Keeping your small business cyber fit while working remotely during an emergency
Lately the news has been consumed by information on the Coronavirus, which is spreading and affecting countries worldwide, including Australia. Advice has centred around health and safety, and rightly so; however, we know that businesses need to continue operating during this time. We’ve heard of countries closing offices and schools, resulting in many teams having to work from home. It’s just a matter of time before this happens in Australia.
We hope to see as many small businesses as possible prepare for this by walking through some common security considerations associated with moving your team to a remote or working from home arrangement.
“The difference between this emergency situation and other remote working situations is that it’s for an extended and unknown period of time.”
To help avoid a bad day, we’re sharing some of the concerns we’ve been working through in our own small business and sharing with our small business Cyber Fitness members. You may already be thinking about some of these, but there are likely suggestions that will be new to you.
If you haven’t already, you should consider discussing these things with your team and coming up with a plan to ensure you all stay safe and secure while working remotely.
Secure access to your office systems
We know every business is different. Some heavily rely on face-to-face meetings, delivery of goods or accessing documents and technologies in a specific location.
Think about the day-to-day processes and interactions in your business. What requires physical access to something and what are your alternatives?
If your business relies heavily on client-facing meetings, you might look to re-prioritise work for the coming weeks or months of isolation. If you can’t afford to miss meetings you might be able to use virtual meeting solutions such as Google Hangouts, Microsoft Teams/Skype or Zoom.
If you need physical access to documents or systems, now would be a good time to start exploring cloud-based services or VPN solutions that can give you and your team access from wherever you find yourselves.
Protect the information and equipment in your office
Offices are emptying out as businesses move their workforce to self-isolation at home for a few weeks or months. If you need to do the same in your business, think about what you are leaving behind and whether it will be of value to someone.
If there’s information or equipment of value, consider ways to secure them or store them safely temporarily while the office is unoccupied.
Consider, too, the message you communicate about the status of your office, and whether it might invite an unwelcome visitor.
“Our office will be closed for the next 6 weeks with no one available to take your call. Please feel free to come and take our client records and servers anytime...”
Take care when communicating with customers and your team
You could have a bad day if someone is able to impersonate you online. One way to avoid this is to be clear upfront with your team and customers about how you will be communicating with them during this disruptive time.
“Hi there 👋
We’re emailing all our customers from our new account to let them know that due to the Coronavirus, we would like you to make all future transfers to our new Bank of Fiji account.
Thanks in advance”
How will you communicate with your team if they’re not in the office? Will you use email, SMS, Slack, WhatsApp?
If your customers expect emails from you asking them to do something, how will they verify an email has come from you if your office is unattended?
How hard is it for someone to impersonate you over email or through another platform?
The advice we provide to members of our Cyber Fitness Platform on protecting their email is a great starting point for thinking about these issues.
Keep an eye out for more scams and ‘fake news’
We’re going to depend more and more on what the news is telling us and on government advice about what we need to do during this time. This, unfortunately, gives fraudsters the opportunity to mislead people into inadvertently giving up sensitive information like passwords, clicking on a dodgy link or opening a dangerous attachment. We’re already seeing an increase in fake ‘coronavirus maps’ which can infect computers and steal passwords.
“Please click here to download the list of people infected with the Coronavirus virus”
☝️This is from an actual email!
Have a think about which resources and news feeds you will trust for accurate, reliable and up-to-date information. At Cynch we’re closely monitoring information shared by the Australian Department of Health and the Victorian Department of Health and Human Services.
Protect yourself when browsing the web by installing an ad blocker and using DNS filtering.
If something doesn’t seem quite right, pause, question it and contact someone like Scamwatch to verify what you’re seeing is real.
Prepare for Internet and Cloud service disruptions
As more people move to remote working and communications-type services such as WhatsApp, Zoom and Skype, there is a good chance that accessing these services will start to slow down as more people choke the network.
If your team are going to be using their personal internet connection to do their work, you might also find them running out of mobile data, having no network available or having difficulties accessing the things they need.
“Sorry, I can’t take your call for a while, I don’t have any more data on my phone.”
Check your current telco plans to make sure you don’t get throttled at a critical time.
Having some alternative solutions in mind ahead of time could actually save you time. If you use Zoom and this gets slow, what’s your alternative?
If you haven’t tested how things like your office VPN work when everyone starts using them, you might want to have that checked out.
Make sure you’re connecting from a secure network
Connecting the laptops or mobile devices used by your team for work to a home network introduces risks you need to consider. Keep in mind that you are connecting devices containing potentially confidential work information to a possibly ‘dirty’ or insecure network. If a device at home has something dangerous running on it (like malware), this could potentially infect other devices on the same network.
Have you and your team members checked your router settings to make sure that default passwords have been reset and firmware updated?
Have you ensured that family laptops, devices and IoT devices are appropriately protected with updated software?
Have you enabled a password/pin/biometric on all your devices so curious children who will also be in isolation with you don’t accidentally send an email to a client?
These are just some of the things you need to consider. We’ll be sharing more information about how to do this over the coming days.
Unfortunately, there’s also a risk of criminals creating fake Wi-Fi (using something called a ‘Wi-Fi Pineapple’ 🍍) or a fake mobile tower (using something called a ‘StingRay’), hoping that an innocent remote worker will accidentally connect to them.
The risk here is that you could inadvertently connect to one of these insecure networks and unwittingly share information about your business or passwords as a result of something called a ‘person-in-the-middle’ attack.
Think about the type of information you work with day-to-day, what you do with it and how you would feel if it got into the wrong hands.
If the data is sensitive, and the thought of it getting into the hands of someone makes you uncomfortable, you might want to enable a mobile VPN before doing anything online.
This is also a good opportunity to check your device’s Wi-Fi settings to see whether it is set to ask to join or to join Wi-Fi networks automatically, and to disable automatic joining.
Keep control of sensitive data at home
Due to the length of time we might be in isolation and working from home, your team might introduce some creative processes and work-arounds, such as taking home or printing confidential documents that they normally wouldn’t. This increases the risk of someone inadvertently losing or throwing out sensitive information which they no longer require.
“I don’t need this client document anymore, I’ll just chuck it in the bin”
Another possible scenario involves someone emailing documents to their personal email so they can access them from home as they rush out of the office.
Do you have a clear policy and guidelines on information classification and document handling that your team can reference? Have you provided them with a secure way of managing documents that’s just as fast and easy?
Have you looked into turning on logging for critical systems and applications so you know who is accessing sensitive data?
Are you checking logs in case your team are doing abnormal or risky things?
When something has gone wrong, it's important to figure out what happened and the extent of the issue.
Things can get a bit hairy when we’re all worrying about the health of those around us and dealing with the unpredictability of an emergency. There’s a risk that someone might see this as an opportunity to break into your home and steal something valuable. Letting your team know ahead of time what you want them to do if your business’ information or devices are lost will help you stay on the front foot.
We can’t always predict what will happen, but having a high-level response plan in place for when things go wrong is worth the effort.
If you haven’t already, put together an incident response plan for your business.
Check if all of your staff have a printed copy of your incident response plan.
Keep a list of emergency contact numbers somewhere safe.
A good business leader helps their company stay calm and navigate through whatever comes their way. Remember that every business is unique and will have different concerns and risks that need to be managed. At Cynch Security, we help businesses figure out what the most important things to address are and provide guidance on how to achieve this in 5 minutes or less at a time.
Get help with everything discussed here and much more in the Cynch Cyber Fitness Platform.
We genuinely hope you and your team stay safe over the coming weeks.
Please contact us by sending an email to hello@cynch.com.au if we can help your business in any way.