This post is going to look at three ways in which a firm’s digital risk might increase, with tips on how to mitigate this risk.
In Spain’s current lockdown all movement has to be pared down to the bone. Major firms already have processes and technology in place to deal with this problem, but firms that need the daily on-the-spot presence of their workers are not always able to change their working methods overnight. Working with a skeleton team may be the best way of cutting down the risks while the lockdown remains in force. For firms where teleworking is feasible, however, some simple security measures might help to reduce their digital risk:
- Make sure any device being used outside the office can be tracked down and deactivated remotely in the event of loss or theft.
- Any device, including memory cards and pen drives, used for “taking work home” must be encrypted to prevent important company information from falling into the wrong hands. Ideally, the whole hard disk of any laptop leaving the office should be encrypted too.
- Use remote access systems like VPN and virtual desktop infrastructure (VDI) to prevent third parties looking over your shoulder.
2. Prevent phishing attacks
If the entire workforce is teleworking, email use will soar. Wrongdoers are well aware of this, making email an obvious target for phishing attacks.
Once more, however, a series of security measures can reduce this risk:
- Tell all staff to treat suspicious emails with caution, especially those that ostensibly come from banks or those asking for personal passwords. All links have to be carefully checked before being clicked on. It is also important to compare information received with earlier information from the same ostensible source.
- Ensure financial transactions are properly authorized, ideally by more than one person. Additional steps may be tagged on, such as calling suppliers to check the message is bona fide or shelving automatic payments.
- Encourage employees to report anything that looks suspicious and to share information on confirmed phishing attacks with their colleagues to raise awareness of the matter.
3. Application access management
If it is necessary to set up remote application access, the use of a VPN and VDIs could boost security, especially in the case of applications accessible only from the office. Drawing up a plan and a clear policy of need-to-know access management will lead to a better understanding of the measures that have to be brought in. Many business applications have secure access tools enabled, and these should be used in situations like this lockdown.
- Enable multi-step authentication. If SMS is trusted as an authentication method, then the best idea is to use a company telephone number. If possible, use access restriction by IP; this allows lists of approved IPs or IP ranges to be drawn up, from which employees have to access the company domain.
- Implement a password manager to prevent passwords being saved or shared by email or via other applications.
- If the decision is taken to continue carrying out projects during the lockdown, then all due efforts must be made to ensure remote server access is restricted and secure. Don’t use real data in any cloud development environment. If possible, have the system checked by an external service provider specializing in pentesting, asking them to audit it and pinpoint any vulnerabilities, so that these can be corrected and complete system security guaranteed.
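The access restriction by IP mentioned in the list above, sketched as an added example that is not part of the original post. The ranges are constructed documentation addresses and the function names are hypothetical; the check fails closed on malformed input and unwraps IPv4-mapped IPv6 addresses, two cases that commonly break hand-written allow lists.

```python
import ipaddress

# Constructed sample ranges (reserved documentation blocks), standing in for
# the office egress range, one VPN gateway and an IPv6 prefix.
ALLOWED_RANGES = ["203.0.113.0/24", "198.51.100.17/32", "2001:db8:42::/48"]


def build_allowlist(ranges):
    """Parse CIDR strings once. strict=True rejects entries with host bits
    set (e.g. 203.0.113.5/24), which usually indicate a typing mistake."""
    return [ipaddress.ip_network(r, strict=True) for r in ranges]


def normalize(raw):
    """Return an address object, or None if the value is not a single IP."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except (ValueError, AttributeError):
        return None
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d; unwrap them
    # so they are compared against the IPv4 ranges.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed(raw, allowlist):
    """True only if raw is one valid address inside an approved range."""
    addr = normalize(raw)
    if addr is None:
        return False  # fail closed: unparseable input is never trusted
    return any(addr.version == net.version and addr in net for net in allowlist)


ALLOWLIST = build_allowlist(ALLOWED_RANGES)

if __name__ == "__main__":
    # Constructed sample source addresses, as a login front end might see them.
    samples = ["203.0.113.77", "::ffff:203.0.113.77", "198.51.100.18",
               "2001:db8:42:1::5", "203.0.113.5, 10.0.0.1"]
    for source in samples:
        print(f"{source!r:32} {'allow' if is_allowed(source, ALLOWLIST) else 'deny'}")
```

The value passed in should be the peer address of the connection as seen by the company's own gateway or proxy, not a header the client can set.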
Reducing digital risk at all times is simply good business
Even firms with the very best security systems and processes are vulnerable to attacks. For example, attacks on companies with loyalty cards may be triggered by the theft of unrelated credentials. When the credential theft involves company email addresses the challenge is even stiffer, especially if the companies are providing remote access to applications for the first time.
Early detection of vulnerabilities in stolen credentials means your business will be better prepared for taking proactive measures. There are many damage-limitation measures that can be taken; the sooner these measures are taken, the quicker risks and their aftermath will be reduced.
Author: Marcelino Pérez Zamarrón
The author’s views are entirely his own and may not reflect the views of GMV