As the Covid-19 crisis takes hold, many businesses are considering asking staff to work from home.
But a local cyber security expert is warning that insecure remote access systems could be targeted by cyber-criminals.
“Cyber-criminals love a global crisis,” says Carl Ceillam, who is Chief Penetration Tester at The Chain Limited, “we’ve already seen phishing emails exploiting victims of the Flybe collapse, and malicious applications posing as interactive Covid-19 maps. But my main concern is that businesses do not fully understand the risks of working remotely from home. Some of these systems are not as secure as they should be, and so there is a danger we could see a sharp increase in data breaches or fraudulent activity.”
The issue centres on remote access systems and virtual desktop environments that organisations set up for workers who are on the move or working off-island. Mr. Ceillam explains, “many companies don’t have adequate remote access systems in place and are rushing to set up new services or increase capacity. They are not taking the time to have their security tested properly. It stands to reason that if staff can access the system remotely, then potentially so can a cyber-criminal. It’s also important to remember that a home user’s computer may not be as secure as one in the office, so if a home PC gets compromised then it could be snooped on or hijacked by hackers to gain access to corporate systems.”
But hackers aren’t the only threat, and data protection issues could arise from the way many people use remote access systems; “it’s surprisingly common that remote access users are allowed to copy data between their own personal computer and the corporate system, even though in the office transfers to USB devices may be blocked to prevent data loss. When people copy corporate data to their personal devices the organisation loses control of that data. It can be misused by malicious employees, lost, stolen or accessed by unauthorised individuals.”
“These aren’t new risks but as we relocate in large numbers from the relative safety of the workplace to the untrusted internet, the risks are increased significantly,” he says. He points out that cyber-criminals also have the lead on the rest of us when it comes to working in isolation and coping with business disruption; “unlike most businesses, cyber-criminals operate almost exclusively online already; most don’t have an office to go to, they don’t need to meet up in-person with colleagues, and even their victims are online. The only resources they need are an internet connection and a computer. They are open for business and ready to profit from this crisis if we don’t take precautions.”
The Chain has offered the following advice to businesses that are preparing for remote working:
- Perform a proper risk assessment of home-working arrangements
- Ensure the remote desktop platform is penetration-tested
- Enforce mandatory two-factor authentication
- Only allow corporate devices to have remote access
- Monitor for unusual or suspicious activity
- Ensure that clear policies and procedures are in place so that staff know their security responsibilities
If access from home computers is permitted then additional controls should be in place, for example:
- Do not allow file transfers between the corporate system and the home computer
- Make sure home devices are kept up to date with security patches and anti-virus definitions
- Do not use an administrative account to connect to the internet
- Do not share the system with other family members