View security guidance on preventing cyber attacks during the unique working arrangements of Covid-19.
As a result of the ongoing Covid-19 crisis and the sudden move towards remote working, many practitioners and their employees will find themselves in less secure IT arrangements, possibly using personal devices rather than office-issued hardware.
The Society previously issued a practical guide on working from home. However, with the increase in cyber attacks, the below information sets out additional advice on common cyber security risks associated with working remotely and the steps that can be taken to mitigate against them.
Practitioners are advised to keep anti-virus software, computer programmes and operating systems up to date and to exercise caution when opening attachments from unknown or unsolicited emails.
Virtual Private Networks
If you are working from home, you may have the option of utilising a Virtual Private Network (VPN). This is a network that allows remote users to securely access office IT resources, such as email and a firm’s case management system. A VPN does this by creating an encrypted network connection that authenticates the user’s device at home and encrypts the data in transit between that device and the IT resources from the office. There are many VPN providers on the market and advice from an IT expert should be obtained before selecting one.
If you are already using a VPN, make sure it is fully patched and, where possible, require two-factor authentication for VPN logins. It is also worth considering whether an employee needs access to the entire office network, email or cloud service. If not, limit the employee's network access to what their role requires. Where full access is required, it is safer that this occurs through an office-owned device rather than a personal device.
If you are working without a VPN, ensure any locally stored data is adequately backed up in a secure, offline manner.
Using personal devices
Using personal devices as work devices increases the exposure to successful attacks. It is therefore recommended that, where possible, practitioners and their employees should not work through their personal device. However, given the rapid change of working arrangements brought on by Covid-19, it is understandable that this option may not be available.
If it is the case that access can only be obtained through a personal device, consider restricting it to email and cloud services and issue the device with a license for the same anti-malware available in the office. In addition, consider limiting the ability to download and copy data to that device. It is also important that regular scans are conducted for malware and spyware.
Finally, multi-factor authentication is highly recommended before allowing a personal device to connect to your network.
Multi-factor authentication (MFA) most commonly works by requiring a unique, time-limited passcode in addition to your password before login. The code is either generated by an authenticator app on a device you hold, or sent by the host system to another device in your possession (for example by SMS). In short, MFA acts as an additional barrier to a fraudster gaining access to your critical data even if your password has been compromised. There are a number of options for setting up MFA.
If your device has a biometric reader, it can capture your face or fingerprint and require it before allowing you to unlock the device or open a particular programme. Most smartphones have this feature and it is not difficult to enable.
There are many authenticator apps that can be downloaded, such as Google Authenticator, which generate a time-limited code on your phone to be entered after your password at login; the code is computed on the phone itself from a secret shared when you enrol, not sent to it. Some services instead send a code by SMS text message. This is better than no second factor, but it is weaker than an app, because SMS messages can be intercepted or redirected by a fraudster who takes over your phone number. Care should be taken when selecting an appropriate app.
External physical key
Practitioners can also purchase a USB security key that is inserted into your device and generates a unique one-time code, or signs the login request, each time you touch or tap the button on the key. The key can be used for login, for authorising deposits to or withdrawals from your account, or as a master key. There are many devices like this on the market and care should be taken when selecting an appropriate one.
Physical security of devices outside of the workplace
During the Covid-19 period, practitioners and their employees will be exposing devices to greater risk by taking them outside the security of the office. To protect against this, practitioners using Windows should consider enabling BitLocker, which provides full-disk encryption. This ensures that, if the device is stolen, the data on it cannot be accessed even if the hard drive is removed and connected to another computer. The recovery key that BitLocker generates when it is enabled should be stored somewhere other than on the device itself, as it is the only way back in if the device fails to unlock.
It is also recommended that there should be a strong password/passphrase policy, and a policy of never leaving a device unattended without logging off or locking the computer.
Practitioners and their employees should only connect with a secure private wifi connection. Thankfully, most wifi systems at home are correctly secured. However, connecting through an open or insecure wifi means that criminals in the near vicinity can view your traffic.
Many firms have started using Zoom or Skype to conduct meetings with clients and staff. However, there can be a risk of criminals hijacking meetings and overhearing content. To protect against such an attack the following steps will help to reduce the risk:
- Set the meeting to private.
- Have the host of the meeting set a password for attendees.
- Make sure all connected accounts are fully updated.
Important additional security measures for Zoom
- Enable the waiting room option on Zoom so that the host can view attendees and admit them one by one.
- Do not use your Personal Meeting ID for the meeting. Instead, use a meeting ID that is exclusive to a single meeting.
- Disable Join Before Host and participant screen sharing. These should be disabled by default, but check to be sure. In addition, disable file transfer, annotations and the auto-save feature for chats. These features can be turned off by clicking on Settings after login, where each of them can be switched off.
- Once the meeting begins and everyone is in, lock the meeting to outsiders and assign at least two meeting co-hosts. The co-hosts will be able to help control the situation in case anyone bypasses your efforts and gets into the meeting. To add a co-host, go to the Settings, then Meetings and scroll down to Co-host and make sure it is enabled.
- Meeting links should be sent by email, and only to the intended attendees; never post them publicly.
- A meeting via Zoom may be recorded and shared by the host. Therefore, it may be preferable to be the host for certain meetings. A meeting via Skype may be recorded, however a pop-up notice will inform you of same.
Best practice procedure for transmitting sensitive and confidential information
The most secure method of providing or receiving bank details is directly by hard copy. Transferring account details by email should be avoided, where possible.
Another way to further reduce the risk of fraud when exchanging bank account details is via telephone. This should only be attempted when the practitioner is absolutely certain that the person they are speaking to is the actual person with whom they wish to exchange bank details. If uncertain, practitioners should consider a video call where the individual can be visually identified.
However, during this period, practitioners may find themselves in situations where it is absolutely necessary to transmit bank account details, and the only way of doing so is via email. In such circumstances, and to mitigate the risk of fraud, it is recommended that the transmission should only occur by attaching to the email a password-protected document containing the relevant account details. This document should be protected by a robust password or passphrase, which must be provided to the recipient through an alternative secure communication method (for example, read out over the telephone) and never in the same email or email thread as the attachment. This procedure for transferring data applies equally to the sharing of all other sensitive and confidential information.
For more information regarding securing your email system see the following practice note: