Since the global epidemic of the new SARS-CoV2 virus in March, our society has faced many challenges. This also affects the way we work and especially where we work. As a result, many companies have suddenly and usually abruptly moved to work at home. According to Bitcom, almost every 2nd employee in Germany was affected by this development. But how well could the IT security be guaranteed? And especially: What could we learn from this for the current 2nd wave of home offices?
IT security or smooth operations while working at home?
This shouldn’t be a decisive question, even though reality has shown that this was indeed the case.
Virtually overnight, the employees – and with them the IT they were using – started to work from home. Many companies were not prepared for such changes, since working at home was long considered to be no alternative to on-site presence. It showed that their IT structures were not designed for this situation. In many cases, the business-critical infrastructure was often the priority when setting up a remote work environment.
The responsibility for the security of the devices used was thus handed over to the employees. Often, however, the basics for IT security, such as training or the necessary infrastructure for working remotely, were already missing.
A survey of Computerbild shows that basic security measures were also not used: Almost two-thirds of those surveyed stated that they had password protection for their computers and installed virus protection programs. However, only just under half of those surveyed said that there was a separation between privately and professionally used devices. VPN connections and Multi-Factor Authentication (MFA) were also only used by about a third of those surveyed.
At the same time, many companies had highly fragmented security systems that operated as silos. At least at the management level, the Corona crisis has certainly created an awareness of new unified security systems. One solution here would be Managed Security Services (MSS), which offer a security solution for all business areas from a single source. It can be assumed that the costs and benefits of security solutions will be reassessed soon. And companies are prepared to move away from old structures in favor of increased security.
The potential threat to IT security through cyberattacks while working from home
Nevertheless, there is one piece of good news: despite often weak security equipment while working at home, the German Federal Office for Information Security (BSI) initially did not detect an increased increase in (successful) cyber attacks on companies. However, the feared loss of reputation may also have meant that companies do not allow such attacks to get out. Attempted attacks are therefore more likely not to have been reported and the number of unreported attacks could therefore be significantly higher.
Although the number of attacks has not increased, the topics with which aggressors approach companies and their employees have changed. Although malware spam uses always social engineering methods to address people’s fears and worries, the topics have changed. In recent months, the new uncertainties in connection with the Corona crisis have been central topics.
CEO-Fraud / Business Email Compromise (BEC)
CEO-Fraud is not a new concept either, but this phishing tactic was increasingly observed in connection with the Corona crisis. The procedure is always the same: an employee receives a ( presumed) e-mail from a superior. With the request to accept an appointment invitation via a link. Or to transfer a larger sum of money to a specific account. Urgent!
If you are not in constant contact with your manager anyway, then you should be alert. But even in the first case, it’s best to pick up the phone first and have the matter confirmed again. Attackers may have assumed the identity of your manager – with the help of freely accessible data on the Internet and possibly with the help of previous “information campaigns” among internal employees. The latter is particularly true if you are not normally a direct contact for the management level.
Also, check the sender address again: Often, it is not the work e-mail address, but a supposedly “private” one from your employer. But even the official address is not always a grant for a real e-mail. Your manager’s mailbox may have already been taken over by a malicious software attack, e.g. Emotet. With the help of so-called Outlook harvesting, the attackers have now succeeded in sending deceptively real-looking e-mails to additional recipients.
These measures secure your IT
As you can see, in addition to the technical components, the human factor must also be taken into account when securing your IT systems.
Short-term measures such as the strict separation of private and professional devices are a good start for the current situation. In the long term, however, you need a holistic strategy that starts with the choice of the technical solutions used. This concerns VPN clients, cloud applications as well as firewall and anti-virus programs. Ideally, these modules go hand in hand, so that the maintenance effort of your IT infrastructure is reduced.
It is also essential that you become even more aware of the importance of human security risk – and take active measures. This begins with training on phishing, which not only addresses the basic problem but also explains technical aspects. Only then can a basic understanding of the dangers of such attacks be developed.
At the same time, we advise you to introduce improved password security in your company. While employing Multifactor Authentication (MFA), users must identify themselves several times when logging on to different applications or devices. This increases security against unauthorized use by third parties. An MFA is especially important for all employees who have administrative or remote access rights to servers and devices of third parties.
We are pleased to be at your disposal as a contact for your IT security.
Do you have questions or additions? Then leave us a comment. We look forward to your feedback.