Millions of people around the world are working from home, many of them for the first time, as more and more countries go into lockdown over COVID-19. But as remote working increases, so too does the security risk to sensitive data, systems and networks.
Many home networks lack security measures such as antivirus software, customized firewalls and online backup tools. This increases the risk of malware finding its way onto devices and, from there, into corporate infrastructure.
Cyber criminals are already preying on people’s concerns about the spread of COVID-19. Organizations as diverse as the WHO and the FBI have issued warnings and tips in recent days about a spate of phishing emails claiming to be from health officials.
Many of these attacks rely on the mistakes and carelessness of those they target. That’s why the least affected organizations are likely to be those with a strong cyber security culture, where all staff play a clearly defined part in protecting critical data and networks.
In one scam, emails pretending to be from the director of the WHO encourage recipients to click on a link in order to access essential information about COVID-19. In another, fake apps, once downloaded, enable criminals to spy on victims through phone cameras and microphones, as well as to read text messages.
There is a lot of good advice online about the cyber security measures that need to be taken to protect staff and corporate assets. For example, the guidance "Cyber security is essential when preparing for COVID-19" comes from the Australian authorities.
At the very least, organizations should be reminding staff to stay vigilant and to avoid opening or clicking on anything that looks suspicious. Preferably, such reminders should be part of an ongoing cyber security communication strategy that regularly reminds employees about basic precautions and security policies, as recommended in ISO/IEC 27001.
This standard advises giving all employees awareness education and training about their organization’s information security management policy. The ISMS requirements described in ISO/IEC 27001 define a cyber risk management-based approach to managing people, processes, services and technology.
Using ISO/IEC 27001 helps organizations to manage their information security risks, including threats, vulnerabilities and impacts, and to design controls that protect the confidentiality, integrity and availability of data and regulate access to critical information systems and networks. It also emphasizes that the ISO/IEC 27001 risk management process must take account of legal, regulatory and contractual requirements.