Malaysia is slowly opening up its economy by easing quarantine protocols across the country. This has allowed a good number of sectors to restart operations. However, the government still encourages employers to continue implementing health and safety measures such as physical distancing, lessening the need for travel, and the implementation of a work-from-home (WFH) set-up.
Working from home or telecommuting is not a new concept among Philippine enterprises. In fact, President Rodrigo Duterte already signed the “Telecommuting Act”, also known as the “Work-from-Home Law”, last December 2018. According to the law, employees in the private sector may be allowed to work from an alternative workplace with the use of telecommunication and/or computer technologies. With the current situation causing heightened concern for employee well-being, we are now seeing more local businesses adopting this alternative work set-up.
WFH will likely have a long-term impact on the way people work and collaborate even after the pandemic because of its many benefits. It helps in reducing not only traffic congestion but also the environmental impact of having too many vehicles on the roads. It has enabled businesses to maintain lower running costs, with some moving to smaller spaces to accommodate the few office-bound people. WFH also provides greater flexibility for workers.
Of course, WFH does have some drawbacks such as technical challenges, particularly in the area of online security. This is a critical concern for businesses now pursuing a WFH model. While large enterprises have in-house security experts and policies to help ensure security remains top-notch, SMEs and their employees may need some help. With more businesses adopting the cloud, users have to be extra vigilant in protecting data and know what to do when faced with suspicious activity meant to steal their information.
Here are some steps SMEs can take to ensure that their business-critical information is kept secure even while implementing the WFH setup:
Use a VPN
Requiring a Virtual Private Network (VPN) to access company resources is usually a good idea. While most enterprises already have a VPN for their employees, most SMEs, even those with cloud applications and resources, need to secure their cloud resources behind a VPN. A VPN eliminates several attack vectors, for example, from a home gateway going rogue. SMEs should look for a VPN gateway that can be configured to enable SSL-VPN access to Virtual Private Cloud (VPC) from Windows, Mac and Unix terminals (computers from home).
Use “real” two-factor authentication
To ensure really robust security, every online service log in accessed by staff working from home should be secured with two-factor authentication (2FA). This protection should include email, cloud storage, social media and any other online asset. Most people know 2FA as a passcode sent as a text message. Knowing that SIM cards can be swapped and fall into the hands of a fraudster who could receive the text message authorisation, many services now offer a stronger version of 2FA. This is called one-time password (OTP).
OTP-enabled online services typically use a time synchronisation version of OTP where a mobile app continuously generates OTP codes that need to be entered to log in to an online service. Overcoming mobile app-based OTP protection usually requires physical access to the device, which is impossible for fraudsters in most cases.
Before COVID-19, some SMEs disabled electronic wires and decided to do infrequent bank wires from the bank itself, in person, to eliminate fraud. With stay-at-home policies now in place, this may not be an option for SMEs anymore. Many banks now offer OTP cards or digital tokens that generate code sequences, with each wire containing a separate code. This will guarantee that the wires will not be sent by fraudsters to their accounts (in fact, one of my friends fell victim to wire fraud due to a SIM card swap, causing him to be wired out of his account). Even if the bank charges for this OTP card service, it’s still less costly than dealing with fraud consequences.
Run updates frequently
All home electronic devices should be maintained in an updated firmware state and all security patches need to be applied quickly. Many IoT devices such as home cameras, routers and smart appliances present easy targets for hackers. Many inexpensive devices purchased several years ago no longer receive firmware updates from manufacturers that have switched their resources to support newer releases. Such IoT devices should be discarded through a proper and responsible recycling method. Routers, in particular, present a serious potential threat as hackers can control the traffic going through the routers and implement various strategies to attack home users. DNS hijacking, for example, redirects users attempting to go to banking websites to phishing destinations that look exactly like the attacked bank’s log in page. Updated firmware, therefore, can significantly limit the success of such cybersecurity threats.
Be skeptical with every URL you click
Phishing in general has increased since everyone started staying at home. Users need to be extra careful when clicking on links in emails and social media messages. Without the option to approach the sender of the link in person to verify its authenticity, users may fall victim to fraudsters pretending that the email is coming from another employee. The fraudster may then ask for a wire transfer or ask users to open an attached invoice where the attachment is a malware. This type of phishing is called “whaling phishing”.
The most important requests should always be verified by an independent communication channel such as a phone call. While technical protections are important, social engineering attacks are as popular as ever, with humans still being the weakest link. Hackers often trick users into downloading software with embedded malware. Crafty attacks can ask employees to download malware camouflaged or embedded as teleconferencing software or a game. Users then should never execute updates and downloads from links sent through emails or pop-ups, but instead download any updates or new installs from official locations or online app stores.
Protect your video conferences
With most team meetings now happening through video conferences, it is important to employ passwords to limit the conference to only the intended audience. This will protect businesses against fraudsters eavesdropping on corporate meetings. A passcode can be used for connecting from both a computer and a phone. It’s a minor inconvenience but a worthwhile one for ensuring the privacy of the team’s meeting.
When WFH becomes the new normal for many companies – including SMEs – it is important that users always stay cautious in the digital realm by doing the simple things: set up and update passwords on a regular basis, update firmware and always go to an official site for new installs. It is our responsibility to stay alert as we, large enterprises and SMEs, collectively adapt to the new normal in the post-pandemic world.
-- BERNAMA
Yuriy Yuzifovich is Head of Security Innovation Labs of Alibaba Cloud.