Enhancing Cybersecurity For Remote Employees In Your Organisation - Victor Onyenagubom

yeah so my name is Victor and I'm a Lector in cyber security at cide University the campus in we have a campus in mboro also have a campus in London so I'm in London I came from London so really nice to meet you guys so today I'll be talking about a topic called um digital NAD real risk the cyber security challenges of working remotely and how organizations can help their employees to actually overcome these challenges um I'm guessing that some of us work many of us here would be working in Tech and a couple of years here we working remotely you know and um there are many benefits of working remotely you know especially when for instance

you're a parents it gives you more time for child care you know gives you that flexibility you don't commute time is less and stuff like that so but um what could actually go wrong um so we looking at some things that could actually go wrong on the technical aspect and of course around social engineering and we also be looking at um if you are a manager of an employee who works remotely what are your obligations to that employee and we'll be looking at how um cyber attacks against remote employees are going to like evolve in the coming years um so basically there've been an increase in the rise of remote work in fact HSBC announced last year that they moving out

of their you know the office in can and they're moving to like an office that is a bit smaller because of mostly to like hybrid working you know most companies today the organizations work remotely there's increased flexibility you can work anywhere for some companies there staffs are working from some of them in Ireland some of them in America Canada so there's that flexibility and there's that work life balance you know you you you do what you want to do you're more you're more organized you can go to the gym when you want do things when you want you just finish your tax basically and of course the Advent of remote work gives organization that's access to a

global talent pool right if I'm in Brazil and I have a job and I have a job that somebody in um the UK can do for me with with remote work they can actually help me achieve that right so with um remote work you have a whole lot of um a whole lot of talent to pick out to pick from you know people from anybody from any part of the world can help you achieve something provided it can be done on with with their system okay then there's also the issue of cost saving you know like I said about cost commute um the cost of commuting you know time to you save time you don't have to move

you don't have to wake up like very early you don't you don't have to wake up very early to go out for work you know you don't have to like deal with the traffic if you live in a very busy City like like bam or London or Newcastle sometime you don't have to deal with all the traffic you know you at home you you have your time to yourself so you save time organizations too on that is on the employees side but for organizations on their own end they saving cost in terms of like operational cost like energy energy savings you know in terms of rent they don't have to pay for an office space they don't have to maintain an

office space you know so many things they don't have to do you know so they it's actually something that mutually beneficial to the employee and the employers but um yeah so we'll be looking at some technical attacks next around remote works so um remote work is good but with remote work the attack surface for an organization is increased with remote work you know because now um the organization you you have employees who are working for you but they are not under your fcal view you know you can't really fiscally monitor them you can rely on what you can do virtually right so the attack surface increases dramatically because the and this employees have they probably have your organizational laptop

they probably have your devices phones you've given to them and things like that and they in different locations across the world with different regulations and all that so there's an increased attack surface for employees who work remotely also um when you go to the airport you go to the train station you have fre Wi-Fi you know you go to the cafes you see people working on the laptops you know the laptop the the they tell oh we have free we have free internet here connect they'll show you the password and stuff like that people are working remotely you know so um but the challenges to this is that some of these networks you know some of them

this public network sometimes the people administer this networks do not take out enough time to actually make sure that they are properly secured and encrypted you know and what if your your employee is actually doing something sensitive for you you know working on a job that is actually sensitive for you you know what could be what could be the case what how secured would that be you know what are the effects of that you know so there is that challenge of the fact that your employee could be connecting and working for you in you know with using a network that is not secur so that's for that and also their home network to not just the cafes right because at home we

have Wi-Fi most of the time you have broadbands and stuff like that how secured is their home network too you know so that's one that's one of the ways then we also have the lack of physical security I mentioned that obviously since you have employees who are working for you you probably give them some devices that they could use you know to work for you but um physical security is something right in terms of um in your organization normally you have security guards sometimes you need to use a badge to scan you know and get into a building so what are what what are the how secure do you think the devices giving your employees are how

