A few recommendations on the cybersecurity of the workplace

For the first 2016 Kaspersky Business blog post, we’ve chosen Commandments of Office Security, a handful of common problems with cybersecurity in the workplace, and the ways to solve – or at least mitigate – them.

Holiday season is over, and hopefully everyone had a decent rest and some well-earned time of peace and quiet.

Now, we’re back to work. For the first 2016 Kaspersky Business blog post, we’ve chosen a topic that may sound a bit too hortatory: Commandments of Office Security. It’s actually a handful of common problems with cybersecurity in the workplace, and the ways to solve – or at least mitigate – them. This is not a complete list, of course, as there are many more issues. Let’s take a closer look.

Case one: somebody knows worse

It isn’t Alice’s job to watch out for cybersecurity.  She’s the CFO in a medium-sized firm, but she’s learnt to be cautious long ago, and is very good at recognizing phishing letters from the legit ones.

When a message ostensibly from the IRS hit her inbox, Alice felt her suspicions rising. Although everything looked okay, there was something a bit sinister with the date – out of cycle, too early.

Anyway, it was late evening, past working hours already, so checking out the source wasn’t an option. Alice chose not to open the attachment until she could ascertain the source – i.e. until the next morning.

Too bad she had to be OOO the next day. And her assistant tasked with handling the boss’ emails while she was away, was a much-less experienced person – and fell for the trick.

The breakdown

This scenario may seem a bit far-fetched, but it is not necessarily. It was Alice’s mistake (or, rather, a result of a faulty security policy in the entire company) that the wrong person was tasked with handling executive emails. Executives are among the primary targets for phishers and APT actors.

Education of the staff against phishing is a highly recommended proactive security measure. As is the deployment of an automatic anti-exploit system such as Kaspersky Automatic Exploit Prevention solution. It wouldn’t let the exploit through.

Case two: Let the guest remain the guest

Jerome wasn’t expecting anything bad from a friend visiting him in the office shortly before the end of the day. The friend asked if there was WiFi available for his tablet, and Jerome handed over the password to the company’s internal network. It turned out the friend’s tablet wasn’t secure and clean…

The breakdown

This is why guest networks exist. Jerome has definitely violated the company’s security policy by allowing a stranger inside the network. Even if a stranger didn’t mean any harm, the malware sitting in his devices did.

The guest network should be totally isolated from the internal network, and data exchange between them should be very limited and strongly controlled. Otherwise… well, hopefully, removing the Android malware that slipped from the guest’s device into the internal network wasn’t much of a big deal.

Case Three: The bird of prey carried something away

Chuck has never been good at fighting, especially if outnumbered in a dark alley late at night. Thugs got away with Chuck’s smartphone, Fortunately, his health was damaged much less than his ego. But there was yet another reason for his anxiety: the smartphone contained certain working files that weren’t supposed to fall into the wrong hands. And that is exactly what happened.

The breakdown

Depending on whether the smartphone was “registered” with the company’s IT staff and the appropriate measures are deployed, the problem is either huge or almost non-existent.

If the smartphone is armed with the corporate security solution and anti-theft tools, the device will be soon retrieved, or sensitive data wiped off remotely, or, in the worst case, the criminals will be left with a useless “brick” in their hands before they are going to sell it.

Otherwise, the repercussions may go far and wide for the entire company. The chance that Chuck was not a random victim, and the thugs were really going after his smartphone specifically are slim. Such a scenario would fit in a spy flick like “Mission: Impossible”, but even more outlandish things happen, so discarding such situation would be unwise.

With BYOD every user and every carrier of the work-related data becomes the network endpoint and as such requires protection, which can only be provided if the IT staff is aware of the existence of these “endpoints” – first and foremost personal devices used for work.

Case Four: A yellow sticker and webcam

Passwords, passwords, passwords. A damning number of them have to be memorized over the course of everyday work. It is such a temptation to use just one or a handful of similar ones, or to write them all down on a sticky note and keep it nearby.

That’s what Andy did. On the wall there is a handful of yellow stickers with multiple arcane, hard to break, impossible to guess combinations of symbols, letters, and digits.

When these passwords were used by the cyber-intruders to wreak havoc in Andy’s company network, he was knee-deep in trouble. Eventually, investigators found out that those stickers were photographed with a nearby laptop’s web-cam.

The breakdown

Passwords aren’t something to be shown for all to see. Even though it may seem that nobody guesses which password belongs where, leaving them on the plain sight is as unsafe as sharing them in plain text via e-mail, for instance.

And the safe approach? – A good password manager that will have you remember just one master password.

Wisdom of a mild paranoia

Now, these are a few scenarios related to various cyberincidents in the work environment. They may look “fantastic”, but they are not – cyberattackers really use webcams for “intel-gathering” (remember Carbanak).

The list of “commandments” of cybersecurity in the workplace would be long, much longer than these four cases, but the basics are these:

– Do everything to prevent phishers from success (phishing letters are the first attack vector for a long list of other threats);

– Set up a guest network and keep it isolated from the internal one, and no non-employees are to use the internal network;

– If BYOD is in, take the “always guilty, always wrong” approach to the “visiting” devices. Admins should always know what devices you are using for work and have a remote “kill switch” for working data on such devices in case they are lost or stolen, or the owner is leaving the company;

– Passwords should be kept privately, only accessible to their specific user; using a password manager is the best way, using stickers on the wall is the worst.

We can add here a recommendations to restrict use of social networks, unless they are necessary over the course of work, and file sharing services/clouds unless they are absolutely necessary. Perhaps this may look a bit over the top, but if there is something to lose, better to do everything to prevent such losses.

Please feel free to share your own experience and thoughts on the cybersecurity in the office.