Consultivo Blog | Business Excellence
It’s critical to understand the level of anxiety & uncertainty we are going through after the Covid period. For many of us, Work From Home (WFH) or a blended model is new normal.
It is a blessing in disguise for hackers. Let’s not ignore the basic practices to protect our data on our work from home days.
The common target is to prey upon the insecurities of people & make them curious. COVID 19 has been such an event when the number of malicious websites, malware, phishing emails, and impersonation are rising high up.
When people are uncertain, anxious and afraid, they seek information to allay their fears or to confirm their fears.
Most conveniently, they search up on the internet. Now that’s the game park for hackers, if not properly taken care of.
Numerous malicious websites which supposedly provides updates and information on COVID 19 have been developed to lure the users. Just by clicking on that link to that malicious website, it gets the malware downloaded or misleads the users for sharing their usernames and password.
Similarly numerous mobile applications with names containing “COVID” and “Corona” have been developed containing malware such as viruses, worms, Trojans and ransomware which are also downloaded on the mobile. The subsequent consequence is known or can be predicted.
In a webinar on information security, I heard a story of an incident where a fake company was selling PPE and other essentials and which disappeared once the payment was made. The material never arrived.
Another participant narrated about how an elderly neighbour was made to deposit money into an account to pay for the medical expenses of her daughter who was living in another place. She received a phone call that her daughter was quarantined and could not make the phone call and she has requested that the hospital charges to be paid.
It was very concerning to note that the person making the call knew the personal details of her daughter and her mother and could convince her mother to make the payment.
Others play on the good nature of humans and act as volunteers or non-government organizations (NGOs) and solicit donations on behalf of affected people. Only later do the people find out that there was no such NGO or volunteer. In another incident, an employee of a company received a phishing email requesting an urgent release of payments to a supplier of PPE. Fortunately, the payment was not made and the organisation managed to prevent monetary loss. Such incidents highlight the need to protect information at all cost as it can be misused.
Information security is ensuring confidentiality, integrity, availability of information. Confidentiality is ensuring that the information is not made available to persons who are not authorised to receive it or see it.
A common example of confidential information is a password. The second property is integrity. Integrity is the correctness and completeness of the information.
How would you react if you received a cheque which has a spelling error in your name? Practically it becomes useless. You will not be able to use it. Similarly, information which is not correct is useless. The third important property of information is availability. It is the property that the information is available to the person when he or she needs it.
In the above incident of the elderly woman, had she been able to contact her daughter, she would have realised that the phone was a fake. Fraudsters and hackers use the opportunity of non-availability of information to their advantage
To ensure information security, the organisation must ensure that they secure applications, networks, servers etc.
They must ensure that firewall is configured correctly and backups are regularly taken. User ids of employees who are no longer working with the organisations and unused applications must be disabled.
Organisations must regularly communicate with the employees who are working remotely on precautionary steps to be taken to protect their information. Regular guidance must be provided. Decisions taken must be communicated timely. Special care must be taken to identify disgruntled or de-motivated employees as they could become insider threats.
On the part of the remote workers, they must ensure that they keep their personal work separate from their official work. Many employees have uploaded photographs of working at home on the social network like Facebook, Instagram etc. Many of the photographs clearly reveal official information including confidential information which is a clear violation of policy. Needless to mention, such employees make the lives of hackers very easy.
Employees must verify emails and report any abnormal activity, emails to their manager. Also, another common mistake is that at home, employees often use their home WiFi to carry out their official work. While doing so they must ensure that WiFi is configured and all default admin user name and passwords are changed as it is very easy to hack into the WiFi.
Responsible use of technology will ensure information security. While deploying new technology, the risks must be evaluated and the employees must be trained on the technology.
These steps while logical and seem obvious on hindsight are ignored commonly. Only organisations who have a good information security management system can systematically identify threats and vulnerabilities and implement controls to mitigate them.
ISO 27001 is an ISO standard which states the requirements of information security management system for common business. Other businesses like credit card companies have standards like PCI DSS which have similar but more stringent requirements.
ISO 27001 is aligned to the high-level structure of the ISO standards and has additional controls given in Annex A. These controls have control objectives and cover a variety of domains and when implemented increases the robustness of the system.
Implementation of ISO 27001 leads to improved information security of the organisation.
An organisation implementing ISO 27001 can identify potential business continuity threats and be prepared to meet them. Employees are generally the weakest link and implementation of ISO 27001 ensures that the organisation carry out necessary and sufficient training for the employees.
Implementation of ISO 27001 ensures that situations like COVID 19 do not impact their business leading to better stakeholder confidence in the business and increase in brand value.
Related training programmes
Share this post
Category: Blog
Tags: Business Excellence
Related insights
Blogs
Knowledge Bank
News & Events
Knowledge Bank
News & Events
Blogs
View more in Impact Stories | Blogs | Knowledge Bank | News and Events
