Q&A – Cybersecurity, distance work, distance learning
Is distance working really a safe choice?
If it is done correctly and with awareness, distance working is certainly safe. Even though the current emergency situation, in which many people work from home, does increase the danger of companies and their employees falling victim to a cyber attack or cyber fraud, these risks can be brought down to a minimum by following elementary cyber hygiene requirements. In turn, by doing distance work safely you lower the risk of coronavirus infection for yourself as well as for others.
What are the most common current threats?
Because information about the coronavirus is understandably the focus of people's interest right now, the distributors of malware are using it as well: all over the world e-mails are being sent out with links or attachments leading to a document that seemingly gives the recipient new information about the spread of the virus. We are also aware of a map of the spread of the virus being used as bait. These e-mails infect your computer with malware that can steal your passwords and other data.
The growing popularity of distance working is also being exploited. Working from home, people often need to join various central services, file-sharing platforms or communication networks. If you receive an e-mail that asks you to click on a link in order to join a work-related group, make sure that this really is a group or service that you have agreed on with your employer.
With work e-mails, remember that invoice fraud and CEO fraud schemes are quite common in cyber crime. If your boss (who is currently probably not in the same room as you) asks you to transfer money from the company's account to a completely unexpected bank account, confirm through some other prearranged channel of communication that she really means it. If a business partner in another country asks you to send a payment for services to a new bank account, confirm this with him over the phone or through some other channel of communication.
Recent times have seen a resurgence of payroll scams, in which an employee seemingly asks the head of personnel to transfer her wages to a new bank account as of next month. The request is actually sent by cyber criminals, who end up receiving the money. In a payroll scam the cyber criminals send a short e-mail in quite convincing Estonian to the head of personnel under the name of an employee, asking that the wages be transferred to a new bank account as of next month. For this they use visual tricks, replacing a letter in a name or altering the domain name in a barely noticeable way (ettevõte.ee vs ettveõte.ee). They might also take advantage of insufficient security of an e-mail account and impersonate an employee's e-mail address in a way that is difficult for a layperson to distinguish.
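As an added example (not code from the original page or from RIA), the following Python check flags sender domains that look like a trusted one but are not it, covering both the letter transposition shown above (ettevõte.ee vs ettveõte.ee) and digit-for-letter substitutions such as ettev0te.ee. The allow-list, the confusables table and the sample From: headers are constructed for the demonstration.

```python
import unicodedata

# Constructed allow-list of domains the organisation really sends mail from.
# "ettevõte.ee" is the example domain used on the page; nothing else is real.
TRUSTED_DOMAINS = {"ettevõte.ee"}

# Small constructed table of digits commonly swapped for letters. A production
# filter would use the Unicode confusables data instead of this handful.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def skeleton(domain: str) -> str:
    """Reduce a domain to a comparable 'skeleton': lower-case it, strip accents
    (õ -> o) and map confusable digits to letters, so that visually similar
    spellings collapse to the same string."""
    d = unicodedata.normalize("NFKD", domain.strip().lower().rstrip("."))
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    return d.translate(CONFUSABLES)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (restricted Damerau-Levenshtein):
    an insertion, deletion, substitution or swap of two adjacent characters
    each costs 1, so 'ettveote' is distance 1 from 'ettevote'."""
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[n][m]


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header such as 'Mari <mari@ettevõte.ee>'."""
    addr = from_header.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rfind("<") + 1:-1]
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> str:
    """Return 'trusted' for an exact allow-listed domain, 'lookalike' for a domain
    that is not on the list but collapses to (or sits within max_distance of) a
    trusted skeleton, and 'unknown' for everything else."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in {t.lower() for t in trusted}:
        return "trusted"
    skel = skeleton(domain)
    for t in trusted:
        if osa_distance(skel, skeleton(t)) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed From: headers modelled on the payroll-scam pattern above.
    for hdr in ["Mari Maasikas <mari@ettevõte.ee>",
                "Mari Maasikas <mari@ettveõte.ee>",
                "Mari Maasikas <mari@ettev0te.ee>",
                "newsletter@example.org"]:
        print(f"{hdr:40} -> {classify_sender(hdr)}")
```

A "lookalike" verdict on a message that asks for a bank account change is exactly the case where the page's advice applies: confirm with the person through another, prearranged channel before acting. Keep max_distance small (1 is used here) so that unrelated short domains are not flagged as lookalikes.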
At the beginning of the crisis, there was a wave of English-language phone calls to recipients in Estonia asking for access to their computer. The calls came from foreign phone numbers and the caller introduced himself as a representative of an internationally well-known company. Referring to the current situation, in which many people work from home offices and need to keep the equipment used for distance work secure, the callers asked for access to the computer, giving as their reason a wish to check that the device is secure enough. When refused, the caller did not end the call but persistently continued asking for access. The goal of the fraudsters might have been to steal passwords or bank card data. Such calls might also be used to sell scareware products that seemingly find malware on the victim's computer. By paying the fraudsters you really do get rid of your money, and only seemingly get rid of the so-called malware, which was never on the computer in the first place.
What software should be used for video- or teleconferencing?
The most important thing is to agree with your colleagues and close ones on which channels of communication are used for distance communication during the emergency situation. Your children, for instance, have similar agreements with their teachers and friends on which channels they use. It is always good to find out more about these channels of communication and to establish which are not only easy to use but also safest from the point of view of message confidentiality, in case you have to share confidential business information with your business partners. Read through the terms and conditions! At the same time, keep an eye on which channels of communication are the safest for your child's health and welfare.
As distance working will continue both in Estonia and the rest of the world for quite a while longer, there will probably also be campaigns in which criminals try to spread malware or steal data by impersonating various distance working applications. We have seen the popularity of some videoconferencing platforms exploited for spreading malware: the victim is left with the impression that he has received a link from such a programme, or a link is shared that seems to be connected to such a programme but leads to a web page used to collect user data.
The Centre of Registers and Information Systems stresses to the employees of ministries and agencies that information labelled as restricted (AK) may only be forwarded over a videoconferencing system that is controlled by the holder of the information (i.e. hosted in the holder's own ICT infrastructure). If it is not possible to use such a system, the restricted information must not be forwarded through a videoconference.
What are the recommendations regarding passwords?
Distance working and learning require constantly logging in to various places and entering passwords. This can create a temptation to use one and the same (and as simple as possible) password everywhere: for work, school, shops, social media, chat rooms and gaming sites. But if this one password leaks (and passwords do leak from time to time!), attackers will try whether the leaked username and password also work in other places.
One way to use different passwords in different places without having to remember the long passwords yourself is to look at what password managers offer. There are several, and they can be used for free (e.g. LastPass, KeePass, 1Password); this way you only need to remember the one long password for your password manager.
But as e-mail accounts and all kinds of other accounts are currently vital for working, studying and communicating from home, an important aid in securing your accounts is multi-factor authentication. This means that even if somebody does get hold of your password (through phishing, malware or previously leaked passwords), they still cannot access your e-mail account without a code that is on your phone. No, you do not need to enter the code every time you want to log in to Gmail. But if someone tries to access your e-mail account from a geographically distant location, they will not succeed.
Do devices that are used for distance working or learning need to be prepared somehow?
Make sure that both your and your child's computer or device has the latest available software. This is vitally important! If the software is out of date, your computer might get infected just by visiting a suspicious web page.
If you know how to find the settings of your smart television, your router and your Internet-connected web camera, you should update their software regularly as well. All this so that the devices in your home could not be used to attack anyone else. Just as you don't want to be the one who transmits the virus.
Additionally, it is important to check that the anti-virus software on your devices has been able to update itself regularly. Anti-virus never protects you from all threats; malware creators are always a step ahead of anti-virus programmes. But if a piece of malware has already circled the globe several times, anti-virus programmes will recognize it and stop it before it manages to infect your computer or the computers of those close to you.
Definitely find out whether the people close to you have the latest versions of operating systems and anti-virus software on their computers. On the Windows operating system, for instance, this means updating the Windows Defender definitions.
How do I make sure my data is not lost?
There is one more good way to reduce stress about your work and studies during these unusual times: backing up your data. Nobody wants to redo work that they have already done. But we know that devices sometimes break or, even worse, get infected with malware that blocks access to the data. Schoolchildren might initially find it great to be able to say that they could not submit their schoolwork because the computer was not working, but in the end even they will still have to redo the work. Losing your work because of ransomware or a device that has unexpectedly broken down is an even bigger worry.
There is a vast array of commercial cloud solutions for backing up your work (Google Drive, Microsoft OneDrive, Amazon Drive, Dropbox) that back up your documents automatically over the Internet. It is your task to save your files to the correct drive and to be able to find your documents again on another device if something happens to yours.
We also recommend using an external hard drive or a memory stick to back up your most important data. With large amounts of data this can, on the one hand, make restoring your data faster; on the other hand, keeping large data volumes in cloud solutions is more expensive than using external storage media. Find out from your employer which backup solutions are acceptable to them at all: is keeping work documents in a cloud even allowed, or does the company have different rules?
My child is online for days on end – e-school, socializing with friends, just passing time. What should I keep in mind?
Show regular interest in what your child is doing on the computer. This is easier if the screen of the child's computer is placed so that it can be seen easily when passing by. Be interested, communicate, ask. Try to find time for this even when you are distance working yourself.
I am a head of a company. What should I pay special attention to?
On April 8, the internationally recognized collection of cybersecurity measures "CIS 20 Controls" was made available in Estonian by the Information System Authority. It is a tool developed by recognized cybersecurity experts that can be used by IT managers and anyone else responsible for IT in their company to ensure the company's cybersecurity. The latest version of the CIS 20 measures also differentiates between measures meant to be implemented by large companies and those meant for small and medium-sized companies as well. The Estonian version of the collection of measures, together with short instructions and instructional videos in Estonian and Russian, can be found at https://www.ria.ee/et/kuberturvalisus/ennetus-ja-nouanded/nouanded.html. In the original language, English, the measures can be found here: https://www.cisecurity.org/controls/cis-controls-list/.
Even though it might not be possible for you to implement these measures before the end of the current emergency situation, it is still worth doing so consistently in the medium and longer term. This way you will safely survive both possible future individual cyberattacks and future emergency situations.
Additionally, see https://www.itl.ee/uudised/itl-soovitab-ettevotetel-kaugtoo-korraldus-labi-moelda/.
Are there special rules in force regarding the processing of personal data during the emergency situation?
The Data Protection Inspectorate has issued detailed positions on this:
a) About processing the personal data of employees in the context of the coronavirus (https://www.aki.ee/et/uudised/tootajate-isikuandmete-tootlemisest-koroonaviiruse-kontekstis).
b) The statement of the European Data Protection Board regarding COVID-19 (https://www.aki.ee/et/uudised/euroopa-andmekaitsenoukogu-avaldus-seoses-covid19-ga).
c) Can an employee be compelled to reveal everything about his health condition? (https://www.aki.ee/et/uudised/kas-tootajat-saab-kohustada-raakima-koike-oma-tervislikust-seisundist).
What should be kept in mind after the crisis?
After the crisis is over, everybody should continue to follow the requirements of cyber hygiene. Both authorities and companies should remember that IT long ago stopped being a small part of the organisation with only a supporting role; it has become, at times, the most critical part, as all work is done on computers and the information necessary for the company or authority to function is stored on servers or hard drives.
What are the five most important recommendations for safe online conduct?
- Don't open attachments or links from unknown senders.
- Don't believe threatening letters from unknown senders that demand that you act quickly.
- Don't give an unknown caller access to your computer.
- Make sure that you are using the latest version of software and that all security updates have been installed.
- Regularly back up the files in your computer and on your phone.
Also see the newest entries at https://blog.ria.ee/.
Is there more cyber fraud than usual during the emergency situation?
No; the number of cyber incidents registered by the Information System Authority has remained at a level similar to the period before the crisis. But, considering the extent of distance working currently being done, the overall risk has still increased. The Information System Authority has seen that cyber fraudsters both in Estonia and the rest of the world are trying to take advantage of the coronavirus in new ways: for instance, an e-mail containing malware has been disguised as virus-related information from the Health Board.
For more specifics, see https://www.err.ee/1068027/tonu-tammer-kuberkurjamid-rakendasid-koroonaviiruse-oma-vankri-ette and https://www.ria.ee/et/kuberturvalisus/olukord-kuberruumis.html.
More news on the same subject
11.05.2020 - The Estonian Information System Authority (RIA) has compiled a comprehensive overview of cyber security in Estonia. "Cyber Security in Estonia 2020", available at ria.ee, explains the landscape and the responsibilities and activities of the different public sector organizations in Estonia that all contribute to keeping Estonians safe online. From setting up a cyber security standard to combating cyber crime to training military cyber defence operators, every agency has a vital role to play.
This week, the Information System Authority (RIA) launched a new cybersecurity campaign, ‘Be especially IT-conscious during the emergency situation’, which warns people about cyber threats related to teleworking. All tips for safe distance learning and working at a home office are gathered on the website www.itvaatlik.ee.