Cyber Security Guidelines in WFH Time

Due to the global COVID-19 pandemic, home is the new office.

In effect, Work from Home (WFH) has become the need of the hour and the utmost priority to keep the workforce safe, ensure protection of company data and improve employee productivity. While the entire workforce embraces this model, numerous bottlenecks have resulted in major cyber-security setbacks for these companies.

Cyber-security, which was not a major concern when working from inside an office, has now cropped up as one owing to a lack of awareness and necessary protocols not being followed. Here are some basic guidelines for the new-normal time where home is our new office:

Network Security

  • Do not use unsecured or open Wi-Fi for official purposes.
  • Change the default network name (SSID) of your router and the password used to log in to it.
  • Secure your Wi-Fi router connections by enabling WPA2 + AES security.
  • Connect to the office network strictly through company-provided means.

Software & Infrastructure Security

  • Install only licensed software.
  • Keep your operating system and applications updated.
  • Install an antivirus and a firewall, and keep them regularly updated.
  • Be careful and vigilant before installing any third-party software.
  • Avoid games, browser plugins and similar software.
  • Avoid freeware/shareware unless proper due diligence has been done.

Portable Media Security

Amidst the lockdown, many employees are using their personal laptop/desktop for official purposes. Organizations enforce security protocols for using USB devices with official systems; the same protocols apply to both official and personal systems.

  • Perform a full scan of hard drives, pen drives and SD cards with an updated antivirus before you open/use them.
  • Avoid sharing official USB drives with the personal computers of family/friends around you.
  • Use additional read/write security controls and, if required, enable event logging.

Password Security

  • Use complex passwords under a strict password policy, e.g. 8 characters combining letters, numbers and special characters (@#$%*).
  • Frequently change account passwords while working from a home network.
  • Use a unique password on every account/device so that all accounts are not compromised at once.
  • Use two-factor authentication (2FA) so that the password alone is not enough to gain access.
  • Never use the same password/passphrase for multiple accounts.
  • Never give out your passwords, One-Time Password (OTP), CVV, ATM PIN, card expiry date, bank account information, Internet banking login ID, Aadhaar number, PAN number or other sensitive data by email, phone call or message. Your bank or government departments never ask for such sensitive data by call, message or email.

Web Surfing Security

  • Visit only trusted sites and always check for https or the lock sign while browsing.
  • Do not browse the Internet using system admin credentials.
  • Keep an eye on any automatic content download; these can be Trojans or viruses.
  • Stay away from links leading to malicious websites. They may look identical to a legitimate site, but the URL will have a variation in spelling or a different domain (e.g., .com vs. .org).
  • Verify the full URL by hovering the mouse over it before clicking any button or shortened link.
  • Never activate the ‘save password’ feature in your browser for official accounts.
  • Enable pop-up blockers on all browsers. Blocking pop-up messages in your browser is a very effective security strategy: it stops your browser from visiting dubious websites and shields your computer from stealth installation of malware/spyware.
  • Before entering your credit card/debit card information or credentials on any website accessed through a link/URL, check the link/URL: if it begins with ‘https://’, it is most likely genuine. However, accessing financial services through the official website of a bank/e-marketplace or any other company is the safest option.
  • The Internet is full of fraudsters. If any website, link, message, etc., seems suspicious to you or offers something which is too good to be true, it is indeed a trap. Do not open the link to see what it is about; it may contain malware which could steal all your personal/financial information along with the passwords to crucial accounts.
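The link checks in the list above (https, a domain that differs only in spelling or TLD, shortened links) can be made mechanical. The following Python helper is an added example, not part of the original guidelines; the trusted-domain allowlist, the shortener list and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed allowlist: the sites the reader legitimately needs to reach.
TRUSTED_DOMAINS = {"examplebank.com", "example-corp.com"}
# Constructed list of link shorteners; their real destination is hidden until clicked.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Digits attackers commonly swap in for letters to imitate a trusted name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable(host):
    """Last two labels of a host: login.examplebank.com -> examplebank.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def canonical(name):
    """Normalise a name label so examp1e-bank and exarnplebank both compare equal to examplebank."""
    return name.translate(HOMOGLYPHS).replace("rn", "m").replace("-", "")


def check_link(url):
    """Return the warnings a reader should see before clicking url; [] means nothing was found."""
    findings = []
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        findings.append("not https")
    if "@" in parsed.netloc:
        # Everything before '@' is ignored by the browser; the real host comes after it.
        findings.append("user@host trick: real host is " + host)
    domain = registrable(host)
    if domain in SHORTENERS:
        findings.append("shortened link hides the destination")
    if "." not in domain:
        findings.append("no usable domain")
    elif domain not in TRUSTED_DOMAINS:
        findings.append("not a trusted domain: " + domain)
        name, tld = domain.rsplit(".", 1)
        for trusted in sorted(TRUSTED_DOMAINS):
            t_name, t_tld = trusted.rsplit(".", 1)
            if name == t_name:
                findings.append("same name as %s but .%s instead of .%s" % (trusted, tld, t_tld))
            elif canonical(name) == canonical(t_name):
                findings.append("lookalike of " + trusted)
    return findings
```

An empty result only means none of these specific checks fired; a link that passes them should still be reached by typing the official address rather than by clicking.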

Email Security

  • Use strict spam filtering for official and personal email.
  • Never forward a company email containing sensitive information to personal email accounts.
  • Avoid accessing personal email in official email clients.
  • Do not open password-protected PDF, PPT, Excel or zip files from unknown senders, especially when the password is mentioned within the email itself.
  • Never enable macros in Word files received from unknown senders.
  • Report suspicious emails to your IT department by sending them as an attachment. Do not forward them directly; instead, warn others by citing the subject line.

Phishing

  • Avoid emails that insist on an action with urgency. The goal is to get you to click on a link and provide personal information.
  • Beware of online requests for personal information. A coronavirus-themed email that seeks personal information like your employee ID or login information is a phishing scam. Never respond to the email with your personal data.
  • Check the email address or link. You can inspect a link by hovering your mouse over the URL to see where it leads. Sometimes it is obvious that the web address is not legitimate, but keep in mind that phishers can create links that closely resemble legitimate addresses. Forward the email to us and delete the email.
  • Watch for spelling and grammatical mistakes. If an email includes spelling, punctuation and grammar errors, it is likely a sign you have received a phishing email. Forward it to IT and delete it.
  • Look for generic greetings. Phishing emails are unlikely to use your name. Greetings like “Dear sir or madam” signal that an email is not legitimate.
  • Make sure your computer is protected by strong, multi-layered security software (AV).
  • Never reveal your personal information over the phone. Most organizations do not ask for this information over the phone.
  • Don’t trust the display name of who the email is from. Just because it says it is coming from the name of a person you know or trust doesn’t mean that it truly is. Be sure to inspect the email address to confirm the true sender.
  • Check the email signature. Most legitimate senders will include a full signature block at the bottom of their emails.
  • Be careful with attachments. Attackers like to trick you with a really juicy attachment. It might have a long name. It might carry a fake Microsoft Excel icon while not actually being the spreadsheet you think it is.
  • Beware of email forms that create urgency or announce lottery wins and ask you to fill in personal/financial information.

There are a lot of phishing and scam attempts related to the WHO. The World Health Organisation has released a Cyber Security Scam Alert warning against such fraudulent attempts. Know more: https://www.who.int/about/communications/cyber-security.

Social Engineering Scams

  • Vishing: Never respond to hoax calls which claim to be from banks/hospitals asking for sensitive information. Beware of VoIP-based attacks, as VoIP allows the caller identity (caller ID) to be spoofed.
  • Pretexting: Hackers create a false sense of trust by impersonating a remote co-worker or figure of authority and ask for account logins and passwords or sensitive official information.
  • Smishing: Beware of attacks that exploit SMS or text messages, which can contain links to web pages, email addresses or phone numbers that, when tapped, may automatically open a browser window or email message or dial a number.
  • Quid pro quo: Amid the lockdown, hackers may pose as technical support staff from various services that the organisation uses and offer to upgrade/patch the software in exchange for critical data or credentials. Immediately inform your IT team to validate such calls.

The golden rule is to avoid responding to inbound calls or email support requests. In case any such support is needed, initiate it from your end, keeping your IT team in the loop.

Donation Scam Alerts

  • Ignore emails and messages with links urging you to donate. Always initiate a donation from your end at official websites.
  • Always cross-check all account details/UPI handles before making any donation to PM or CM relief funds.
  • Do not scan unrecognized QR codes while extending financial support.
  • Beware of fake websites and malicious donation links. Check URLs for authenticity.
  • Before sharing your donation information on social media, exercise caution to avoid sharing any personal/financial information online.

Other Security Tips

  • Frequently back up your data, as advised by your company, to guard against accidental data corruption, device failure or data security incidents.
  • Stay away from PC cleaning/RAM booster software/freeware.
  • Never believe a deal which sounds ‘too good to be true’.
  • Avoid chatting with strangers over the Internet. Fraudsters and scammers prowl the Internet looking for innocent victims. Further, under no circumstances should you transfer any money to a person you have not met in person.
  • Don’t pay the ransom; rather, invest some time and resources in creating backups.
  • Don’t trust any call or email asking for urgent monetary help. Double-check with the person the email claims to have come from.
  • Do not invest in any stock on the claim that the products or services of publicly traded companies can prevent, detect or cure coronavirus, and that the stock of these companies will dramatically increase in value as a result. The promotions often seem genuine, but they are ways to trap you and make you shell out money.

All the above methodologies and activities have one important aspect in common: your awareness and your response to stimuli. The moment you do something unknowingly or absent-mindedly is exactly the moment the cyber-criminals are waiting for. The information in your system, a mix of personal and professional content, becomes vulnerable. Vigilance is the key to working in this situation, be it for your personal health or your professional life. Safety never takes a holiday.

For any additional queries or cyber-security concerns, you may reach out to Team at info@primeinfoserv.com