The Information Systems Audit and Control Association (ISACA) has warned the public to protect their systems from potential cyber attacks, saying there could be higher chances of threats with the Remote Work Model (RWM).
Mr Ime Udoko, Director, Research and Marketing of ISACA, Abuja Chapter, gave the warning on Wednesday in an interview with newsmen.
According to Udoko, the COVID-19 pandemic has encouraged the RWM, or Work From Home syndrome, among businesses and institutions, and if precautionary measures are not taken, they can be attacked by cyber criminals.
“The RWM model mandates organisations’ personnel to connect remotely to their respective offices to do their work and access business emails and applications using home devices.
“Unfortunately, most often, home devices are not protected by the corporate firewalls and anti-phishing security controls.
“Most times, connections are made using home routers which are ungoverned; browsers on many computers provided by companies hold sensitive information like User IDs and passwords.
“Already, attackers find these as easy targets to gain remote credentials and perform malicious logins to corporate networks.
“With the low level of security awareness, phishing campaigns through email make employees at home a soft and easy target,” Udoko said.
He further said that some people believed that connections to corporate networks in the Work From Home model were done through Virtual Private Network (VPN) and could be secured.
The director discredited the belief, adding that the VPN of a system used for corporate work could easily be manipulated, thereby exposing the organisation to threats.
He recalled that prior to the COVID-19 era, there were already some disturbing statistics about the Nigerian internet space in the Threat Intelligence Reports of CheckPoints, an institution monitoring cyber threats globally.
“A typical organisation in Nigeria with internet presence is being attacked 1,292 times per week in the last six months compared to 411 attacks per organisation globally.
“88 per cent of the malicious files targeting institutions in Nigeria were delivered through emails, compared to 66 per cent of malicious files globally.
“The most common vulnerability exploit type in Nigeria is Remote Code Execution (RCE) which is impacting 70 per cent of organisations in the country,” he recalled.
Udoko said that COVID-19 had changed the business model, thereby creating every avenue to double the rate of attacks, which could be blamed on the low level of cyber risk awareness.
He added that the attacks stated by CheckPoints were being launched on organisations operating a 90 per cent physical model with less than 10 per cent cyber dependence.
He advised that government and private institutions should consider setting up a Cyber Risk Management team to evaluate all possible risk scenarios and ensure adequate IT resources to support staff.
“Companies should invest more in creating awareness on the do’s and don’ts while working from home, ensure employees’ devices comply with organisations’ internal policy, have up-to-date security software and security patch levels.
“Ensure all the corporate business applications are accessible only via encrypted communication channels, ensure Data at Rest (DAR) on employee laptops is encrypted to protect against unauthorised disclosure in the case of theft or device loss.
“Where possible, get full protection from credential theft through phishing or social engineering as well as malware, exploits, ransomware, and other email-delivered threats, by investing in relevant services.
“Safeguard access to application portals through the use of multi-factor authentication mechanisms, vet Bring-your-own-device (BYOD) such as personal laptops or mobile devices from the security standpoint,” Udoko said.
He also advised institutions to ensure policies for responding to security incidents and personal data breaches were in place, as well as to keep the staff informed.
According to him, the processing of personal data by the employer in the context of remote working should be in compliance with the local legal framework on data protection such as Nigeria Data Protection Regulations (NDPR).
Udoko said that employees should be discouraged from sharing the virtual meeting URLs on social media or other public channels, adding that unauthorised third parties could access private meetings and breach business confidentiality.
He warned that citizens should be careful with any emails referencing COVID-19, as they may be phishing attempts or scams.
ISACA is an international professional association focused on Information Technology governance.