Companies are following government guidance and getting as many people as possible working from home. Some companies will have resisted home working in the past, but I’m certain that the sceptics will find that people can be productive with the right tools no matter where they are. A temporary solution will become permanent. But getting it right means managing risk.

Access is king

In a typical office with an on-premise data centre, the IT department has complete control over network access, internal networks, data, and applications. The remote worker, on the other hand, is mobile. He or she can work from anywhere using a VPN. Until just recently this will have been from somewhere like a local coffee shop, possibly using a wireless network to access the company network and essential applications.

But as we know, CV-19 means that huge numbers of people are getting access to the same desktop and files, applications and collaborative communication tools that they do on a regular basis from the office or on the train. Indeed, the new generation of video conferencing technologies comes very close to providing an “almost there” feeling.

Hackers lie in wait

Hackers are waiting for a wrong move amongst the panic, and they will look for ways to compromise critical servers. Less than a month ago, we emerged from a period of chaos. For months hackers had been exploiting a vulnerability in VPN products from Pulse Secure, Fortinet, Palo Alto Networks, and Citrix. Patches were provided by vendors, and either companies applied the patch or withdrew remote access. As a result, the problem of attacks died back. 

But as companies race to get people working from home, they must take special care to ensure the patches are applied before switching VPNs on. That’s because remote desktop protocol (RDP) has been for most of 2019, and continues to be, the most important attack vector for ransomware. Managing a ransomware attack on top of everything else would certainly give you sleepless nights.

Exposing new services also makes them susceptible to denial of service attacks. Such attacks create large volumes of fake traffic to saturate the available capacity of the internet connection. They can also be used to attack the intricacies of the VPN protocol. A flow of as little as 1Mbps can disrupt the VPN service and knock it offline.

CIOs, therefore, need to acknowledge that introducing or extending home working broadens the attack surface. So now more than ever it’s vital to adapt risk models. You can’t roll out new services with an emphasis on access and usability and not consider security. You simply won’t survive otherwise.

Social engineering

Aside from securing VPNs, what else should CIOs and CTOs be doing to ensure security? The first thing to do is to look at employee behaviour, starting with passwords. It’s highly recommended that strong password hygiene or some form of multi-factor authentication (MFA) is imposed. Best practice would be to get all employees to reset their passwords as they connect remotely and force them to choose a new password that complies with strong password complexity guidelines.

As we know, people have a habit of reusing their passwords for one or more online services – services that might have fallen victim to a breach. Hackers will happily leverage these breaches because they are such easy and rich pickings.

Secondly, the inherent fear of the virus makes for perfect conditions for hackers. Sadly, a lot of phishing campaigns are already luring people in with the promise of important or breaking information on COVID-19. In the UK alone, coronavirus scams cost victims over £800,000 in February 2020. A staggering number that can only go up. That’s why CIOs need to remind everyone in the company of the risks of clickbait and comment spamming - the most popular and obvious bot techniques for infiltrating a network.

Notorious hacking attempts

And as any security specialist will tell you, some people have no ethics and will exploit the horrendous repercussions of CV-19. In January we saw just how unscrupulous hackers are when they started leveraging public fear of the virus to spread the notorious Emotet malware. Emotet, first detected in 2014, is a banking trojan that primarily spreads through ‘malspam’ and attempts to sneak into computers to steal sensitive and private information.

In addition, in early February the Maze ransomware crippled more than 230 workstations of the New Jersey Medical Diagnostics Lab and, when they refused to pay, the vicious attackers leaked 9.5GB of research data in an attempt to force negotiations. And in March, an elite hacking group tried to breach the World Health Organization (WHO). It was just one of the many attempts on WHO and healthcare organisations in general since the pandemic broke. We’ll see lots more opportunist attacks like this in the coming months.

More speed less haste

Finally, we also have bots to contend with. We’ve yet to see reports of fake news content generated by machines, but we know there’s a high probability it will happen. Spambots are already creating pharmaceutical spam campaigns thriving on the buying behaviour of people in times of fear from infection. Using comment spamming – where comments are tactically placed in the comments following an update or news story – the bots take advantage of the popularity of the Google search term ‘Coronavirus’ to increase the visibility and ranking of sites and products in search results.

There is clearly much for CIOs to think about, but it is possible to secure a network by applying some well thought through tactics. I believe it comes down to having a ‘more speed, less haste’ approach to rolling out, scaling up and integrating technologies for home working, but above all, it should be mixed with an employee education programme. In reality, great technology and a coherent security strategy will never work if they are undermined by the poor practices of employees.

Author profile

Pascal Geenens Security Researcher, Radware