SEC are they how secure is their house premises the location they live in do they live in a third country you know where it's not secure do they live somewhere you know the devices you sent to them how secured are those devices you know so physical security is a big challenge too when um somebody's working remotely especially when they stay in a place where it's not safe then unpatch devices you know since your employee um do not work in the office they might not be getting that regular to like they might not get that regular they might not take patching up like taking security updates so seriously you know so they might actually be using devices

or softwar that are not packed to actually access resources on your system or on your network things like that so that leaves you vulnerable to exploits and malware so those are some the other ones but these are just some technical attacks surfaces that um remote employees could be exposed to looking at some solutions to this um technical attack before we look at the social engineering attack part of this then what could be the solutions to an increased attack surface it could be most organizations are already doing that they have a multiactor dedication most organization that use Microsoft have a Microsoft authenticator before you log into their systems there's also VPN with VPN you able to obviously

encrypt you know the end to end connection between your employee and yourself you know there's a direct Tel you know you have that kind of control a form of Access Control to understand okay how this employees actually accessing your resource if if if um whatever is going on you're able to like monitor you know with the VPN then um it's also very good practice for you to encourage your staff to update software um then in terms of um unsecure networks unsecure Network some solutions could evolve around you know using only trusted networks one of the ways would be to ensure that I know um W3 W3 protocols W3 encryption w w pa3 encryption is not really widely adopted

at the moment you know but it's something to actually consider you know it's more secured offers things around um forward secure you know the um open and enhanced where you know even if your employee can actually connect to a network without putting in the password they still that level of encryption with W wp3 you know encryption then using the usage of mobile device um mobile device um management tools you know with mobile device management tools you are able to like securely you know enroll devices that you your employees using and of course you also have that that um Power to actually that authorization to wipe devices you know that you've given your employee if there's actually a security

Bridge right you can remotely do some things with the mobile device management tools then for physical security to for physical security in terms of the solution for fysical security um an obvious an obvious way an obvious um solution would be for you to provide locks for laptops and saves for sensitive documents if your employee is using is working on sensitive documents for you on a sensitive Pro for you you know you probably want to give them locks for their laptops you also want to enforce clear deex policies you know as regards when they working for you they need to make sure that they a clear X policy so that they don't actually leave behind something you know that could actually

breach your network um with the mobile device management tools you have um the opportunity to actually um Implement remote WIP capabilities you know when somebody actually steals maybe a hard drive or maybe a phone you know maybe a laptop you know with with um with remote wipe capabilities in your system you can actually remotely you know delete stuff you know and also fcal AUD check maybe check every once in a month that your employee actually has the laptop you or you give him or her you know to ensure that they actually have all the um physical security invent all the physical devices you actually give to them then you probably want to also Implement an automated patch management

system since your employee is human there's that probability that they might actually um they might actually forget to they might actually forget to update you know forget to update a software you know so if there's an automated patch management system they can actually the the um the systems can actually be patched updated regularly and of course um you should also restrict your company's resources from unpatched devices then the most the one I think is really really important is the one around social engineering attacks which um most most um organizations are keen on providing physical SEC um technical most organizations are really committed to providing technical security they they invest a whole lot of money around

technical security billions and millions you know to for for technical security but not so many organizations are paying attention to um the issues around social engineering you know around social engineering the human part because first of all um the weakest link in cyber security are humans right you know so you might have all these technical measures in place but if the human part of your cyber security infrastructure is not actually um covered then you might still you might still be um vulnerable to attacks so some possible social engineering attack will be out which is like something really important because since your employees are actually working in different areas they actually they could actually be working anywhere

even around some employes some some of employees actually let me do some job and let me do some work you know show where your employe is working and somebody could actually pass through and see something you know um that's also a challenge because not to not not if you if you if you if you are in a train for instance you probably see some people who just be carelessly you know doing stuff on their system and you can actually see the software they on you can actually see some things you can actually see you know have an idea okay this is what they doing and Stu like that so that's that's a cost for concern

especially when your employee is working on something that is really sensitive there there's also dumbster diving in your organization how what is the um what is the disposal mechanism when you want to dispose of your devices of documents or your physical documents how safe how safe you how what's what are the secure ways you dispose it because if you do not dispose documents properly there's that tendency that a malicious actor might actually go into the be check through the be and if he see something useful and that might actually come back to haunt you so there's that challenge of dumpster diving for your employees working remotely if he or she does not it does not um proactively

dispose of sensitive documents well then there could be a challenge from that point and there's also the case of digital normally tating in his normal sense is the fact that somebody could follow you into a building you know claiming to be like maybe an employee or you know somebody that works there or somebody that schools there something like that there's that challenge but getting might have a scenario where somebody could actually join a meeting when they not supposed to be there at the moment right you know that digital tating now you have scenarios where you probably need to do a meeting quickly and there's no need for a video call let's just do it audio wise you know and

stuff like that so there's that challenge of digital getting where somebody could actually be you know in a meeting or you know join something where they not supposed to join or join a slack Channel where they not supposed to join and you probably discussing or sharing files that are sensitive so that's a challenge it's a very big challenge then there's also pretexting right there's also pretexting where you know your employees who are far away in different areas you know they might fall to where they might actually be in a whereby somebody a malicious actor could claim okay I'm from it help Tex um there's been an issue with your system you know and every all your colleagues

80% of your colleagues have already changed their password you know I've sent you a link for you to reset your password and stuff like that so that's pretexting you know where an attacker would actually claim to be somebody they are not and they would work on the psychology of your employee right they work on the psychology of employee or yourself you know to actually get information and actually get access to the system so there's that challenge of pretexting in Social Engineering attacks um so what are the what are the what are the solutions to social engineering attacks you know there other um social engineering attacks that are really because because what you need to understand about attacks is that it's

around it's more about like human psychology it's more about you know taking advantage of human emotions and all that ego kindness and things like that compliance Authority for instance I spoke about pretexting now your employees want to obey you they want to they don't want to be they don't want to be problematic to you and if your it if your it if somebody from the IT team is calling them and telling them that oh you need to do this you need to do that they would obviously want to submit to Authority and they would obviously want to do what you want them to do you know so um as humans they want to keep they

want to keep to rules and regulations and things like that so but what are the solutions what are some solutions you know that could actually help um a solution that can actually help us that would be to provide your employees or you yourself working for yourself you probably want to get privacy screens you know so that if somebody is walking past or anywhere around you they will not be able to like look at your screen wherever you are then you you want to um let you want to also avoid working in public as well as you can you know as poss as possible as you can you don't want to like um walk in public in public

places that are crowded you know places that are crowded and noisy and things like that you want to work in a quiet area where you have your space to yourself you don't want to walk where people are walking around you and stuff like that because they could see stuff they don't they not supposed to see you know so you should also conduct awareness sessions to teach your employees to be aware of the surrounding to know if somebody's actually looking over their shoulders and things like that that would actually help in a long run then there's dumpster there's in terms of dumpster diving you know and remote employees should have shredders right and when when it comes to discard

when it comes to discarding sensitive documents when it comes to discarding sensitive documents um if they really sensitive you probably want to have a designated secure location where you actually dispose of sensitive documents or sensitive devices you know you don't want to you don't want to leave disposal of some sensitive things to just um your employees say okay are you sure you actually did that you actually did it they'll say yes I actually did it you know but you're not sure you know so you have to be sure that this was actually done properly so maybe having a designated secure um location would actually help you and if you um if you want your employee to actually be the

one to dispose the physical document by a digital document properly you probably want to train them to do to do it properly you know to do it properly to delete stuff properly so that there are no Shadow files left okay that could actually cause problems for you then in terms of digital ta getting Solutions what are some solutions obviously one of the old fashioned way would be for you to manually approve people who come into a meeting for them a form of that's a form of multiactor authentication you want to actually check that okay um put them in in the lobby and check okay hello who are you and stuff like that can I can you tell me something about

this company like if you're actually going to if sensitive meting you want to actually do that to Ure that um people who are coming into your meeting are who they say they are then um for each meeting you want to use unique meeting links very important you don't want to reuse meeting links you know it can you might say oh let's just use the link I the go me link I sent you the other time just use it let's use it again and stuff like that you know you don't know who has actually had access to that link so it's actually good practice to have a unique link for each meeting you want to do especially when you're

doing stuff that are private and monitoring of access logs for your online collaboration platforms like slack you know your Microsoft teams and the like you want to actually monitor logs Orit your logs regularly to see who who has actually had access to this in this month you know that actually helps you to see okay if someone has been there who is not supposed to be there that actually helps you in terms of your access controls and things like that then um pretexting right so how can we s pretexting so with pretexting some of the solutions would be for you to actually Implement strict verification procedures for any request for sensive information so if there is um if

somebody were to come meet your employees forance for for confidential information you probably want to have a guideline you know of question they need to ask that person so that the person probably identify themselves so they be actually that okay this is who this person is who they say they are you know and um yes a clear internal communication protocol helps you know your employees should know how in what Manner the manner of salutation you know that you know the IT team is going to like contact them with things like that it should be clear communication it should be a clear Communication channel you know so it's more like a soft skill thing you know not an entirely technical

