By Brett Creasy, CCE, CISSP
The coronavirus pandemic (Covid-19) has changed the lives of everyone worldwide, including the way many now conduct their day-to-day work. Businesses, educational institutions and governments have quickly adopted remote work policies to adhere to social distancing and slow the spread of Covid-19, but in doing so may have opened the door to another type of virus: the computer virus, along with other security threats. This post shares the key best practices for businesses and individuals who find themselves suddenly working remotely from home without the traditional controls and access afforded by their normal place of work.
The quick and dramatic shift to remote work affects organizations differently depending on whether they have experience with remote staff. Businesses with some remote staff experience may have difficulties in scaling current policies or implementing and expanding technical solutions. Companies that have never had remote workers, however, may not even know where to start. Whether you are a seasoned road warrior at a large business or a first-time work-at-home member of a small organization, we recommend considering and implementing the safeguards addressed below.
The #1 Threat
While some cyber-criminals may have committed to refrain from attacking hospitals and other health care providers during the COVID-19 crisis, no such cease-fire exists for individuals, businesses, and governments. Phishing emails, text messages and robocalls by scammers that are tied to Covid-19 news, government assistance programs, tax filing changes and anything remotely related are increasing dramatically and are designed to prey upon the uncertainty and fear felt by many. IBM recently reported a clever attack using an email purportedly from the U.S. Small Business Administration (SBA), which appears to the untrained user to be a legitimate SBA notice regarding the SBA’s loan program, while in fact the email contains malware capable of stealing credit card information and login credentials. Triple to quadruple increases in volume of these sorts of attacks are being reported and add to the huge financial impact that Covid-19 is having on the world. So, what are some top concerns that we can focus on to help protect our businesses and ourselves?
Education and Training
It is nearly impossible to ask employers and individuals to protect sensitive company and personal information without a basic understanding of the most common threats to that information. That is especially true in the unfamiliar environment so many face today in working remotely. Our first recommendation is therefore education and, if at all possible, guided training to reinforce it. The earlier “SBA” phishing email is a perfect example; a trained eye may realize that the SBA probably would not use the word “centres” in place of the word “centers.” Even if that somewhat obvious flaw didn’t exist in the body of the message, what other steps can a user take to spot some of these scams? The most basic step is simply asking yourself, “Am I expecting this communication?” Many scams rely on our instinct to quickly respond to direction; slowing down that response with some healthy skepticism is a key defensive measure. More detailed approaches for dealing with COVID-19 and similar scams can be found from resources such as the U.S. FTC or businesses that focus on security education and training such as Proofpoint and Cofense. (If you find a training program may be beneficial for your business, bit-x-bit can help you get started and even address the ongoing management of the program.)
The use of a strong password and secure authentication mechanisms is critically important in securing access to sensitive information. In a remote work environment, this could come in the form of a virtual private network (VPN) connection which, at its most basic level, creates a secure tunnel between the home computer and the company resources through which all data travels. A VPN is best practice from a security perspective but may not be necessary depending on the work that needs to be accomplished. Today, many applications are accessible through a secure website, such as company email hosted in Microsoft Office 365 or customer relationship managers such as Salesforce. In the instances where sensitive company information is stored outside of the “four walls” of the company in the cloud, the most common method of accessing that information is by supplying a username and password. Most often, however, the username is simply the employee’s company email address, e.g. firstname.lastname@example.org, which means all a would-be bad actor then needs is the password. As a user, one way you can ensure your password is sufficiently strong and easy to use is to use a password manager. Many password managers are free to use for individuals (with perhaps a limit on the number of passwords) and can seamlessly integrate across mobile phones and traditional laptop and desktop computers. If a password manager feels like too much of an initial step for the novice computer user, a quick password generator may be a good first step.
A highly recommended addition to a strong password is the use of two-factor (“2FA”) or multi-factor (“MFA”) solutions, which provide an additional layer of authentication to the login process. Most commonly that means a text message is sent to your mobile phone, but slightly more secure ones may involve an application on your mobile phone or a physical security fob. It is also possible to use 2FA/MFA solutions on personal accounts such as bank logins, Google or Apple accounts and many more. We can’t recommend their use enough. The majority of business email security incidents that bit-x-bit responds to could have been avoided or thwarted if MFA had been in use, which is one of the reasons we always place it at the top of our list for the proactive security help we provide.
Another basic area to help protect your computers and devices, and the important data on them, is to ensure they are up to date with any operating system fixes and especially security patches. This starts at the operating system: Microsoft Windows or Apple OS X are the most common for your laptop, and Apple iOS or Google Android for your mobile phone. The next layer comes in the form of the various applications that you use. The most common web browsers are Chrome, Safari, Edge, and Firefox. Online attacks frequently look for weaknesses in the web browser or its add-ons (such as Adobe Flash, etc.) as a way to breach the underlying computer or device. This means keeping your web browser up to date and its add-ons limited or secure is extremely important. Rounding out the topic are the security products themselves: antivirus tools ranging from those built into the operating system, such as Windows Defender, to third-party solutions such as Trend Micro and Norton.
Where to Find Help
Because significant planning and technical changes are required for a business to operate remotely successfully, attackers are aware of the deficiencies that many remote staff face and are exploiting these opportunities. That is why having a roadmap to first identify and then secure your information is critical to stopping attackers and strengthening your ability to continue a smooth transition to the remote work environment. To learn more about many of the best practices mentioned above and putting together that roadmap, you can put bit-x-bit on your short list. We are a member of the Center for Internet Security and help guide our clients through the process of securing their environment by using the highly recommended CIS 20 controls.
Last, ensuring each employee knows who to contact for help is an important step in keeping things running smoothly for remote staff. Depending on the size and complexity of the business, it may make sense to separate purely technical and security issues from business operational questions. Finding help because the VPN won’t connect versus obtaining assistance with how to submit a form that was previously done on paper may involve two very different resources. The creation of a clear “here is who to contact for help” guide for your employees may go a long way in delivering a smooth transition to the remote work environment.