With more work being done from home during the pandemic, the risk of security incidents has increased. Companies should aim for the highest level of IT security, especially if they want to keep decentralized working in the long term and see it as part of their new normal. We talked to IT security experts from our Cyber Defense Operation Center (CDOC) about prominent cybersecurity mistakes in everyday business and the need for a strategic approach to increase IT resilience:
Cybersecurity in Everyday Business: Why is it often so difficult?
We posed this question to our IT security experts who deal with monitoring and defending against cyber attacks on a daily basis at the Cyber Defense Operation Center, in short CDOC, and advise companies in a wide range of industries on security issues. In their opinion, cybersecurity is a sore point in everyday business because in many places professional IT risk management is not yet being pursued. Digital security is less visible than physical security, which means that many companies still have some catching up to do regarding this important area. Decision-makers are faced with the task of spreading information security across the company and equipping employees with the necessary knowledge. This is also important because lots of confidential data and company secrets, which used to be stored physically in a safe, for example, have now been digitized and require new protection.
In addition, it is a challenge for many companies to provide their employees with a technically secure environment for mobile working. With employees working from home, it is much harder to see how they handle cyber security and whether they are actually complying with the applicable IT security guidelines. This means that serious errors can occur in everyday business, increasing the attack surface and enabling unauthorized access to company-critical assets. That is why IT security should be strategically planned and consistently implemented by management as part of a risk management process. This implies involving all employees, training them and convincing them of the importance of IT security for the sustainable success of the company.
Cyber risks: Six mistakes to avoid in everyday business
In order to move business issues forward as quickly and efficiently as possible, employees sometimes resort to tools that are not sufficiently secure or handle confidential data carelessly out of ignorance. Our IT security experts have compiled a list of prominent mistakes made by companies in their day-to-day business. These can be traced back to a lack of IT risk assessment as well as a lack of IT security measures by companies:
1. Opening phishing emails without thinking
Quickly skimming new emails between appointments, carelessly clicking a malicious link and revealing confidential data: phishing, i.e. fishing for sensitive information, is a popular hacker method that thousands of employees have already fallen for. The consequences are serious: if the mistake leads to a cyber attack, it is not uncommon for damage to run into millions, not to mention the reputational damage resulting from compliance violations. At the same time, the methods used by fraudsters are becoming increasingly cunning. Whereas phishing emails used to be easy to spot because of grammatical errors or mistranslations, today's cybercriminals use spear phishing to target individual employees or small groups of employees.
Solution: Increase security awareness
Companies should conduct ongoing security awareness training to educate the entire workforce about common hacking methods such as phishing. This prepares even tech-shy employees for human-based attacks and enables them to defend against them. Security awareness training is also important because it is a requirement of current ISO standards and an important basis for seeking security certifications.
2. Passing on company information via telephone (vishing)
Alongside fake emails, SMS and messages via social channels, fraud attempts via voice calls (vishing) pose a real threat to corporate IT security. The term vishing combines "voice" and "phishing" and describes attempts by cybercriminals to steal confidential information over the phone. To do this, they approach employees on an emotional level and put them under massive pressure. Although the method is reminiscent of classic con tricks, the execution is contemporary: among other things, new technologies such as automatic voice simulation are used.
If, for example, a caller claiming to be a bank employee asks for non-public information on the phone, it should not be disclosed under any circumstances. Attackers can monetize such data by selling it or by redirecting financial transactions.
Solution: Targeted IT security training to defend against vishing
As with phishing and other social engineering tactics, IT security training builds employee awareness of vishing. Mistrust is better than naivety: if it is unclear who the person on the phone is and whether sensitive data may be passed on to them, it is important to take precautions and report any anomalies to the internal IT security expert. Any callback should be made to a central telephone number that has been looked up independently, never to a number provided by the caller, because criminal hackers can spoof the telephone number a call appears to come from.
3. Unsecured access to the company network
If employees access information such as business and customer data, design plans or invoices from outside the company, this should always be done via a secure server connection. If employees’ Internet traffic is inadequately protected, it is easy for professional hackers to penetrate the corporate network, read communications, and steal or modify sensitive data. In the event of such data theft, companies are in breach of the General Data Protection Regulation, which means that penalties may also be imposed.
Solution: Secure data traffic via VPN
Using a virtual private network, or VPN for short, companies ensure that their employees connect securely from home to the company network and that their Internet traffic is encrypted. This prevents sensitive data from being read or modified in transit. To ensure that employees consistently use this access, IT should roll out the VPN across the board and configure every company computer to establish the secure connection automatically at start-up. This gives employees a secure, worry-free setup for their work and lets them focus on their core tasks regardless of location.
4. Sending unencrypted e-mails and confidential documents
If e-mails to colleagues or customers are sent unencrypted and the confidential documents they contain carry no digital signature, there is a risk that invoices, for example, will be intercepted, edited and forwarded in altered form. Cybercriminals can swap the account details in such files, divert payments and defraud companies of hundreds of thousands of euros. This works because the altered files appear to come from the affected company's own e-mail addresses, which, like the telephone numbers mentioned above, can be spoofed if no security precautions are taken. As a result, the fraud is usually only noticed once the damage has been done.
Solution: E-mail encryption and introduction of digital signatures
E-mail encryption should be managed centrally: companies thus ensure that the information they send remains confidential and that e-mails can actually only be read by the intended sender and recipient.
By introducing digital signatures, companies protect themselves further: comparable to a conventional seal, this technology confirms the identity of the communication partners as well as the integrity of the content.
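To make the integrity and identity guarantees concrete, here is an added example (not code from the article or from DGC) that plays through the invoice scenario above with Ed25519 from Go's standard library as a stand-in for certificate-based e-mail signatures; the invoice text and IBAN are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedDocument carries content plus a detached signature, like a signed attachment.
type SignedDocument struct {
	Content   []byte
	Signature []byte
}

// Sign creates a signature over the content with the sender's private key.
func Sign(priv ed25519.PrivateKey, content []byte) SignedDocument {
	return SignedDocument{Content: content, Signature: ed25519.Sign(priv, content)}
}

// Verify checks the signature with the sender's public key; it fails when the
// content was altered and when a different key produced the signature.
func Verify(pub ed25519.PublicKey, doc SignedDocument) bool {
	return ed25519.Verify(pub, doc.Content, doc.Signature)
}

// Demo signs an invoice, tampers with it, and re-signs it with an attacker's key.
// It reports whether each variant verifies as genuine.
func Demo() (originalOK, tamperedOK, forgedOK bool) {
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample invoice; the IBAN is a placeholder, not a real account.
	invoice := []byte("Invoice 4711\nAmount: 12,500.00 EUR\nIBAN: DE00 0000 0000 0000 0000 00\n")
	signed := Sign(senderPriv, invoice)
	originalOK = Verify(senderPub, signed)
	// An attacker swaps the account number but keeps the original signature.
	tampered := SignedDocument{Signature: signed.Signature, Content: bytes.ReplaceAll(
		signed.Content, []byte("DE00 0000 0000 0000 0000 00"), []byte("DE99 9999 9999 9999 9999 99"))}
	tamperedOK = Verify(senderPub, tampered)
	// Re-signing with the attacker's own key does not help either: the recipient
	// verifies against the legitimate sender's public key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forgedOK = Verify(senderPub, Sign(attackerPriv, tampered.Content))
	return
}

func main() {
	o, t, f := Demo()
	fmt.Printf("original: %v, tampered: %v, re-signed by attacker: %v\n", o, t, f)
}
```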
5. Using passwords that are too simple
According to the BSI, simple combinations such as "hello" or "123456" are still widely used because many people find it difficult to remember complex passwords. Stronger passwords are an important step toward greater data security because they make it more difficult for cybercriminals to gain unauthorized access to internal company information.
Solution: Introduce password guidelines, use password managers
Companies should give their employees clear guidelines for password design in order to establish a baseline security standard. Suitable passwords contain at least ten characters and combine upper and lower case letters as well as numbers and special characters. Depending on the company's requirements, an internal password policy also specifies how often passwords should be changed, for example every 30, 60 or 90 days.
Reputable password managers such as KeePassXC support the creation and management of many different, regularly changed complex passwords. Thanks to encryption and a central master password, they store user names and automatically generated passwords securely. For highly sensitive information, two-factor authentication can also be used with the password manager: for example, a confirmation code is sent to a second device such as a cell phone before the login is finally released.
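As an added example (not from the article or DGC), the following Go function enforces the guideline stated above, at least ten characters from all four character classes, and additionally rejects passwords built around well-known weak strings like the ones the BSI mentions; the blocklist here is a constructed four-entry stand-in for a real list.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// minLength follows the guideline in the article: at least ten characters.
const minLength = 10

// weakFragments is a small constructed stand-in for a blocklist of known weak
// passwords; a production check would load a far larger list.
var weakFragments = []string{"hello", "123456", "password", "qwertz"}

// CheckPassword returns every violation of the guideline so the user gets
// complete feedback at once. An empty result means the password is accepted.
func CheckPassword(pw string) []string {
	var problems []string
	if len([]rune(pw)) < minLength {
		problems = append(problems, fmt.Sprintf("fewer than %d characters", minLength))
	}
	var upper, lower, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true // anything that is not a letter or digit counts as special
		}
	}
	for _, c := range []struct {
		name string
		ok   bool
	}{{"upper-case letter", upper}, {"lower-case letter", lower}, {"digit", digit}, {"special character", special}} {
		if !c.ok {
			problems = append(problems, "no "+c.name)
		}
	}
	// Complexity alone is not enough: a long password wrapped around a
	// well-known weak string ("Hello123456!") is still easy to guess.
	lowered := strings.ToLower(pw)
	for _, frag := range weakFragments {
		if strings.Contains(lowered, frag) {
			problems = append(problems, "contains the known weak password "+frag)
			break
		}
	}
	return problems
}

func main() {
	for _, pw := range []string{"hello", "Hello123456!", "Kx9#mT2vQp!w"} {
		fmt.Printf("%-14q -> %v\n", pw, CheckPassword(pw))
	}
}
```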
6. Uncontrolled use of private devices for business purposes
Increased remote working during the pandemic has reinforced the use of personal devices such as smartphones, tablets or laptops for professional purposes. Often, it is the employees themselves who prefer to work with their own powerful devices. This creates new risks and tasks for cyber security. In addition to consequences such as data loss and hacker attacks, there can be legal consequences if companies violate the General Data Protection Regulation (GDPR). But there are ways to reliably separate professional data from other data and, if necessary, to remove company data from devices when employees leave the company.
Solution: Introduce BYOD, CYOD or COPE
The bring your own device model, or BYOD for short, allows employees to use their private devices for work-related activities, subject to defined guidelines. To set the framework in line with IT security requirements and compliance specifications, the use of a professional mobile device management (MDM) platform is advisable. The aim should be to clearly separate work-related and private data according to an infrastructure specified by the employer and to allow access to the company network only via secure interfaces. However, BYOD is only one option that companies can implement, and it has the disadvantage that employees may use different and sometimes very outdated devices that can no longer be managed by the MDM platform. A choose-your-own-device (CYOD) policy is therefore also conceivable for everyday business. In this case, the employee chooses from a defined selection of devices for mobile working, all of which can be managed by MDM. Depending on the implementation, the devices are either purchased by the employees themselves, who are then of course allowed to use them privately, or they are purchased by the company for purely professional use (COPE approach).
Plan and implement IT security strategically
The mistakes described above can be avoided with a properly implemented IT risk management process. Decision-makers should know which corporate assets are particularly worthy of protection and carry out an assessment of the greatest cyber risks, on the basis of which targeted countermeasures are initiated.
To convince employees of the purpose and value of increased cyber security, a public commitment from management is also required. The goal should be to fully support the company's own employees in all IT security issues and to provide them with ongoing training. This ensures that employees are aware of the intentions of criminal hackers and are prepared for current attack methods.
Optimizing IT security is particularly important if the home office is to remain an integral part of the new corporate reality. According to a survey by the BSI, almost six out of ten of the companies surveyed (58 percent) plan to maintain or expand working from home even after the pandemic. Meanwhile, external pressure is growing: cyber insurers increasingly expect certificates and compliance with defined guidelines in order to insure companies against cyber risks.
The BSI’s IT compendium provides basic information and concrete practical tips for optimizing your own IT security. In addition, experienced IT security service providers such as DGC provide support in establishing targeted measures for all-round protection. Do you want to know how your company can be comprehensively protected against cyber risks? Arrange an appointment with us right away. We will be happy to advise you.