The coronavirus pandemic has radically altered how businesses operate. Across the country, organizations are directing employees to work from home—in many cases indefinitely. This sudden and unprecedented shift creates serious cybersecurity risks for both companies and their employees:
The perimeter is gone. Many employees are now working on unsecured personal devices and home networks, dealing with sensitive software or documents outside the protection of typical office network security measures. At home on personal devices, they are also free to visit dangerous websites that employers typically block.
Ransomware can be more damaging. If computer systems go down, employees working from home cannot fall back on face-to-face interactions, backup paper records, or other in-office processes to keep operations humming. Deception is easier. The virus is driving uncertainty amid rapid market changes, opening opportunities for criminals who can leverage the sense of urgency to trick employees by “phishing” them with fraudulent communications. That email from your CFO asking for a quick wire transfer to a strange bank account may look less suspicious if you know your business is already operating outside its normal procedures.
The good news for businesses and employees is that smart working-from-home security looks a lot like working-from-the-office security. Businesses and individual employees can protect themselves against predatory criminals through relatively straightforward, low-cost, time-tested security measures:
1. Update all software
Outdated software anywhere on a computer system usually contains known security flaws, low-hanging fruit for computer criminals. Failure to update software is one of the most common causes of malicious data breaches. Ensuring that key applications and devices are up-to-date should be a top priority. Now is the perfect time to push out security patches and click “Update Now” on your personal devices.
For Employers: Inventory all software used for business and update each to its most current version. Ensure that all employees are using the same up-to-date versions. Stretch goal: Implement a patch management process that can survive IT staff turnover.
For Employees: First, update the operating system on your computer (PC, Apple, or Chrome) or phone (Android or iPhone). Second, update your web browser (Firefox, Chrome, Safari, or Internet Explorer). Third, ensure that any other specific applications you use, including security software, are also up to date.
If you’re using your personal computer at home for work purposes, make sure that you keep all your software up-to-date—regardless of whether it’s a work-related application. Computer criminals can gain access to work-related materials if they compromise your computer through an unrelated program.
2. Use password managers
Choosing weak passwords and reusing strong passwords makes life easier for computer criminals; stolen passwords are traded online and criminals will use so-called “password spraying” attacks to test known passwords against new systems. Password managers allow employees to create strong, unique passwords for many different applications without having to rely on their memory alone.
For Employers: Distribute best practices for using password managers, including having users create a strong master password, and set up a password recovery process. Explain the pros and cons of different options. Encourage employees to use password managers by reimbursing any associated costs.
For Employees: Use a password manager even if your employer does not actively suggest it. Use your browser’s integrated password manager (Firefox, Chrome, Safari) or search “password manager” in your search engine or application store to download a standalone version. Most popular password managers will do. Then make sure to replace your old passwords with new, stronger ones created and stored in the password manager. That unique-to-you but the easy-to-remember password you’ve been recycling on key sites since college? It’s time to get rid of it.
3. Use multi-factor authentication
Passwords are only one way to verify identity, and they can be easily stolen through phishing attacks. Adding additional methods for authentication can dramatically improve security. For example, by sending a secret number via text message or mobile application to an employee’s phone, a company can better verify credentials (as it is unlikely that a computer criminal would also have the employee’s phone).
For Employers: Employ multi-factor authentication wherever possible, as soon as possible. Ensure that employees can choose from multiple options for their additional factors. Stretch goal: Issue hardware security tokens for all employees.
For Employees: Urge your employer to roll out multifactor authentication for work accounts and turn on multi-factor authentication in your personal accounts, including social media accounts. Gmail, Facebook, and Twitter all make two-factor or multifactor authentication easy. Stretch goal: Buy a hardware security token for your personal email account.
4. Guard against phishing attacks
Humans are often the weakest link in a security program, and computer criminals are upping their skills when it comes to fraudulent emails that entice employees into clicking on malicious links or downloading malware. Cutting down on successful phishing attempts should be a priority during a crisis when people are working in isolation, without the regular rhythms of the business.
For Employers: Configure email accounts, so any external emails include a prominent warning, indicating the message are from outside the organization. Consider including a link to best practices for spotting phishing attempts in every warning. Stretch goal: Implement a company-wide simulation to test employees’ awareness, identify the most susceptible employees, and offer them additional training.
For Employees: Dedicate time to learning about various types of phishing attempts. Ask your employer what they are doing to provide training to employees. Be savvy in reading and responding to your email. If an emailed request from a coworker, vendor, or customer seems out of the ordinary, use a method other than email to double-check—call, text, chat, or Slack them or double-check the validity with another colleague.
Know that in these uncertain times, banks, government agencies, or company IT directors are unlikely to request account details, passwords, or other vital information by email. Be wary about entering information and passwords into web forms that mimic your regular corporate intranet or login pages. Double-check the web address bar–does the browser issue any warning?
Does the domain name (Ex: https://www.aspeninstitute.org) look right? If you see spelling or grammar mistakes on the website itself don’t ignore them–they are a common sign that the website is fake.
5. Prepare for the worst
Assume that security controls will fail, and plan for the response ahead of time so employees and managers can act quickly.
For Employers: Update your own procedures for responding to security problems, adapting it to the new conditions imposed by widespread remote working. Encourage rapid breach detection by explaining that employees should report any security incidents, even if they appear limited to their personal devices. Assure employees they will not be punished for reporting.
For Employees: If you lack access to the company cloud, ensure you still back up your digital work regularly, either in a separate cloud account or in a separate storage drive that remains in your possession only.