IET India cybersecurity advisory: security practices for remote working
1 like464 views
This advisory note from the Institution of Engineering and Technology (IET) outlines cybersecurity best practices for employees and organizations working remotely during the COVID-19 pandemic. It emphasizes the need for timely data backup, access control policies, and enhanced security measures for personal devices while warning against phishing scams and the necessity of regular software updates. The document aims to provide guidance to mitigate cyber risks amid the heightened remote working environment.
IET India cybersecurity advisory: security practices for remote working
- 1. India Advisory Notes Remote working in the times of a pandemic Security practices: For employees and organisations
- 2. 2 | P a g e About us The IET is one of the world’s largest professional societies for engineers, headquartered in the UK. Soon to turn 150 years, the IET works closely with industry, academia and government in its mission to engineer a better world. In line with this, the IET also has specific global initiatives around key sectors that are relevant to solving problems that impact the society at large. In India, the IET has over 13,000 members and has wide ranging activities in alignment with the overall global IET strategy that also includes sector focus in areas such as Future technologies. Future of Mobility and Transport, as well as the Future of Work. Eminent engineers like Shri Ratan Tata, Former Chairman Tata Sons, N R Narayana Murthy, Chairman Emeritus, Infosys and T V Ramachandran, President, Broadband India Forum (Ex-Resident Director, Vodafone) are Honorary Fellows of the IET. With our members, we are driving innovation and change in the fields of engineering and technology. We research, investigate, review and analyse the industry’s challenges, proposing solutions that will have a significant impact on the world for years to come. This advisory note is part of a series, put together by the IET’s expert volunteers in India in the backdrop of the global pandemic brought about by Covid-19. In this paper, experts from our Cybersecurity Working group detail how employees and organisations should conduct themselves while working remotely. Read more about our Future Technology focus as well as our panels here: https://india.theiet.org/innovation-knowledge/. To become a volunteer and to contribute, please write to us at sectors@theiet.in Disclaimers This document is owned and maintained by the Institution of Engineering and Technology, India and the design of the document is © IET India 2020. The information contained in this document should not be interpreted as a representation of the views of the IET, nor should it be assumed that it reflects any of its current or future policy. The information cannot supersede any statutory or contractual requirements or liabilities and is offered without prejudice. While the authors, publisher and contributors believe that the information and guidance given in this work are correct, all parties must rely upon their own skill and judgement while making use of them. Neither the authors nor the publishers assume any liability to anyone for any loss or damage caused by an error or omission in the work, as a result of negligence or any other cause.
- 3. 3 | P a g e Introduction We are living in a heightened time of cyber risk. Organisations are still operational by allowing their employees to work from home. Cybercriminals have started taking advantage of public fear to generate coronavirus themed phishing attacks. We should be aware of COVID-19 tagged emails with misleading links or attachments. The IET’s Cybersecurity working group has put together some best practices to be followed at this crucial time to safeguard employees and as well as organisations that are navigating the new order of remote working. 24x7 uptime and connectivity Due to the current situation, companies and schools have planned for distance learning and work-from-home setups. Though employees have started using the work-from-home options, are the industries belonging to various sectors, including PSUs and private companies prepared for this heavy influx of remote workers? Organisations should conduct an exercise with their senior leadership teams and business unit heads to list their critical business applications that will be accessed the most by the employees. For cloud applications. Technology heads will have to work with cloud service providers and get a hang about their business continuity plans. Employers should ensure, by testing and validating the proper VPN connectivity for higher utilisation than usual. For enterprises with high-cloud reliance (e.g., an extension of capacity, native cloud systems), select cloud provider who has point-of- presence in the geography where majority of the employees are present and provide network path redundancy. Timely backup One crucial element in these times, more important than ever, is data backup. In these times of the pandemic, employees from various operational units are using their laptops, desktops, etc. In most of the cases, they either save their documents locally on to these systems (for example, as a PDF file or MS office document) in an unencrypted format. This is an issue, from a legal and compliance perspective. In case of a cyberattack, they may also lose their data. Therefore, employees who are working remotely, should back their data up in a timely manner to remain unaffected in case of a cyberattack where they may compromise their valuable data. Access Control Policy Financial services organisations, in a bid for business continuity to clients, may have to provide right of access to employees via remote access. Usual practices like password protection or data encryption may no longer suffice to counter smart data theft. Hence, access control policies should be implemented and updated at various entry points of the organisation. Also, the organisation can contain a potential attacker’s path to crucial data and assets by limiting user access and privileges to the information and tools needed for the employees to perform their immediate role.
- 4. 4 | P a g e Enhance the security of BYOD Employees working from home for the first time will potentially use desktop computers, laptops, tablets, and smartphones that are not protected to the same level as workplace devices. They should consider using additional risk reduction measures like document and file encryption, VPNs, regular scanning, and other best practices to lower the potential for business intellectual property or financial theft. Employees should secure home Wi-Fi by selecting the most reliable security protocol, changing the Wi-Fi password often, and use MAC filtering, which can be done by logging into the router as admin. Beware of phishing scams and other targeted attacks Recently, cases where attackers leveraging coronavirus-themed cyberattacks and phishing emails masked as sensationalised Covid-19 news or charity pleas have been on the rise. Fake applications like Corona live 1.1 have also been reported. Malware attackers are targeting masses using custom and unique remote-access trojan attacks that steal user information. Employees must consciously maintain security best practices while browsing the web. They should be more cautious about visiting sites while in session with the enterprise web site. Concerned departments and ministries should spread public awareness about these kinds of attacks to save people from being compromised at this crucial time. Enterprises can keep communicating employees through awareness campaign that reminds them of various social engineering attacks. Regular Software Update One of the main issues with most of the organisations operating in these crucial times both PSUs and private enterprises is that they use legacy systems, proprietary software, and software that may not be have been patched. Hence, enterprises need to update their software regularly to keep employees protected in such times, failing which, they will have to battle unproductivity and negative experiences of employees. Enterprises must be on top of threat intelligence and push patches at the earliest while employees must update with the latest patches of the base platform software being used. Conclusion We are currently in what can be called the largest remote working experiment in the history of mankind. Both organisations and employees are learning to work in this new world of work and figuring out the best ways to keep their data safe while minimising disruption and delivering outputs. The lockdown has brought to fore, the need for IT teams to be more vigilant, effective and frequent communications with business leaders and their IT teams and seamless communication with the staff team to ensure compliance.
- 5. 5 | P a g e
- 6. 6 | P a g e Contributors Anand Handa Member – IET Cyber Security Working Group Project Executive Officer, Interdisciplinary Centre for Cyber Security and Cyber Defence of Critical Infrastructures, Department of Computer Science and Engineering, Indian Institute of Technology, Kanpur Arnab Chattopadhyay Member – IET Cyber Security Working Group Associate Director, IBM Advisor Arvind Tiwary Chairperson – IET Cyber Security Working Group Chair, TiE IoT Forum If you have a question or query, please feel free to reach out to us at sectors@theiet.in. Read more about our work at india.theiet.org