What are the risks associated with remote work, and how should we address them?

April 20, 2020
Teleworking is one of the most widespread practices during lockdowns. However, its implementation comes with a number of risks that we need to be aware of.

Since the first case of COVID-19 was reported in the country, remote work has become one of the main measures adopted by many companies and self-employed workers.

Working from home seemed like a simple solution. However, putting it into practice revealed many challenges that people were not yet prepared for. Cybersecurity became a concern for everyone, and the concept of cyber hygiene took hold.

In this article, Santiago Paz, an associate professor of cybersecurity at Universidad ORT Uruguay, shares his insights on these topics and offers suggestions for working remotely responsibly.

How do you assess the impact of the COVID-19 pandemic on businesses in terms of remote work?

Generally speaking, COVID-19 provided the final push businesses needed to accelerate their digital transformation. This applies not only to remote work but also to the transformation of their services. Today, online services in Uruguay have increased not only in quantity but also in variety. In addition to the services we were already accustomed to, such as Mercado Libre or PedidosYa, others have been added, including online psychologists, physical education teachers, and online yoga instructors, among others.

Although Uruguay is a country that is well-positioned in Information and Communication Technologies (ICT) within the region—which helped enormously in this process—it is important to keep in mind that many companies had to adopt drastic measures in recent days. In many cases, these measures were implemented without adequate planning or a thorough risk analysis due to the urgency of the situation. This must be taken into account. While these are contingency measures in response to a pandemic, they must be reviewed and adapted as soon as possible.

What cybersecurity risks did companies face with the implementation of remote work?

One of the main cybersecurity risks companies faced with remote work is the lack of awareness regarding this issue among employees. A best practice in cyber hygiene is to raise awareness among all employees regarding the cybersecurity risks and threats they will face and how to respond to them. In this regard, it is essential to consider a campaign promoting healthy habits—also known as cyber hygiene—for employees who are working remotely.

Another cybersecurity challenge currently being faced stems from the fact that, due to a lack of equipment, many companies immediately began using employees’ personal devices, creating a Bring-Your-Own-Device (BYOD) environment. These environments pose risks due to the lack of control over personal devices, making it difficult to enforce policies regarding antivirus software, passwords, updates, and other security measures.

Finally, another major challenge is having the technological infrastructure necessary to support remote work, such as laptops, VPNs, authentication systems, electronic signatures, collaborative work systems, telephony, and videoconferencing. The reality is that few companies already had all this infrastructure in place beforehand, and as a result, most proceeded to deploy new technologies in a rush. In many cases, this was done with minimal testing and quality assurance. This is undoubtedly a risk that must be taken into account and addressed to ensure the company is not overexposed.

In this context, what recommendations would you give to companies?

First and foremost, it is important to provide adequate cybersecurity training for all employees, even if they are already working remotely.

Furthermore, it is necessary to always use secure remote access solutions such as virtual private networks (VPNs), without exception, and never expose the company’s internal services directly to the internet. If remote desktops are used, they must be confined remote desktops with VPNs.

If possible, the security posture of devices accessing remotely should be validated, and the status of their antivirus software and operating system updates should be verified.

Another key consideration is the use of robust authentication systems that allow for the creation of strong passwords, the identification of individual users, and the monitoring of all access and activities: logs, logs, and more logs.

Finally, it is advisable to implement clear policies with strict user verification procedures for remote support services in order to prevent social engineering.

What recommendations would you make regarding cyber hygiene for users?

Employees must understand that their home—including both their personal computer and personal network—now has access to company information, so they must take the appropriate precautions.

First and foremost, they must keep their operating system up to date; if Windows recommends an update, it must be applied. Additionally, users must ensure they have an up-to-date antivirus program; Windows includes one at no cost: Windows Defender.

Furthermore, remote workers should avoid using Wi-Fi networks that do not belong to them. Under no circumstances is it permitted to “use your neighbor’s Wi-Fi.”

Regarding the use of your own Wi-Fi, you must configure your Wi-Fi router with security settings, at least WPA, and, of course, the password should not be easy to guess.

At this time, it is essential to have a password or PIN to lock any type of device and to be vigilant about the software you download. This software must not come from unknown sources.

Finally, remote workers must know how to identify the company’s IT support staff and should exercise special caution when communicating with them. In other words, if you receive a call from IT and are unsure who you’re speaking with, it’s important to hang up and verify the call’s legitimacy through another channel. Similarly, users should not trust emails claiming to come from the IT support team. Whenever you receive an email asking you to take any action, you should call by phone to verify the email’s authenticity.

Additionally, Paz recommends the following websites for more information on the topic:

https://www.incibe.es/protege-tu-empresa/blog/si-necesitas-teletrabajar-sigue-estos-consejos-seguridad-0

https://www.gub.uy/agencia-gobierno-electronico-sociedad-informacion-conocimiento/comunicacion/publicaciones/recomendaciones-tecnicas-para-teletrabajo-continuidad-operativa