As we continue to observe social distancing guidelines and stay-at-home orders, it’s clear that we’ll all be working from home for at least another several weeks.
While many of us might have worked from home a day or two a week prior to the pandemic, few organizations are used to having all their staff work from home for weeks at a time. In fact, according to Owl Labs’ Global State of Remote Work report, a mere 16% of global companies are exclusively remote, and 44% have historically not allowed any teleworking.
This means that the vast majority of organizations have not implemented the sort of security measures that are most appropriate for a fully remote team.
To help you make the adjustment, here are some big-ticket vulnerabilities along with recommendations on how to best mitigate them.
1 – Using personal devices
The laptops and desktops your firm owns are secure. They have up-to-date patching and anti-malware. They have simple but important policies like an automatic screen lock. They’re backed up and might even have hard drive encryption and remote wipe capabilities.
Do the personal devices accessing your data even have anti-virus beyond Windows Defender? Are any running Windows 7, which has been out of support for months?
Recent research from BitSight found malware present on 45% of home office networks. If a vulnerable machine is accessing your firm data, that data becomes vulnerable.
Best practice is to only allow your people to work from company-owned equipment. If you try purchasing new equipment today, though, you will probably run into significant delays with manufacturing. Your second-best option is to roll out workstation management software to these personal devices. Your IT team can help with this.
2 – Heightened scam activity
Scammers are having a field day with this pandemic. We’re anxious, we’re distracted, we’re working with new and unfamiliar technologies, and we’re accessing confidential data outside of our secure office network.
In a span of just seven hours, cybersecurity company ESET detected 2,500 infections from malicious emails that played on COVID-19 themes. Barracuda Networks has reported a 37% increase in cyberattacks, and a 600% increase in phishing scams since the end of February.
Phishing emails that appear to come from legitimate sources like the World Health Organization offer links or attachments with information about the spread, face masks, a vaccine—anything that will tempt recipients into clicking and infecting their machines with spyware, ransomware, or other malware.
And the massive success of these scams means that hackers will double down.
Fortunately, we can avoid these scams by practicing the same awareness tactics you’ve heard before:
- Don’t click links or download attachments you weren’t expecting.
- Watch for poor grammar and generic greetings (sir/ma’am).
- Don’t offer up personal information unless you can verify the request (by calling the sender, logging directly into your Facebook account, etc.)
Regarding coronavirus specifically, be sure to stick to official websites (WHO, CDC) for the latest news on the outbreak.
3 – Not using multi-factor authentication
Multi-factor authentication keeps you protected even if you make a mistake—which, as I mentioned above, is a lot more likely in today’s landscape.
Say you fall for a phishing scam and enter your Office 365 credentials onto a fake web page. But your Office 365 account is set to send a verification code to your cell phone. Even with your email address and password in hand, the hacker still can’t access your account unless they’ve also managed to steal your cell phone.
In January, 1.2 million Microsoft accounts were compromised. Microsoft has said “multi-factor authentication would have prevented the vast majority of those one-million compromised accounts.”
Work with your IT team to (forcibly) enable multi-factor authentication on as many applications as you can. This is often not labor-intensive, and it can do wonders to keep your accounts locked down.