Focus on IT security: the keystone of teleworking!

Thanks to new technologies, teleworking has become possible, and often necessary, frequently in a hybrid format (teleworking/on-site working), and it is especially essential for maintaining activity. However, it also creates IT security risks.


Have you adopted best practices, particularly by securing your data?

It’s never too late to increase the level of security of your IS, and the Ozitem Group can offer you some best practices.

IT security concerns every element of an information system, from computer security and disaster recovery to user training. Organising and implementing teleworking urgently and on a massive scale, without all the relevant skills, can create risks for a company’s activity.

Make your passwords more secure

Use sufficiently long, complex and unique passwords for all equipment and services you access, whether personal or professional. The majority of attacks are due to passwords that are too simple or have been reused. If in doubt, or just as a preventive measure, change them and set up two-factor authentication where possible.

Phishing

Phishing is a form of data theft carried out through spam (unsolicited messages): a message is sent to a web user in order to steal their personal information (login details, passwords, bank card number, etc.). Most often, users receive an email impersonating a trusted third party, such as an energy supplier, a bank, or even a public body. By clicking on the link, they find themselves on a duplicate site, where they are asked to enter their confidential information so that it can be harvested.

Phishing, which has grown rapidly in tandem with teleworking, can have different objectives: accessing your work email, entering your company’s information system, making a fraudulent bank transfer, or installing software.

For example, many Italians received an email that appeared to be from the World Health Organization (WHO), inviting them to download a document outlining the precautions to be taken to guard against “the large number of coronavirus infections in the region.” The message was actually fraudulent and the attachment was infected.

Data theft

This form of attack consists of penetrating a company’s network or its Cloud in order to steal its data, either to demand a ransom, resell information, or disclose it in a harmful manner. To achieve this, a hacker may compromise an employee’s computer – via phishing, for example – or directly hack into the company’s system in order to gain remote access to it. Sites related to Covid-19 pose a higher risk.

According to a cybersecurity expert*, in 2020 more than 4,000 coronavirus websites were created within two months. Compared to an ordinary site, they are reportedly 50% more likely to be malicious and to take advantage of fears and anxieties to deceive web users.

*Source: Update: Coronavirus-themed domains 50% more likely to be malicious than other domains – Check Point – 2020.

For companies choosing to use the cloud, it is necessary to ensure that the selected provider has ISO 27001 certification.

The Ozitem Group has been ISO 27001-certified since July 2020. This certification demonstrates that the Group has implemented an effective Information Security Management System (ISMS) based on the international reference standard, ISO 27001.

This standard sets out a methodology for identifying cyber threats, controlling risks associated with the organization’s critical information, and implementing appropriate protective measures to ensure the confidentiality, availability and integrity of information.

The objectives of the Ozitem Group’s ISMS are to:

  • Maintain the relationship of trust between clients and the Ozitem Group by preserving their information assets.
  • Formalise Ozitem’s practices in order to guarantee the homogeneity and quality of the security measures implemented.
  • Open up new markets by applying appropriate security processes and measures.

Update security and backup solutions

Since zero risk does not exist, we recommend that you strengthen your data backup policy, especially in times of crisis. In addition to being performed regularly, backups must be tested to ensure that they are working correctly. They must also be disconnected from the company network and stored, for example, on an external hard drive, to prevent them from being hit by an attack such as ransomware.

Your cloud solutions can also present a risk. You must therefore ensure that your provider (email, data hosting, etc.) guarantees a sufficient level of protection and performs regular and protected backups.

Today, there are weaknesses in certain parts of so-called legacy infrastructures, such as Microsoft’s Active Directory (AD). As a result, third-party solutions, such as Tenable.AD, have emerged to contain cyberattacks orchestrated by hackers.

Mobilise your resources

Remote working has become the norm for a lot of companies nowadays, whether it is offered on a full-time or ad hoc basis.

The slightest security flaw can represent a risk for the company. As such, it is important to mobilise all your resources – both human and organisational – around compliance with security rules.

  • Remote workers: the first line of defence against cyberattacks. We advise that you set up one or more training and awareness sessions to tell your team about what they can do to protect your company. We will show you some examples later in this article.
  • Managers: you as an employer, as well as other managers, have the opportunity to share the right information and good security practices with your employees.
  • The company: internal processes must also be put in place so that you can react quickly in the event of an attack. Such processes may include performing a risk assessment, creating a business continuity plan (BCP) that takes the threat of a cyberattack into account and defining procedures to be implemented in the event of an attack (access blocking, assistance from a third party, etc.).

Find out more and discover more IT security tips in our free e-book!
