22 July 2020
Paul Conaty is Principal Consultant with CWSI’s Strategic Enterprise Mobility consultancy and advisory services division, which provides strategic and tactical advice to clients in Ireland and globally on topics including security, regulatory compliance, governance, risk management, business transformation, and mobile technologies. Paul regularly speaks about mobile security topics at events in Ireland and is a member of the organising committee of the Irish Information Security Forum (IISF).
Covid-19 kick-started digital transformation from a two-year strategic goal to a two-week sprint. In the race to provide employees with the tools and technology to allow them to work from home, businesses prioritised productivity over security concerns. But the rapid pace of change put SMEs at a disadvantage.
Unlike large enterprises with big IT departments and dedicated security teams, few small businesses have the resources to plan for the kind of business interruption that resulted from Covid-19.
A different kind of virus threat.
Cybercriminals often use major global events as a trigger for campaigns because when people are preoccupied with other issues they are less likely to recognise suspicious activity and less wary of potential warning signs like emails or messages with unknown links.
The police agency Europol warned about an increase in cybercrime attacks during the pandemic. Between February and March 2020, as the virus was spreading worldwide, phishing emails relating to Covid-19 rose by 667%. These types of messages are designed to trick people into clicking on links that download malicious software. More than 30% of Irish workers say they had an online account compromised since they started working from home during Covid-19.
In a normal work setting, businesses can roll out standard computing devices with authorised apps, up-to-date software, and spam filters to catch fake emails before they ever reach people’s inboxes. But in an unmanaged setting, those protections aren’t always available.
Technology roll-outs usually need careful planning and time but both factors were absent with Covid-19. Many small companies rushed to buy off-the-shelf laptops for workers who needed them and asked them to connect to the internet using either their home broadband service or else tether from their smartphones. This meant there was more scope for misconfiguration or installing solutions incorrectly.
In other cases, where people used their home laptops for work, businesses had no way of knowing if those devices were running up-to-date operating systems and anti-malware software. All told, it opened companies to increased security risks, and there’s been no shortage of those lately.
Data security risks from personal devices.
Another change since Covid-19 is that people are using their mobiles far more than they ever did while working from home, whether for conference calls, tethering, or even scanning and uploading physical documents. And because the mobiles are more likely to be storing potentially sensitive work data, they’re a more valuable target for attackers. Even before the current crisis, we had already noticed a shift in attack types towards phishing victims through mobile messaging apps like WhatsApp or Facebook Messenger.
Another security risk in working from home is the workspace itself. Are employees making or taking calls that involve discussing sensitive information? Is there a possibility that others could hear the conversation, or see confidential data on the device screen?
Clear communication creates cybersecurity culture.
So what can businesses do to mitigate the risks? At a basic level, one of the most effective ways a company can understand how its people are working while remote is to ask them. It’s easy to assume that the only thing people are using their mobiles for is email – but it’s almost always wrong. They’re probably using WhatsApp if there’s no official organisational messaging tool, and they’re probably file sharing as well at least. Some people use their phone’s camera app as a scanner, but they might not realise that a photo of a company documents will automatically be saved to the phone maker’s cloud storage. If that’s located outside the EU, they may be unknowingly in breach of GDPR.
Staff surveys can really help to get an insight into actual security practices in the business. This is particularly important in SMEs, because in the absence of a dedicated resource, it helps to build a culture of ‘everyone is the security team’. By explaining the risks like having their passwords or credentials stolen, and explaining how the business is trying to manage the threat, it’s easier to get buy-in from everybody.
These conversations are invaluable for identifying possible risks. Getting the right tone and approach is vital. The trick is in phrasing the question: “what tools do you find useful?”, or “tell me about your working day?” It’s about communicating with people and letting them know that the company wants to enable them to do their job safely and securely.
When people are more aware of the security tools and what the business is trying to do, they’re more likely to report something suspicious rather than try and hide if they think they’ve made a mistake. If the company takes an authoritarian, heavy handed approach, staff will be far more likely to brush things under the carpet.
Mobile device management.
Once the business knows what devices and software its employees are using, and for what tasks, it’s easier to put in controls and tools to help improve security. The first step is to deploy a mobile device management tool that ensures the devices have up-to-date applications so they’re not at risk from vulnerabilities in older versions.
Another step is to enable multi-factor authentication for accessing services like productivity apps. This asks the user not only to input a password on their laptop but also to verify their identity through an authentication app on their phone. This feature is available for the Microsoft 365 tools and for Google’s G Suite, for example.
Some of these productivity tools have extra security features many people don’t realise are included, such as controls for managing online meetings, and data loss prevention that stops people from accidentally copying confidential information.
With increased mobile use during the work from home phase, it’s also worth considering a mobile threat defence product that’s specifically geared to mobiles for SME customers. A tool like 3 Mobile Data Management and Security lets businesses set caps on non-business use or apply usage policies that are tailored to the needs of different groups of staff. It guards against known malware, can detect suspicious or unusual activity on the device, and also protects against security weaknesses in Wi-Fi connections the device it’s using. These are available to small businesses on a monthly subscription model so there’s no need for a sizeable upfront investment.
Security for the new normal.
Even as the restrictions are easing and businesses reopen, things are not going to go back to normal any time soon. The official advice is still to work from home where possible. Beyond that, remote working is here to stay in some form for most businesses.
So as we move from the ‘digital transformation’ stage to a consolidation phase, it’s not too late to put in place security processes that will endure long past lockdown. We’ve had a few months to get used to this new situation. Now, most businesses can now start looking at the investments and upgrades they’ve made in that time and integrate them in a way that ensures security is built into the new way of working.
Our recently launched business mobile security and usage control solution, 3Mobile Protect; is simple to set up and helps users to stay on the right track. Find out more here.