thing you know yeah so that's for that then um how would um cyber attacks against remote employees how would evolve you know the future how would evolve in the future I just uh because because of time you I have just 30 minutes for this talk so I just I just listed out three you know today we have a I you know AI is both a blessing and it can be a problem too there's a lot of problems with AI today and um we are only seeing like a surface of the potential that AI actually has right and in the next the near future we'll be seeing more and more cyber security effect you know some

of the effect AI could have on our cyber on the cyber security posture of organizations um so we would be seeing one of the things we be seeing would be sophisticated fishing attacks remember that one of the ways to identify fish attacks today would be that there will be grammatical errors you know there will be um maybe um gr errors there will be dis salutation should be disjointed just like my bank would Al always tell me that um when you have to be take note of first whenever I want to contact you this is how we are going to address you and things like that my bank will always tell me that that this is how we going

to address you we will never do this we will never do this you understand so but with the Advent of AI attackers could in the future can actually use AI to craft a highly personalized and convincing fishing email you know I believe that most of us like cyber security aware and stuff like that so it be difficult for us to actually fall to that but what of the average lay man on the streets you know how would they actually tell you know if some if if an attack actually craft a very good meal that looks something that looks similar to what that looks similar to what their bank or somebody or a service provider send to

or water water company send to them if an does that how would the average pensioner know you know that okay this is actually a scam you know so it's going to be a big problem with the Advent of AI and stuff like that then there's going to be an increase use of romare as a service you know with ransomware as a service you don't need to with the ransom as the service um ransomware attackers now do not necessarily need to be technical to actually conduct a ransomware attack right all they need to do is to get access to the um the software and they can actually conduct an attack you know so we transform as a service is anybody

can actually access um softwares and conduct attacks from anywhere and demand for money you know because they have access to your sensitive information and that can actually have effects on you legal legal effects sue you and things like that then deep fake and voice poofing attacks so this one is actually a very serious issue with the Advent of deep fakes now you know somebody could actually design with AI they can actually design somebody that looks like you and stay in a virtual meeting and be with with voice poofing with voice poofing attack they can actually be talking like you doing things like you in a virtual meeting so how would you now found how would you know that this

person is actually like this person is not who they say they because they've done obviously before they've done a deep deep fake of voice poofing they've done their information gathering to know do do a back story get to know about do their reconnaissance and know that you know this is you you know this is what you do and stuff like that so they can actually use that so deep fakes are going to be like a very big issue because lot of the things you are doing as a remote staff you work virtually a whole lot right so deep f are going to be a big deal and um yeah so what are your obligations as a

manager to remote worker what are some obligations you have I just listed some here what are your obligations um of course you you should establish clear security policies very important to have clear policies around how you communicate with your staff around access controls around how um um um um devices should be disposed you know you should have clear clear Communications with your staffs you know you know you should have very clear Communications with them you should have clear policies on how things should be done and how things should not be done then regular training regular security training very very important very important for your staffs to have regular training especially around um social engineering attack around cyber security awareness

it's very important for you for you to have um um Regular trainings for them because most of your employees actually they technical already they know what to do technically but in terms of social engineering attacks and how it's evolving and how complex is becoming it's also very it's also important for you to actually close that link and make sure that your your you don't just have firewalls technical firewalls that your employees are also human firewalls for your organization all right then access controls very important to have access controls in place all principle of Leist privilege access should always apply you know people should also have should only have access to resources on a need to

basis you know need to Bas and that should be regularly um reviewed to ensure that okay if this person should not be having access to this then it should be restricted and things like that then technical support there should be technical support for your staff's regular technical support and if they have any security challenges yeah then um if if by mistake you fall to a cyber Bridge yeah have 3 minutes right if by mistake you fall to a if by mistake you fall your employees fall to a cyber bridge and stuff like that you probably want to have a rapid Communication channel that your staffs would be able to like communicate with you with you know so that they they

should your staff should know that they can always reach out to you on time quickly you know and they would also they will all also get a rapid response from you and most of us here in the organization we work with we already have endpoint um detection like crowd strike Falcon you know Sentinel and things like that you know that actually help you cloudbased most of them use AI detection use AI detection to to do threat hunting and stuff like that that actually helps you you know for response for incident response then you probably want to also do a post incident forensics you know to know actually what actually happened and how you can actually and how what you can learn from

it you know so that you don't fall to the same attack again so for this there are soft like that ftk oopsy you know that you can actually use to um strengthen your defenses so um thank you for listening this was this is um just a very short talk and um thank you for listening and um yeah I hope you enjoy the rest of