16 April 2020
In coming to grips with the new, and hopefully not for too long, normal of working remotely, we continue to receive many requests for guidance on protecting one’s cyber security when working from home. Working from home has specific cyber security risks, including targeted cybercrime. When compromised, unauthorised access to your stored information can have a devastating effect on your emotional, financial and working life.
We partner with Australian Signals Directorate’s Australian Cyber Security Centre whom we thought to share their relevant guidance here.
Here are nine things you can do to in your new working environment to protect your work and your household’s cyber security.
Cybercriminals see a crisis as an opportunity. Major change brings disruption, and businesses transitioning to working from home arrangements can be an attractive target.
Be aware that the COVID-19 pandemic will be used by cybercriminals to try to scam people out of their money, data and to gain access to systems. While working from home you should:
Socially engineered messages are messages sent by an adversary in an attempt to direct users into performing specific actions such as opening an attachment, visiting a website, revealing account credentials, providing sensitive information or transferring money.
To increase the likelihood of users performing an adversary’s desired actions, the adversary will go to lengths to make their messages appear as if they are legitimate and from a trustworthy source.
As a result, socially engineered messages are likely to be work-related, infer a sense of urgency or target a specific interest of users. They may also appear to come from someone known to users such as a colleague, senior manager or authoritative part of their organisation (e.g. the information technology, human resources or finance areas).
While socially engineered messages can be very convincing, there are things to look for to assist in differentiating them from legitimate messages. Users should consider the following questions.
When messages contain links to websites, users should browse to the website themselves rather than clicking on the link in the message or directly copying or typing the link into a web browser. An adversary can use a number of techniques (such as single letter substitutions) to either obfuscate or trick users into accessing a malicious website that they think is legitimate. Never enter credentials into websites if directed there by a link in a message.
When opening attachments from messages, users should be cautious and exercise judgment. If unsure, use a known out-of-band contact method for the sender (e.g. a phone number) to confirm their intent to attach files to the message.
Often an adversary will be unable to achieve their goals without interacting with users. This may be due to existing security controls or the complex nature in which an adversary is attempting to compromise a system.
For example, if Microsoft Office macros are disabled an adversary may provide users with step-by-step instructions on how to enable them in order for their malicious code to execute when the user opens a Microsoft Word document. Users should treat any requests to change the configuration of systems or perform specific actions as highly suspicious.
Alternatively, a form of social engineering known as CEO fraud involves an adversary masquerading as an organisation’s CEO and requesting large transfers of money, often when they know the actual CEO will be uncontactable and unable to refute the request.
One of the easiest ways of performing social engineering is for an adversary to simply ask users for the information they want by exploiting user’s natural desire to be helpful.
Often an adversary will masquerade as someone users might expect to have a legitimate requirement to access the information being asked for. For example, a colleague asking for copies of documents that they accidentally deleted. Alternatively, an adversary may choose to masquerade as someone that users may not necessarily know but could be reasonably expected to have a requirement to access the information they are requesting, such as a new starter with the information technology help desk or a staff member working on the same project but from a different office.
Users should never disclose credentials such as passwords to other people. Furthermore, users should be suspicious of any requests for sensitive information from people that they do not interact with on a regular basis. Even if users know the person requesting sensitive information, they should still consider whether that person has a legitimate need to know that information, as malicious insiders often leverage their contacts in order to gather information or privileges they shouldn’t have access to.
While an adversary may go to lengths to make their messages appear as if they were legitimate and from a relevant and trustworthy source, another adversary may lack the skills or motivation to do so. Incorrect spelling and capitalisation, abnormal tone and language, or the absence of a specific addressee can indicate that a message is likely to be a socially engineered message.
Passwords are passé! Strong passphrases are your first line of defence. Enable a strong and unique passphrase on portable devices such as laptops, mobile phones and tablets.
Use a different passphrase for each website and app, particularly those that store your credit card details or personal information. To use the same username (such as an email address) and passphrase for multiple accounts means that if one is compromised, they are all at risk.
A passphrase is similar to a password. It is used to verify access to a computer system, program or service. Passphrases are most effective when they are:
Why? Greater security & more convenience
Multi-factor authentication is one of the most effective controls you can implement to prevent unauthorised access to computers, applications and online services. Using multiple layers of authentication makes it much harder to access your systems. Criminals might manage to steal one type of proof of identity (for example, your PIN) but it is very difficult to steal the correct combination of several proofs for any given account.
Multi-factor authentication can use a combination of:
If your device supports biometric identification (such as a fingerprint scan) it provides an additional level of security, as well as a convenient way to unlock the device after you have logged in with your passphrase.
It is important to allow automatic updates on your devices and systems like your computers, laptops, tablets and mobile phones. Often, software updates (for operating systems and applications, for example) are developed to address security issues. Updates also often include new security features that protect your data and device.
Virtual Private Network (VPN) connections are popular method to connect portable devices to a work network. VPNs secure your web browsing and remote network access.
Sometimes organisations specify that you use a VPN on work devices. If this is the case, you should familiarize yourself with your organisation’s VPN requirements, policies and procedures.
It’s much easier to access your information if other people have access to your devices. Do not leave your device unattended and lock your computer when not in use, even if it’s only for a short period of time.
You should also carefully consider who has access to your devices. Don’t lend laptops to children or other members of the household using your work profile or account. They could unintentionally share or delete important information or introduce malicious software to your device.
If you do share your computers or devices with family or your household, have separate profiles so that each person logs in with a unique username and passphrase.
When transporting work from the office or shop to home, portable storage devices like USB drives and cards are easily misplaced and, if access isn’t properly controlled, can harm your computer systems with malware.
If possible, transfer files in more secure ways, such as your organisation’s cloud storage or collaboration solutions. When using USBs and external drives, make sure they are protected with encryption and passphrases.
Cybercriminals and other malicious actors use popular and trending topics such as COVID-19 to spread disinformation or scam people. Impersonating, cloning or creating websites to look genuine is one way to do this (see ‘Beware of scams’ above). Producing and sharing false information on social media is another.
Be sure to only use trusted and verified information from websites be it government or research institution’s websites. Think critically about the sources of information that you use and balance all evidence before believing what people share.
For information on where to find the latest COVID-19 information, see:
If you’ve any questions regarding the above or require advice, please phone Iby Boztepe, Director of Professional Services, Exigence on 9568 5437 or by email: firstname.lastname@example.org.