The COVID-19 pandemic in 2020 has had a profound impact on the lives of most people, both in terms of workplace practices and personal lifestyle. One of the key measures introduced by governments all over the world, to differing degrees, to slow down the spread of COVID-19 was social distancing. For many industries this meant accelerating the practice of remote working wherever possible, and employees had to shift to working from home over a matter of days. Employees in these industries were the “lucky” ones, as other industries such as the aviation, events or hospitality sectors were practically closed down during the lock-down periods enforced at different times of the year. Not unexpectedly, this rapid shift to remote working was accompanied by an increase in phishing scams and other forms of cyber attack, as attackers sought to take advantage of the more open infrastructure which many organisations had to resort to.
ENISA, the European Union Agency for Cybersecurity, reports that European SMEs are facing increased cyber threats [1]. ENISA contends that “Accounting for more than half of Europe’s GDP, SMEs are a key driver of innovation and growth across the Union. Their well-being is vital to both the economy and society. The pandemic has put an incredible stress on these businesses this year. SMEs are not only navigating a new digital realm where employees work from home and business is increasingly conducted online, but they are also facing more advanced and targeted cyber threats”.
In the changing digital landscape, employees working remotely need to adopt best practice to reduce the risk of their systems being compromised and serving as launch pads for cyber attacks on their company’s infrastructure. ENISA has set out a series of basic recommendations for employees working remotely and presented these both as infographics and as a short video.
According to ENISA, the top ten cyber hygiene topics that SMEs should address, possibly through outsourcing where needed, are the following [2]:
- Management buy-in. It is important that management sees the importance of cybersecurity for the organisation and that it is informed on a regular basis.
- Risk assessment. This answers the question: what do I have to protect and from what? Identify and prioritise the main assets and threats your organisation is facing.
- Cybersecurity policy. Have the necessary policies in place to deal with cybersecurity and appoint someone, for example an Information Security Officer (ISO), who is responsible for overseeing the implementation of these policies.
- Awareness. Employees should understand the risks and should be informed about how to behave online. People tend to forget such things rather rapidly, so repeating this every now and then can be valuable.
- Updates. Keeping everything (servers, workstations, smartphones, etc.) up to date is key to your cyber hygiene. Applying security updates is part of this process. Ideally, this whole process is automated to some degree and the updates can first be tried out in a testing environment.
- Backups. Prior to applying these updates it is vital to have good backups in place. Backups will also protect the environment from attacks such as ransomware. Back up the most important data often and think about the cost of losing the data produced during a given timespan. Keep the backups offline, test the backups and try to keep more than one copy of them.
- Access management. Have rules and policies in place for access management and enforce them. Make sure, for example, that default passwords are changed and that passwords are not shared.
- Endpoint protection. Think about securing the endpoints, for example by installing antivirus software.
- Secure remote access. Limit remote access as much as possible and where absolutely needed, enable it but in a secure way. Make sure that communication is encrypted properly.
- Incident management plan. There should be a plan on how to handle an incident when it occurs. Different realistic scenarios could be part of this plan. Get to know whom you could contact when things are problematic, for instance the national CSIRT.
Home set-ups are often insecure and employees tend to use several devices. In addition, remote working leads to increased data sharing over the internet, and the logistical challenges hamper IT support [3]. Other recommendations made frequently by cyber security experts are based on the simple precept of treating business information as personal information:
Use antivirus software – at a personal level, if you are using the same device and network for work. Prevent important or key data from ending up in the wrong hands.
Ensure privacy with a VPN – If using a company computer, it should be checked regularly by the internal IT team for any possible compromise of the device. If using a personal computer, a VPN should be used to secure the connection and encrypt data in transit.
Ensure software and programs are consistently updated – Large software companies tend to provide updates to their software on a regular basis. Make sure that these systems are consistently updated so that no criminals or hackers can exploit weaknesses in older versions of the software that could prove damaging to the organisation.
Beware of scams: COVID-19 – Attackers always seek to get people to click on their malicious links. The latest ploy is to use COVID-19 related emails or links to get people to click through and essentially expose themselves to attack.
Two-factor authentication – It is important for companies to invest in systems that allow for maximum security. Strong passwords are effective but not infallible. Two-factor authentication involves an additional step that adds an extra layer of protection to an employee’s accounts.
Back-ups – All important files should be backed up regularly, preferably using cloud services. Clear policies are required to ensure that proper back-up procedures are established and maintained on a daily basis, and this includes regular testing of back-up solutions.
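Both the ENISA “Backups” topic above and the “Back-ups” recommendation here stress testing the backups, not just taking them. A backup that has silently lost or corrupted files is discovered only at restore time, which in a ransomware incident is the worst possible moment. The following is an added example, not code from ENISA, eBusiness Systems or the sources cited; it assumes a simple file-level backup of a directory tree and uses a constructed sample tree created in a temporary directory. It records a SHA-256 manifest of the source at backup time (to be kept separately from the backup copy) and later checks the backup against that manifest, reporting missing and corrupted files:

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir):
    """Map each file's path (relative to the tree root) to its SHA-256 digest."""
    source = Path(source_dir)
    return {
        p.relative_to(source).as_posix(): sha256_of(p)
        for p in sorted(source.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest, manifest_path):
    """Write the manifest as JSON; store it away from the backup media itself."""
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path):
    return json.loads(Path(manifest_path).read_text())


def verify_backup(backup_dir, manifest):
    """Check every file in the manifest exists in the backup with the same digest."""
    backup = Path(backup_dir)
    missing, corrupted = [], []
    for rel, expected in manifest.items():
        candidate = backup / rel
        if not candidate.is_file():
            missing.append(rel)
        elif sha256_of(candidate) != expected:
            corrupted.append(rel)
    return {"ok": not missing and not corrupted,
            "missing": missing, "corrupted": corrupted}


def demo():
    """Constructed scenario: a good copy, then the same copy after damage."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp) / "source", Path(tmp) / "backup"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "invoice.txt").write_text("invoice 42\n")   # constructed sample data
        (src / "notes.txt").write_text("meeting notes\n")           # constructed sample data

        manifest = build_manifest(src)
        save_manifest(manifest, Path(tmp) / "manifest.json")
        shutil.copytree(src, bak)                                   # the "backup" operation

        good = verify_backup(bak, load_manifest(Path(tmp) / "manifest.json"))

        # Simulate bit-rot on one file and loss of another on the backup media.
        (bak / "notes.txt").write_text("meeting notes (damaged)\n")
        (bak / "docs" / "invoice.txt").unlink()
        bad = verify_backup(bak, manifest)
        return good, bad


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup:", before)
    print("damaged backup:", after)
```

Run this as part of the scheduled backup test rather than on demand: if `ok` is false, the report names exactly which files need to be re-copied from a second, preferably offline, copy. The manifest is kept apart from the backup so that damage to the backup media cannot also alter the record it is checked against.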
eBusiness Systems provides an extensive range of support services that include training and development of staff in basic cyber security procedures, the setting up of appropriate cyber security policies and guidelines, and support in their implementation. An important part of the support services provided by eBS in this regard is the planned testing of cyber security solutions, as all too often the regular testing of systems is crowded out by day-to-day urgent deliverables. eBS support services in this sector ensure that appropriate and timely specialised support is available, so that an organisation’s cybersecurity efforts are carefully dovetailed with its overall enterprise risk management activities.
[1] Anon, 2020, “European SMEs facing increased cyber threats in changing digital landscape”, ENISA, Nov 23, https://www.enisa.europa.eu/news/enisa-news/european-smes-facing-increased-cyber-threats-in-a-changing-digital-landscape
[2] Anon, 2020, “Top ten cyber hygiene tips for SMEs during COVID-19 pandemic”, ENISA, Jun 02, https://www.enisa.europa.eu/news/enisa-news/top-ten-cyber-hygiene-tips-for-smes-during-covid-19-pandemic
[3] Mutune, George, 2020, “Work from Home Cyber Risks”, CyberExperts, https://cyberexperts.com/work-from-home-cyber-risks%EF%BB%BF/