For organizations that aren’t experienced with supporting large numbers of remote workers, the COVID-19 pandemic has presented significant new cybersecurity challenges. With many experts predicting that large work-at-home populations will be with us for the foreseeable future, there are some basic steps every organization needs to take to cope with this disruption. Here’s what you need to know.
Update Asset Inventory
Even organizations that do a good job of accounting for equipment they provide employees may not be prepared to handle a sudden influx of unknown home computers, tablets and connected phones. Employees who have employer-provided computers should only use those devices to access approved applications. Where that isn’t possible, IT should collect information about the devices people are using, as well as identifying information such as IP and MAC addresses. These actions will cut down on false alarms when unknown devices connect to the network.
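One way to put that inventory to work is to reconcile connection records against it so that only genuinely unknown devices raise an alert. The following is an added example, not code from the article or from Iron Mountain; the inventory, the log format (`user=… ip=… mac=…`) and the log lines are all constructed for illustration.

```python
import re

# Constructed inventory collected by IT: MAC address -> (assigned user, device class).
# Keys are normalised to lower-case, colon-separated form.
INVENTORY = {
    "aa:bb:cc:dd:ee:01": ("alice", "corporate-laptop"),
    "aa:bb:cc:dd:ee:02": ("bob", "personal-tablet"),
}

# Assumed log format for remote-access connections (constructed for this example).
LOG_RE = re.compile(r"user=(?P<user>\S+)\s+ip=(?P<ip>\S+)\s+mac=(?P<mac>[0-9A-Fa-f:.\-]+)")


def normalize_mac(raw):
    """Accept aa-bb-cc-dd-ee-01, AABB.CCDD.EE01 or aa:bb:... and return aa:bb:cc:dd:ee:01."""
    hexdigits = re.sub(r"[^0-9a-f]", "", raw.lower())
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def review_connections(lines, inventory=INVENTORY):
    """Return (reason, user, mac, ip) tuples for connections that need a look.

    A device that is in the inventory and used by its assigned owner is silent;
    only unknown hardware or a known device used by someone else is reported.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection record
        mac = normalize_mac(m["mac"])
        entry = inventory.get(mac)
        if entry is None:
            alerts.append(("unknown-device", m["user"], mac, m["ip"]))
        elif entry[0] != m["user"]:
            alerts.append(("owner-mismatch", m["user"], mac, m["ip"]))
    return alerts


# Constructed sample log lines.
SAMPLE_LOG = [
    "2020-04-01T09:12:03Z vpn-gw connect user=alice ip=10.8.0.14 mac=AA-BB-CC-DD-EE-01",
    "2020-04-01T09:13:40Z vpn-gw connect user=bob ip=10.8.0.15 mac=aa:bb:cc:dd:ee:02",
    "2020-04-01T09:15:22Z vpn-gw connect user=carol ip=10.8.0.16 mac=00:11:22:33:44:55",
    "2020-04-01T09:17:09Z vpn-gw connect user=mallory ip=10.8.0.17 mac=aabb.ccdd.ee01",
]
```

Running `review_connections(SAMPLE_LOG)` reports carol's unlisted device and the reuse of alice's MAC by another account, while the two inventoried connections stay quiet.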
Patch and Protect
Typically, only work-issued laptops and mobile devices are authorized to access an organization’s network unless the user has an approved security exception. These devices are patched and monitored by the organization’s IT group to ensure they are up to date on required patches.
For personal-use computers or other devices, ensure they are equipped with the latest patches and protections, including at least one layer of antivirus software and a firewall. If your organization hasn’t provided antivirus software or a firewall for your personal device, “most internet service providers offer free or low-cost security software,” says Larry Jarvis, Chief Information Security Officer at Iron Mountain. If yours doesn’t, Gizmo’s Freeware maintains an excellent library of free software curated by its community.
Implement Multi-factor Authentication (MFA)
Most of us encounter a two-stage process of logging onto a website. After entering our username and password, the site sends a text message to a mobile phone or requires the use of a third-party authenticator app. Businesses are now rapidly ramping up their adoption of MFA. LastPass’s 2019 Global Password Security Report found that 57% now use it, up from 45% just a year ago.
If your company doesn’t use MFA to protect its network, there’s never been a better time to start. Cybercriminals are taking advantage of pandemic-related confusion to step up their attacks and password-guessing software is constantly improving. What’s more, many people still use easily guessed passwords like birthdates and the names of family members. MFA is not only more effective but often more convenient than asking people to remember long strings of random characters.
Update Acceptable Use Policies (AUPs)
These are written policies that define what people should and shouldn’t do with the devices they use for work. Policies typically cover such topics as acceptable makes and models of equipment, authorized software and services, best security practices and standards for online behavior.
AUPs are especially important now because inexperienced work-at-home employees may adopt cloud services that aren’t supported by the IT organization for such purposes as document storage, videoconferencing and messaging. An AUP guides them toward secure and supported services as well as offers advice on how to ensure that sensitive information isn’t inadvertently disclosed. Jarvis’s advice: “Only use services that are allowed under AUPs.”
Double Down on User Training
Schedule half-hour video training sessions or record an instructional video that covers best practices for keeping employees safe from malicious messages.
A global pandemic is a gold mine for purveyors of phishing attacks, which are deceptive email messages that contain malicious links or attachments. Phishing is the cause of nearly half of all breaches and more than 90% of ransomware infections, and recipients anxious for financial and healthcare advice are considered prime targets.
“Law enforcement and companies are reporting a notable uptick related to the government bailout plan with phishing emails, text messages and phone calls from people claiming to be part of the aid delivery package and asking for information to supposedly be used to make payments,” Jarvis says.
The best defense against phishing attacks is skepticism; remind people never to click on links or download attachments unless they’re certain of their validity. Never trust alias names in “from:” fields, which can easily be spoofed. Your IT organization might want to set up an email account where users can send suspicious emails for verification.
Users should also be wary of emails that request personal information like passwords, credit card or bank account numbers, or that prompt them to log in to their account on a website. Legitimate organizations should never request such details by email. Attackers sometimes set up fake webpages that look like the real thing but are intended to fool people into entering login credentials. Best advice: Check the website URL before proceeding.
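The two checks recommended above, distrusting the display name in the “from:” field and comparing a link’s visible text with where it actually points, can be automated for a suspicious-email mailbox of the kind the article suggests. This is an added example, not code from the article or from Iron Mountain; the trusted domain and the sample headers and HTML are constructed.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: domains the organization treats as legitimate senders.
TRUSTED_DOMAINS = {"example-bank.com"}

# Matches <a href="...">text</a>; good enough for a triage script, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _letters(s):
    """Lower-case alphanumerics only, so 'Example Bank' and 'example-bank' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def check_from(from_header, trusted=TRUSTED_DOMAINS):
    """Flag a display name that borrows a trusted brand while the real address is elsewhere."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if domain and domain not in trusted:
        for t in trusted:
            brand = _letters(t.split(".")[0])
            if brand and brand in _letters(name):
                findings.append(f"display name {name!r} suggests {t} but sender domain is {domain}")
    return findings


def check_links(html):
    """Flag anchors whose visible text names one host while the href goes to another."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = (urlparse(shown if "://" in shown else "https://" + shown).hostname or "").lower()
        if "." in shown_host and shown_host != href_host:
            findings.append(f"link text shows {shown_host} but points to {href_host}")
    return findings


# Constructed sample message parts.
SAMPLE_FROM = "Example Bank Support <alerts@example-bank.co>"
SAMPLE_HTML = (
    '<p>Please verify your account: '
    '<a href="https://login.example-bank.co/verify">https://example-bank.com/login</a></p>'
    '<p>Need help? <a href="https://example-bank.com/help">Help</a></p>'
)
```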
Limit VPN use
A virtual private network is a secure, encrypted “tunnel” between remote devices and the corporate network, but it can be a security threat when an endpoint is compromised. If a user connected to a VPN inadvertently clicks on a malicious link it can unleash malware that rides on top of the VPN to invade the corporate network. Best advice: Log off the VPN when you don’t absolutely need it.
“Most employees don’t need the VPN if they’re just using G Suite services like email and meeting videos,” Jarvis said. “They should only need it to log into VPN for certain applications that are hosted inside of Iron Mountain.”
Beware Rogue Wi-Fi Hotspots
Although few people are going to coffee shops and libraries these days, they still may have reason to seek Wi-Fi hotspots. Perhaps it’s to save usage fees on mobile phones or to hop on a neighbor’s speedier network. That can be a problem, Jarvis says. “Threat actors know people are at home in some concentrated urban areas and will try to lure them to Wi-Fi access points with seemingly legitimate names,” he says. The owner of an access point can name it whatever he or she wants, so the fact that the ID is “Marriott” doesn’t mean it has anything to do with a hotel.
Attackers may try to lure people into a false sense of security by pretending to require a password when none is needed.
These security tips don’t apply just to pandemic-related lockdowns. They’ll also serve your people – and your security administrators – well when things return to normal.