes, "if the app is free, you are the product". – Rappler.com