The fallout of the Covid-19 pandemic has forced businesses globally either to shut down or to direct employees and executives to work remotely from their homes. Hence, most large corporations, and small and medium enterprises (SMEs), now carry out their work electronically from home, using laptop computers, tablets or smartphones to receive and send corporate correspondence, hold virtual meetings and access corporate information. Working from home is flexible and helps sustain continuous customer service and satisfaction; however, it carries a risk exposure that many companies in Nigeria, especially SMEs, have either failed to turn their minds to or consider too costly to mitigate.
It was recently reported that since employees started working from home earlier in 2020, there has been a spike in cyber-attacks aimed at exploiting remote workers and internet users. Security researcher Maher Yamout of Kaspersky, a multinational cybersecurity company, reported that "according to 2020 Network statistics, over the past two months we have never seen the numbers going above 45,000 attacks a day, while last week (referring to the third week of March 2020) saw this number reaching over 300,000." It is therefore clear that cybercriminals have intensified efforts to break into the systems of organisations through employees working from home, either to gain control of those systems or to get access to sensitive information.
As a company in Nigeria, you may be thinking these staggering statistics do not affect you, when in fact you should be more concerned: chances are that you have already been compromised, or are extremely vulnerable to a cyber-attack. How is this possible? Most businesses in Nigeria, as a matter of convenience, flexibility and cost savings, and without a "bring your own device" (BYOD) policy, allow employees to use personal laptop computers, smartphones and/or tablets ("Dual Use Devices") for work-related purposes, e.g., to send and receive emails or other corporate correspondence and information, and to connect to the company's virtual private network (VPN).
Through this practice, company trade secrets and confidential information also end up stored on these devices. Companies are therefore operating a BYOD programme by conduct, without an underlying policy that clarifies the scope of the programme, the security measures and structures required, the distribution of responsibilities and liabilities, consents, privacy and confidential-information issues, and the reporting procedure in case of loss or exposure.
For instance, it is well established that a device can be attacked through, among other routes, a Bluetooth pairing, a mobile hotspot, a USB cable, a Wi-Fi connection to a public or another private network, or charging through a compromised public USB charging port (so-called "juice jacking"; note that a plain mains power socket carries no data, so the risk lies in USB charging points that can also exchange data). This is in addition to phishing and disguised links delivered through several applications widely used for remote working, e.g., video conferencing applications ("Apps") such as Zoom and free conferencing Apps. It was reported at the time that the Zoom App for Windows was vulnerable to a classic "UNC path injection": the client turned Windows network paths of the form \\host\share pasted into its chat into clickable links, so that an attacker could post such a link pointing at a server they control; when a victim clicked it, Windows attempted an SMB connection to that server and sent the victim's Windows username and NTLM password hash, which could be cracked offline, and the same mechanism could be used to launch an executable hosted on the attacker's server. Zoom's CEO, Eric Yuan, acknowledged the company's security and privacy shortcomings and tendered a public apology on 3 April 2020. Where does this leave your company?
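To make the UNC path injection concrete, the following is an added example (not code from the original article, from Zoom, or from any vendor) that models a chat renderer in Python. The vulnerable renderer turns both http(s) URLs and UNC paths into clickable links, which is the behaviour described above; the hardened renderer links only http(s) URLs and leaves UNC paths as inert text. It also includes a small detection pass a security team could run over exported chat logs to flag UNC paths pointing at hosts outside the company. The sample messages, the host allow-list suffix `.corp.example` and the documentation-range address `203.0.113.5` are constructed for illustration.

```python
import re
from html import escape

# Constructed sample chat messages; not real captured traffic.
SAMPLE_MESSAGES = [
    "Notes are at https://intranet.example/notes/today",
    r"Please review \\files.corp.example\shared\policy.docx",
    r"Urgent: open \\203.0.113.5\share\invoice.txt now",
    "No links in this one.",
]

# An http(s) URL running up to the next whitespace, quote or angle bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# A UNC path: two backslashes, a host name (captured), a backslash, then the rest.
UNC_RE = re.compile(r"\\\\([^\s\\]+)\\[^\s]*")
# Splits a message into plain text and link-candidate tokens (URLs or UNC paths).
TOKEN_RE = re.compile(r"(https?://\S+|\\\\[^\s\\]+\\\S*)")


def find_unc_paths(message):
    """Return (path, host) for every UNC path found in a chat message."""
    return [(m.group(0), m.group(1)) for m in UNC_RE.finditer(message)]


def is_trusted_host(host, trusted_suffixes=(".corp.example",)):
    """A host is trusted only if it ends with an allow-listed internal suffix.

    Bare IP addresses and unknown domains are untrusted: an SMB connection to
    them would carry the user's Windows username and NTLM hash off-network.
    The suffix list is an assumption for this example.
    """
    lowered = host.lower()
    return any(lowered.endswith(suffix) for suffix in trusted_suffixes)


def _render(message, link_unc):
    """Render a chat message as HTML. Every fragment is HTML-escaped; only the
    link-candidate tokens are wrapped in anchors, UNC ones only if link_unc."""
    parts = []
    for token in TOKEN_RE.split(message):
        safe = escape(token)
        if URL_RE.fullmatch(token):
            parts.append(f'<a href="{safe}">{safe}</a>')
        elif link_unc and UNC_RE.fullmatch(token):
            # Clicking this anchor makes Windows open the path over SMB.
            parts.append(f'<a href="{safe}">{safe}</a>')
        else:
            parts.append(safe)
    return "".join(parts)


def linkify_vulnerable(message):
    """Vulnerable behaviour: UNC paths become clickable, just like URLs."""
    return _render(message, link_unc=True)


def linkify_hardened(message):
    """Hardened behaviour: only http(s) URLs become links; UNC paths stay inert."""
    return _render(message, link_unc=False)


def untrusted_unc_references(messages):
    """Detection pass: (message index, host, path) for each UNC path whose host
    is not on the allow-list. Suitable for running over an exported chat log."""
    hits = []
    for index, message in enumerate(messages):
        for path, host in find_unc_paths(message):
            if not is_trusted_host(host):
                hits.append((index, host, path))
    return hits


if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print("vulnerable:", linkify_vulnerable(message))
        print("hardened:  ", linkify_hardened(message))
    print("untrusted UNC references:", untrusted_unc_references(SAMPLE_MESSAGES))
```

The hardened renderer is the application-side fix; on the endpoint side the same attack class is blunted by blocking outbound SMB (TCP 445) at the perimeter and by the Windows policy that restricts outgoing NTLM traffic to remote servers, which is the kind of control a BYOD policy should require on any Dual Use Device that reaches corporate systems.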
The starting point is to determine what control your company has over these devices and the extent of access it can have to them, especially with respect to Dual Use Devices. The use of these devices, and of the information received on them, is technically within the control of the device owner. Some companies erroneously assume that because a Dual Use Device is used for work purposes, the employee's activities on the device can be monitored and, where necessary, the device confiscated or all information on it remotely wiped. Technically you can, but your company may well be liable to prosecution, with a possible regulatory fine of N10,000,000 (ten million Naira), in addition to a possible award of monetary damages to the device owner. Is that really what you want?
It is imperative that your company reviews its remote working arrangement during this lockdown/shutdown and going forward. You should also consider engaging an expert to appraise your company's particular circumstances with respect to its unplanned BYOD practice, advise on the options available to you and draw up a robust BYOD policy for your company. A breach of your corporate confidential information would not only result in monetary fines, but may also injure customer trust once the breach is disclosed, and ultimately affect the bottom line and business continuity of your company.
Stay home. Work safe.