Operational controls impacted by new working arrangements
Most entities have recently made changes to their internal controls in response to COVID-19, including expanding work from home arrangements to sup
Security organisations have observed a significant increase in attacks by criminal hackers who are attempting to take advantage of the extraordinary circumstances the COVID-19 crisis presents. They have observed an increase in scams and phishing attempts related to COVID-19. Phishing is a fraudulent attempt to obtain sensitive information from an end user (for example, usernames, passwords and credit card details), often by asking the user to click on a link that results in malicious software being installed.
Entities need to ensure they implement effective security controls to support their employees working from home. Employees working from home need to be vigilant to maintain the security of their entities’ systems and information.
Among many other things, COVID-19 has brought about a fundamental change in how we work. Working from home brings the obvious challenges of untrusted networks and insecure residential environments, but it also poses a less obvious threat—letting our guard down.
Entities should remind staff to lock computers when not in use and not to leave sensitive information lying around. They should also ensure staff can log in securely to their systems, use strong passwords, and be vigilant when reading emails (which are in increased use during this time and can expose entities to phishing attacks).
To support employees to work from home securely, entities should enable multi-factor authentication so that users cannot log in remotely to the entity's internal network with a password alone; a second factor is always required (for example, a username and password, plus a code sent to a mobile phone or generated by an authenticator app). This makes it much harder for cyber criminals to compromise sensitive information and systems.
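The following is an added illustration of what the second factor looks like on the server side; it is not code from the audit office or from any audited entity. It assumes the code comes from an authenticator app that generates RFC 6238 time-based one-time passwords (SHA-1, 30-second step, 6 digits), and the user store, user names and passwords are constructed for the example. Passwords are stored as salted PBKDF2 hashes, the code is compared in constant time, a small clock-drift window is tolerated, and each code can be used only once.

```python
"""Second-factor (TOTP) login check, added as an illustration for this section.

Not code from the audit office or any audited entity. Assumes an
authenticator app generating RFC 6238 time-based one-time codes (SHA-1,
30-second step, 6 digits); the user store and credentials below are
constructed for the example.
"""
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def matching_counter(secret: bytes, code: str, at: int, step: int = 30,
                     digits: int = 6, window: int = 1):
    """Return the time-step counter whose code matches, or None.

    One step either side tolerates clock drift between server and phone.
    The comparison is constant-time so the server does not leak which
    digits matched.
    """
    if len(code) != digits or not code.isdigit():
        return None
    base = at // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta, digits), code):
            return base + delta
    return None


class SecondFactorLogin:
    """Username + password + one-time code, with replay protection."""

    ITERATIONS = 200_000  # PBKDF2 work factor; tune to the hardware

    def __init__(self):
        self._users = {}

    def enroll(self, username: str, password: str, secret: bytes = None) -> bytes:
        """Store a salted password hash and the shared TOTP secret.

        The secret is returned so it can be shown to the user once
        (for example, as a QR code for the authenticator app).
        """
        secret = secret or secrets.token_bytes(20)
        salt = secrets.token_bytes(16)
        self._users[username] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS),
            "secret": secret,
            "last_counter": -1,  # highest time-step already consumed
        }
        return secret

    def login(self, username: str, password: str, code: str, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        user = self._users.get(username)
        if user is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], self.ITERATIONS)
        password_ok = hmac.compare_digest(candidate, user["hash"])
        counter = matching_counter(user["secret"], code, now)
        # Both factors are always evaluated. A code is accepted at most once,
        # so a code captured by a phishing page cannot be replayed later.
        if not password_ok or counter is None or counter <= user["last_counter"]:
            return False
        user["last_counter"] = counter
        return True


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret; the clock is fixed so the run is repeatable.
    demo_secret = b"12345678901234567890"
    auth = SecondFactorLogin()
    auth.enroll("alice", "correct horse battery staple", demo_secret)
    first = totp(demo_secret, 59)
    print(auth.login("alice", "correct horse battery staple", first, now=59))  # True
    print(auth.login("alice", "correct horse battery staple", first, now=59))  # False: replayed code
```

The replay check matters in the remote-access setting this section describes: a one-time code that a user is tricked into typing into a fake login page is only useful to the attacker until the legitimate login consumes it, and never after.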
Entities should ensure they make their staff aware of their responsibilities in managing cyber risks. Poor password practices unnecessarily expose entities to attack. Easily guessable passwords make it simpler for hackers to compromise user accounts and use these accounts to gain control over an entity's networks. In our report Managing cyber security risks, which was tabled in parliament in October 2019, we recommended that entities:
undertake a risk assessment to determine the most effective password policy and implement it as a priority
Controls may include:
Entities should alert their employees to continue to use professional scepticism and exercise caution if they receive an email that is unexpected, or looks a little unusual.
The best protection is awareness and detection. Employees should not open attachments or click links in unsolicited emails—if the email is unexpected, they should be wary of opening the attachment and always verify the link.
Entities should demonstrate to staff how to identify and report phishing emails and other threats.
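As an added illustration of the "always verify the link" advice above and of what staff can be shown when learning to identify phishing emails, the following script is not code from the audit office or any audited entity. It assumes the email body is HTML and that the entity keeps a short list of domains it trusts; the sample message, the domain names (all from reserved test ranges) and the reason codes are constructed for the example, and the "registrable domain" helper is a deliberate simplification that does not consult the public suffix list.

```python
"""Link checks for a suspected phishing email, added as an illustration for this section.

Not code from the audit office or any audited entity. Assumes an HTML
email body and a set of trusted domains; the sample message, domain
names and reason codes are constructed for the example.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels of a host name (simplification: no public suffix list)."""
    return ".".join(host.split(".")[-2:])


# Visible anchor text that itself looks like a web address.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def check_link(href: str, text: str, trusted: set) -> list:
    """Return reason codes for treating this link as suspicious (empty if none)."""
    reasons = []
    href_host = host_of(href)
    if not href_host:
        return reasons
    # 1. The visible text shows one address but the link actually goes elsewhere.
    if URL_LIKE.fullmatch(text) and registrable(host_of(text)) != registrable(href_host):
        reasons.append("text_host_mismatch")
    # 2. A raw IP address instead of a host name.
    try:
        ipaddress.ip_address(href_host)
        reasons.append("ip_literal_host")
    except ValueError:
        pass
    # 3. A trusted name embedded in a host that is neither that domain nor a subdomain of it.
    for domain in trusted:
        if domain in href_host and href_host != domain and not href_host.endswith("." + domain):
            reasons.append("lookalike_domain")
            break
    # 4. Unencrypted transport.
    if urlparse(href).scheme.lower() == "http":
        reasons.append("plain_http")
    return reasons


def analyse_email(html: str, trusted: set) -> list:
    """Return (href, text, reasons) for each link that raised at least one reason."""
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        reasons = check_link(href, text, trusted)
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample message. ".example" and ".test" are reserved names and
# 203.0.113.7 is a documentation address, so nothing here points at a real site.
SAMPLE_EMAIL = """
<p>Your account will be suspended today. Confirm your details at
<a href="http://mybank.example.login-verify.test/reset">https://mybank.example/reset</a></p>
<p>Read our <a href="https://mybank.example/help">help pages</a> for more.</p>
<p>Or <a href="http://203.0.113.7/login">click here</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in analyse_email(SAMPLE_EMAIL, {"mybank.example"}):
        print(f"{text!r} -> {href}: {', '.join(reasons)}")
```

Run against the sample, only the first and third links are reported: the first because its displayed address and real destination differ and the real host merely contains the trusted name, the third because it is a bare IP address; the genuine help link on the trusted domain raises nothing. The same checks are what a person does by hovering over a link before clicking it.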
Here are several tell-tale signs of a phishing scam: