Imagine if a hacker managed to get access to your company’s payroll system. They would be able to see the personal data of all the staff, their buying power and some of their personal history. So much sensitive data is stored on most company computers and mobile devices that there is much more at stake than we might realise. The rapid spread of the coronavirus means that hundreds of thousands of people have been forced overnight to work remotely or attend classes from home. This large-scale experiment may end up convincing many people of the benefits of teleworking for their work-life balance, but it could also lead to cybersecurity risks.
“An attack by a hacker can expose important assets such as company data, a product in development stages and the personal information of staff,” said Marc Rivero López, an expert in cybersecurity.
Cybercriminals often use scam emails to launch attacks and then steal data. They are adept at changing tactics quickly in line with events. Some hackers use pretexts related to current affairs, such as the coronavirus, according to Rivero López. “In the same way that hooks were used to lure in people before — such as by telling them they could collect an inheritance from a foreign country — emails have adapted to situations such as those caused by Covid-19,” he said. Norton, the antivirus software company, has warned consumers to be careful opening emails that purport to contain coronavirus statistics. In the UK, one text message scam states you will be fined £250 for leaving the house more than once during the pandemic, according to HMRC, the tax authority. The message asks recipients to call an 0800 number to appeal. Don’t do so!
Responsibilities of companies and staff in fighting cyberattacks
Cybersecurity threats do not have to be seen as frightening, but they should serve as a reminder that we need to be vigilant and to make sure we are doing things the right way. In this regard, companies and their staff have different obligations:
- The company: Must have a contingency plan that details the policies for using devices owned by the employer and highlights the obligations that employees must fulfil. The company should also offer guidelines on situations that may occur and the actions to take in each.
- The staff: If you have any indication or suspicion that there may be a security issue, you have an obligation to communicate that to your boss. “Staff members must notify the person in charge of data protection or security if they have any concerns,” said Jorge Carranza, a lawyer specialising in data protection and information security at Legal Army, a legal services provider. This will allow the company to react as quickly as possible.
Tips for maintaining security
Cybersecurity may sound complicated, but it is much simpler than it seems. Many of the security problems that affect companies come about through careless errors. Their effects can be limited if we take some actions that are within everyone’s reach. Carranza and Rivero López recommend taking the following precautions:
- Check if your company has a “device-use” policy document detailing how files should be used properly, what the protocol for using computers or mobile devices is and the rules for installing programs or creating backups.
- Use the systems provided by the company. Where possible, avoid using different tools from those that the company makes available to you. For example, if your company uses the cloud, always upload all the documentation there. If you are under the security umbrella of the company, the information you work with will be much more protected.
- Update the operating system and all the tools you use, such as programs, browsers or even extensions. If possible, enable the option to update automatically.
- Do not use the same password on different portals. That is easier said than done. We use dozens of different sites that require different passwords and it is impossible to remember them all. The trick is to use a password manager. LastPass or Dashlane are good options. There you can store all your different passwords and you can also generate random and robust passwords that are entered automatically. Of course, you have to remember the master password to enter your account in these services.
- Use vaults to share passwords with your team. A password vault is a software program that keeps a number of passwords in a secure digital location. If you have to share passwords with your colleagues, it is not safe to save them in a data sheet or other document. Using password managers will allow you to share this information securely.
- Check that your email password has not been intercepted. In recent years, there have been security breaches at large and small companies, which may have exposed your account and password. You can check if this is the case at Have I been pwned or Firefox Monitor. You can also sign up to be notified if your email is compromised in future.
- Do not enter personal information in any portal unless you are 100% sure it is genuine. You may receive an email, a text, a phone call or other form of message purporting to be from your bank or another company that you know asking you to make a payment or to enter your information through a link. That link usually takes you to a website. It may all appear to be perfectly legal and above board, but unless you are completely sure it is genuine, do not enter your details. If you were not expecting any message, it is better to be wary. Make a call to the company or person who appears to be asking you for these details. Make sure that they have not been hacked and it is not a scam. Hackers create copies of sites so similar to the originals they can trick even the most advanced users: this is called phishing.
Be warned: almost a million people in the UK have received scam calls, texts or emails from criminals posing as tax authorities, according to the Financial Times. Some insist you owe back taxes, while others reel you in by claiming you are due a tax refund.
- Take care of the details. Don’t be sloppy when saving information. Try not to use the hard drive to save files with company data, and delete downloads and temporary files that you have used during the day. When you finish working, remember to log out of your browser and computer. This way, you may prevent someone else from accessing corporate information without your knowledge.
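The phishing tip above says copied sites can look almost identical to the originals; what usually gives them away is the host name in the link. The following added example (not part of the original article) checks a link against a list of domains you actually deal with and flags the common disguises. The domains, the function names and the edit-distance threshold of 2 are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list (assumption): domains you really do business with.
TRUSTED = {"mybank.example", "payroll.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'suspicious' or 'unknown' for a link in a message."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.username is not None:
        return "suspicious"   # "https://brand@other-host/" hides the real host
    if parts.scheme != "https" or not host:
        return "unknown"      # never treat a non-HTTPS link as trusted
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted"      # the exact domain or a genuine subdomain of it
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious"   # punycode can render as look-alike characters
    for d in trusted:
        if d.split(".")[0] in host:
            return "suspicious"   # brand name embedded in a different domain
        tail = ".".join(host.split(".")[-(d.count(".") + 1):])
        if edit_distance(tail, d) <= 2:
            return "suspicious"   # near-miss spelling such as rn for m
    return "unknown"

if __name__ == "__main__":
    for sample in (  # constructed sample links
        "https://online.mybank.example/login",
        "https://mybank.example.account-verify.test/login",
        "https://mybank.example@login.test/",
        "https://rnybank.example/",
        "https://news.test/article",
    ):
        print(f"{check_link(sample):10} {sample}")
```

A result of "unknown" only means the link matched none of these patterns; the advice above to call the company before entering any details still applies.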
Are you teleworking? Apply these extra tips
For those working from home, either full-time or part-time, there are some extra steps you can take to protect the information you work with:
- Change the password to your wifi. If you use the password given to you by your broadband supplier, a hacker will find it much easier to enter your network. It is best to create your own password, with more than 12 characters, upper and lower case, special characters, and without references to personal data.
- Hide or change the name of your wireless network. It is better to use a name hackers cannot identify with you. Calling it “John’s wifi” just makes life easier for someone who wants to hack into your network, since they will know easily which one they have to unlock.
- Do not use public access networks. Some people can access public networks even from their homes through wifi hotspots, such as BT’s. They are best avoided, however.
- Use a VPN connection if the company has enabled it. Many companies have private and encrypted access installed on their employees’ computers to the office’s physical local network: this is a virtual private network (VPN). By using it, you can connect to the internet and the company’s internal network when you are working from home, as if you were in the office. This minimises the risks associated with using your own wifi network.
- More advanced users can control which devices are allowed on their network through the MAC (media access control) address, or even hide the access point to the network. (The MAC address is a number that identifies each device on your network, such as your iPad or other tablet.)
If you don’t do any of this and the network is configured to default settings, hackers can get into it in less than 15 minutes, according to Rivero López.
I have been hacked anyway: what can I do?
Perfect cybersecurity does not exist. We can take action and make the job a little more difficult for cybercriminals, but there will always be some risk. There are several types of threats that we face:
- Phishing: fraudulent messages that try to steal your data.
- Ransomware: a virus that encrypts the content of the device and asks for money in exchange for unlocking the computer and returning the data to the company.
- Adware: a program that creates additional ad windows in your browser.
- Spyware: a type of malware the attacker uses to observe what the user is doing without permission.
- Remote access: the hacker can control your computer remotely.
- Worms: a type of malware that can multiply in the internal network, affecting other computers in your company.
- Trojans: one of the most dangerous viruses. It appears to be something useful, but once installed it can steal your data.
If you think you may have suffered an attack of any type, the first thing to do is to inform your company, which has an obligation to analyse what happened and try to find out what the error may have been.
Consequences for staff
The consequences will depend on the severity of the security breach and the information the company has provided to its employees about protocols for using the devices. Based on these two factors, a cyberattack on an employee could even result in dismissal in the event of gross negligence. Carelessly leaving a company laptop open in a restaurant is not the same as being the victim of a hacker who has gained access to your wifi network despite the precautions you have taken, according to Jorge Carranza.
At the same time, the company has the right to audit your equipment from time to time to make sure you are implementing cybersecurity recommendations and to prevent unauthorised use of the computer. You must be informed in advance of what they plan to do and how they will do it, and they should not invade your privacy.
This is why it is important for companies to have detailed rules around cybersecurity. These rules should document “the rights and obligations of the company and the employees, detailing in which cases users can be audited by the company,” said Carranza. If the rules are clear, and you follow these basic safety tips, working from home can be practically as safe as doing it from the office.
Translated by Sunita Maharaj-Landaeta