The risks caused by the COVID-19 outbreak are rising beyond the public health crisis, it’s causing unemployment and economic spirals. Cyberthreats, including phishing scams, are increased as hackers take advantage of the coronavirus to prey on millions of workers transitioning to work-from-home situations. Employees could either be the greatest risks to organizational security or they could be the first line of defense against cyber-attacks.
Since the coronavirus outbreak opens up a myriad of cyber-security risks, it’s important that businesses apply the top-down approach in attempting to minimize the threats. In this model, managers play a key role in establishing a framework for initiating and implementing security practices in the company. At best, managers must ensure company’s work-from-home guidelines and policies regarding accepted applications and collaborative platforms are clear and easy for employees to follow, including taking preventative measures to secure their home-working environment and avoid falling for a cyber security threat.
Here are a few recommendations for managers to leverage policies and technology to protect company confidential information while empowering employees and minimizing the risk during this uncertain time.
Be Wary of COVID-19 Scams
As employees work from home to avoid the spread of coronavirus, they are facing an increased risk cybercrime. The kind that infiltrates corporations and leaves their files of sensitive data vulnerable to cyber-attacks and data loss. Especially during this time of uncertainty, hackers are seeking to exploit the thirst for news and updates to attack companies and employees. In most cyber incidents, human error accounts for over 90% in which data breaches involving phishing emails as a delivery vector.
To prevent employees from becoming victims, business leaders should encourage staff to use usual diligence to any electronic communication and exercise extreme caution in opening, downloading, or clicking on outbound links embedded in emails or texts. Most commonly, cyber criminals are using coronavirus-themed phishing emails, which often appear to come from trusted parties such as the World Health Organization, the Centers for Disease Control, or even from company’s own HR department, to lure employees into typing their credentials into forged sites or clicking malicious links that download malware that permits data exfiltration or network access on their device(s).
Separate Personal and Work Devices
When employees bring company-owned devices home, those devices should not be used for personal use nor shared with or used by their family or friends. This reduces the risk of unauthorized access to protect company confidential information. In addition, use of company-owned facilities for personal purposes should also be prohibited as it increases the risk of exposure to malicious malware and lets hackers gain access to company data.
In case employees use their personal devices for work, managers should consult their IT teams and make sure all employees’ personal devices meet the same level of cybersecurity protections before letting them access corporate networks. Business leaders can consider installing EMM or UEM agents onto employees’ personal devices to verify their identity when they try to access company data.
Avoid Using Unsecured Networks
Some cyber threats such as exploits and lateral spreading of attackers, eavesdropping, and malware can’t be prevented by VPNs. Thus, it’s important that managers urge employees to use secure connections to access corporate networks. Employees working from home should connect their laptop or workstation to the router with a network cable. This provides additional security while enhancing internet speed compared to using wireless.
If home WIFI networks need to be used, employees should secure their home router with a strong password, use multi-factor authentication, update latest firmware, enable strong encryption (WPA2 or WPA3), and keep all of in-house appliances that are connected to home networks such as smart thermostats, gaming consoles, TVs, speakers, etc. up to date as they present potential routes to their home internet connections.
Employees should also avoid accessing any company confidential information from a public or unsecured network as hackers may try to trick victims by mimicking the name of a secure network. If they need to connect in public, using a trusted provider or their phone hotspot plus the company VPN. Turning off the “Connect Automatically” option for WIFI is a good step to avoid hackers gaining access by setting a portal that devices automatically identify as a safe network. Beyond concerns about insecure internet connections, the temptation of using Bluetooth in a public place should also be refrained as hackers can easily access devices via Key Negotiation of Bluetooth (KNOB).
Practice Good Cyber Hygiene
Remote work presents additional complexities and potential vulnerabilities for cyber criminals to exploit, particularly if staff let cyber hygiene slip.
Some good practices employees can implement to prevent them from exposing vulnerabilities for hackers to exploit including:
Using strong passwords and multi-factor authentication wherever possible to add another layer of security to all of their accounts and in-house devices connected to their home networks.
Turning off “Remember password” functions when staff remotely log into company networks and systems from their personal devices.
Encrypt sensitive information that is stored on or sent to or from remote devices.
Uninstall unused software and plug-ins from their personal devices to prevent hackers from gaining access through out-of-date patches.
Never download or save company sensitive information to their personal or non-encrypted network drives or devices such as thumb drives or cloud accounts.
Back up files and documents regularly to prevent data loss in the event of a computer virus or other malfunction.
Keep all software on internet-connected devices up to date and install anti-virus software on all devices including PCs, smartphones, tablets, in-house appliances to reduce risk of infection from malware.
Enable screen lock whenever they leave their computer, particularly if they live in a shared space.
Use only company-approved email and application, avoid using personal accounts to do work, and only install a new app with IT’s approval.
Always use VPNs or company-issued third-party service to access the company network. If this isn’t a viable option, look into remote connections that are easy to install to the employee’s personal device. This solution securely connects their work and personal device, so they have easy access to their work files.
Keep Communication Flowing
Even with effective technology controls, remote workers must still exercise good judgment with confidential information as they would if they were in the office. Employers should also remind staff of the types of sensitive information that they need to be extra careful about such as protected intellectual property, trade secrets, confidential business information, work product, customer or employee information, and other personal information.
Besides providing a clear guidance for employees to follow, managers should also instruct staff to notify the IT department about any suspicious activities and report lost devices immediately to minimize the risk of fraud. If they are unsure whether an email request or update is legitimate, try to verify it by contacting their supervisors directly using information provided on the company account and not information provided in an email. If they accidentally click on something suspicious, they should disconnect their devices from the VPN and network, then contact the IT department immediately.
With a strong combination of technology and clearly defined security guidance for employees to follow, remote work can be done safely and smartly while enhancing productivity and empowering your staff. Securing remote-working arrangements and a collective caution when it comes to remote working will help organizations and employees avoid falling victim to cyber criminals during this disruptive time.