Working from home and telecommuting are not new among Philippine enterprises. The Telecommuting Act, signed by Pres Rodrigo Duterte in December 2018, allows companies, including those in the private sector, to work from an alternative workplace using telecom technologies and services.
Amid the continuous rise in Covid-19 cases and medical organizations and facilities admitting exceeding capacity or nearing capacity, the government reiterates the need for health and safety measures, including the continuous implementation of a work-from-home (WFH) setup for businesses.
While some companies have no choice but to have their staff work in the premises, many companies are adopting a WFH approach, with some planning to continue doing so till the end of this year, if not till early in 2021.
WFH will likely have a long-term impact on the way people work and collaborate even after the pandemic because of its many benefits. It helps in reducing not only traffic congestion but also the environmental impact of having too many vehicles on the roads. It has enabled businesses to maintain lower running costs, with some moving to smaller spaces to accommodate the few office-bound people. WFH also provides greater flexibility for workers.
Of course, WFH does have some drawbacks such as technical challenges, particularly in the area of online security. This is a critical concern for businesses now pursuing a WFH model.
While large enterprises have in-house security experts and policies to help ensure security remains top-notch, SMEs and their employees may need some help. With more businesses adopting the cloud, users have to be extra vigilant in protecting data and know what to do when faced with suspicious activity meant to steal their information.
Here are some steps SMEs can take to ensure that their business-critical information are kept secure even while implementing the WFH setup:
- Use a VPN — Requiring a Virtual Private Network (VPN) to access company resources is usually a good idea. While most enterprises already have a VPN for their employees, most SMEs, even those with cloud applications and resources, need to secure their cloud resources behind a VPN. A VPN eliminates several attack vectors, for example, from a home gateway going rogue. SMEs should look for a VPN gateway that can be configured to enable SSL-VPN access to Virtual Private Cloud (VPC) from Windows, Mac and Unix terminals (computers from home).
- Use stronger two-factor authentication — To ensure really robust security, every online service log in accessed by staff working from home should be secured with two-factor authentication (2FA). This protection should include email, cloud storage, social media and any other online asset. Most people know 2FA as a passcode sent as a text message. Knowing that SIM cards can be swapped and fall into the hands of a fraudster who could receive the text message authorization, many services now offer a stronger version of 2FA. This is called one-time password (OTP). OTP-enabled online services typically use a time synchronization version of OTP where a mobile app continuously generates OTP codes that need to be entered to log in to an online service.
Overcoming mobile app-based OTP protection usually requires physical access to the device, which is impossible for fraudsters in most cases. Before Covid-19, some SMEs disabled electronic wires and decided to do infrequent bank wires from the bank itself, in person, to eliminate fraud. With stay-at-home policies now in place, this may not be an option for SMEs anymore. Many banks now offer OTP cards or digital tokens that generate code sequences, with each wire containing a separate code. This will guarantee that the wires will not be sent by fraudsters to their accounts (in fact, one of my friends fell victim to wire fraud due to a SIM card swap, causing him to be wired out of his account). Even if the bank charges for this OTP card service, it’s still less costly than dealing with fraud consequences. In instances, however, where an OTP option is not available, a text message-based 2FA is a better security measure than none at all.
- Run updates frequently — All home electronic devices should be maintained in an updated firmware state and all security patches need to be applied quickly. Many IoT devices such as home cameras, routers and smart appliances present easy targets for hackers. Many inexpensive devices purchased several years ago no longer receive firmware updates from manufacturers that have switched their resources to support newer releases.
Such IoT devices should be discarded through a proper and responsible recycling method. Routers, in particular, present a serious potential threat as hackers can control the traffic going through the routers and implement various strategies to attack home users. DNS hijacking, for example, redirects users attempting to go to banking websites to phishing destinations that look exactly like the attacked bank’s log in page. Updated firmware, therefore, can significantly limit the success of such cybersecurity threats.
- Be skeptical with every URL you click — Phishing in general has increased since everyone started staying at home. Users need to be extra careful when clicking on links in emails and social media messages. Without the option to approach the sender of the link in person to verify its authenticity, users may fall victim to fraudsters pretending that the email is coming from another employee. The fraudster may then ask for a wire transfer or ask users to open an attached invoice where the attachment is a malware. This type of phishing is called “whaling phishing.”
The most important requests should always be verified by an independent communication channel such as a phone call. While technical protections are important, social engineering attacks are as popular as ever, with humans still being the weakest link. Hackers often trick users into downloading software with embedded malware. Crafty attacks can ask employees to download malware camouflaged or embedded as a teleconferencing software or a game. Users then should never execute updates and downloads from links sent through emails or pop-ups but instead download any updates or new installs from official locations or online app stores.
- Protect your videoconferences — With most team meetings now happening through videoconferences, it is important to use passwords to limit the conference to only the intended audience. This will protect businesses against fraudsters eavesdropping on corporate meetings. A passcode can be used for connecting from both a computer and a phone. It’s a minor inconvenience but a worthwhile one for ensuring the privacy of the team’s meeting.
When WFH becomes the new normal for many companies – including SMEs – it is important that users always stay cautious in the digital realm by doing the simple things: set up and update passwords on a regular basis, update firmware and always go to an official site for new installs. It is our responsibility to stay alert as we, large enterprises and SMEs, collectively adapt to the new normal in the post-pandemic world.
The author is the head of security innovation labs at Alibaba Cloud