Home-based workers are at increased risk of cyber attack, but there are several measures they can take to reduce risk.
This is according to Bryan Baxter, a corporate IT business development manager and IITPSA KZN chapter committee member, who was addressing an IITPSA KZN Chapter webinar last week.
The webinar, focusing on cybersecurity and etiquette for remote work and meetings, outlined a significant shift in cyber risk facing companies and their employees.
“The abrupt move to remote working and cloud has driven many companies to try and do in a matter of months what others took years to achieve,” Baxter said. This move has strained IT resources and highlighted vulnerabilities in home IT environments, which cyber criminals were taking advantage of.
“Security and communications at home are typically not sufficient for corporate usage,” Baxter warned.
Reducing home worker cyber risk
Corporate data is at risk in home user environments due to common vulnerabilities in home networks, and the fact that many users were unaware that their personal information may already have been compromised, Baxter said.
Baxter said key risks among remote workforces included vulnerable endpoints, data leakage, password compromises, the use of shadow IT, a lack of corporate VPNs and insecure meeting solutions.
“A layered defence approach is needed to protect users, data, networks, devices and technology,” he said. “IT professionals need to make users’ lives easier and they must make it easy for end users to stay secure, or we will see the emergence of shadow IT and greater risk.”
He recommended a number of ways to mitigate risk in home user environments: “Enhance user awareness training, implement stronger two-factor authentication and keep personal and work systems separate.
“Corporates should ensure that they have classified their data and that sensitive data is adequately protected from employees working at home. Regularly backing up both work and private data is essential.
“Use a VPN to access important systems, and secure home routers and wireless devices. Updated endpoint protection such as anti-virus and host-based firewalls are important. These are now moving to more advanced threat protection such as EDR or endpoint detection and response. This is important because standard AV does not pick up shell scripting compromises.
“Home systems must be patched and kept up to date, and ideally home users should create separate admin and user accounts on their home computers.”
He also emphasized the need to change the default admin password on the home router; enable WPA2 encryption; and use a strong password for the home wireless network.
Selecting safer virtual meeting solutions
With a webinar participant poll revealing that 38% of participants most often use Microsoft Teams, 42% use Zoom, and 9% use Google Meet for video conferencing, Baxter noted that selecting the right solutions for enterprise use was crucial for security and data protection.
He highlighted cases in which meetings had been compromised and videos of meetings posted online. “If you’re going to have a board meeting or talk about your financial results, you need to think about the solution you’re using,” he said.
“Enterprises need to look first at the vendor – asking what is their support like, and can you trust them. Then consider the solution – asking how good is the product, how is it rated and how secure is it?” Considerations should include whether the solution was fit for purpose, its cost and the ease of integration and mobility options.
Factors that should be considered include whether the video conferencing solution offers full end-to-end encryption, where data is stored and whether this data would remain private, if meetings could be password protected, the level of host control to mute, block and drop attendees, the visibility of attendees, and if information could be protected from unauthorised modification, access and disclosure.
Etiquette for online meetings
Baxter recommended several basic measures to improve security and effectiveness of online meetings: “Test the technology before the meeting; have a plan and agenda; appoint a moderator; only invite participants who need to be there; and lock the conference and put passwords on entry.
“Inform participants if you are recording the meeting and introduce everyone at the beginning.
“Participants should have a clean, work appropriate background for the video call; be aware of their audio and video settings; they should look into the camera and not at themselves while speaking; and they should eliminate distractions and focus on the agenda: be present, mute your mic when not speaking and don’t do other work during the meeting,” he said.
The IITPSA KZN chapter webinar was one of a series of new webinars IITPSA is rolling out to enhance communication and knowledge sharing among members. The Institute of Information Technology Professionals South Africa (IITPSA) CEO Tony Parry noted that the Institute is also increasing the frequency of its new Tabling Tech webinars, designed to give in-depth insights into emerging technologies.