To protect the health of their employees and customers, and to comply with government stay-at-home orders during the COVID-19 crisis, businesses are sending employees to work from home in record numbers.
Fortunately, today’s technologies will allow many of us to continue our work without major disruption. And while working remotely will maintain our productivity, it also comes with new risks to your data security. Thoughtful planning, coupled with security tools and procedures, will greatly reduce your chances of falling victim to cybercrime.
Require remote workers to access your network through a secure channel
Use a VPN (Virtual Private Network) to ensure the flow of information traveling between your employees’ devices and your network is secure. Using a secure VPN connection guards against “man in the middle” attacks that could seriously compromise your data. If using a VPN, employees’ home routers and other devices should be updated to the most current software and security patches.
Alternatively, you can use a Remote Desktop Gateway (RDG). An RDG uses less bandwidth than a VPN and requires a Microsoft Server and either a virtual machine or a physical computer workstation at your office to log into. The set-up for an RDG is more complex than for a VPN, but it may be a superior long-term solution for your remote workforce.
Limit devices and access
Remote workers should only use company-approved devices and applications. Access to devices used for work purposes should be limited to just the employee and should include automatic log-out after non-use for a set period of time.
Allow access to your critical company data on a “need-to-use” basis. Consider which employees need network or application access to complete their tasks and which employees only need access to email or cloud services to work from home. This will further limit your data exposure. Additionally, consider limiting the ability for remote workers to store, download or copy data onto their personal devices.
Use up-to-date software
With the unprecedented number of workers rapidly entering remote work situations, hackers are eager to exploit known security vulnerabilities. Make sure all devices are running the most current versions of software and that new updates are regularly installed. Updates include important changes that improve security and performance of your systems. Devices still using Windows 7 should be updated to Windows 10 to avoid remote code execution vulnerabilities.
Use strong passwords and multi-factor authentication
Passwords remain a frontline defense against unauthorized access to critical data and applications. Require employees to use complex and unique passwords that are changed frequently on all devices (whether company issued or employee’s own) and applications.
If you do not already use multi-factor authentication (MFA), implement it now. MFA requires the user to use something they know (their password) with something they have (such as a secure app on their cellphone) to access the system or device. Text messages may be used as a second factor but are sent in clear text and are not as secure as an app configured for MFA.
Be hyper-alert to phishing schemes
We’ve never seen so many workers suddenly thrust into work-from-home situations as we do at this moment. Employees may be managing children home from school or working in a packed or noisy home environment with lots of interruptions. Add to that financial or health stress, social isolation, fear of the unknown and the challenges of daily living, and you have a lot of understandably distracted employees. Additionally, businesses are using remote tools and applications that newly remote users may not be familiar with. All these factors have created a perfect storm of vulnerability for cybercriminals to exploit.
Remind employees to be hyper-vigilant to phishing schemes now. They should closely examine any unexpected emails with links or attachments and confirm the validity of the email before clicking on anything.
There has already been a feeding frenzy of phishing schemes circulating. Some examples we’ve seen are:
• Spoofs from the CDC, WHO or other governmental agencies claiming to have information about the COVID-19 crisis.
• Phony emails from company leaders or HR departments.
• Emails with phishing links to remote meetings, “secure” documents, Microsoft, or phony voice mail.
• Fake IT requests to reset passwords, set-up remote connections or urgent access issues.
• Bogus emails from company executives with urgent demands for funds transfers or downloads of sensitive data. To combat this, always require employees to obtain in-person confirmation for such requests. In-person may mean a video conference or direct phone call to the executive making the request.
Managing a workforce through a pandemic is something new for all of us. With a bit of thoughtful planning and communication with your employees, you can greatly reduce your risk of cybercrime during this crisis and beyond.