Data breaches, ransomware, malware, phishing scams, SMS scams. These are all examples of cybercrime that are rampant throughout the world and have only been made easier due to the global shift to working from home. If your business becomes an unfortunate target, it could end up costing you, and not just financially; your business’ reputation is also at stake.
Before COVID-19 disrupted the global workforce, there were an estimated 1.7 million Canadians (not including the self-employed) working from home. In March, on the advice of the government to mitigate the spread of COVID-19, many employers hastily put together work-from-home plans and told their employees to stay away from the office in order to maintain physical distance from co-workers, and reduce the spread of the deadly virus.
However, the speed at which this had to be accomplished created a significant risk to companies from a cybersecurity standpoint as remote work environments don't typically have the same safeguards as in the office.
Today’s cybercriminals are exceptionally clever and resourceful, and they are finding increasingly sophisticated means of getting to companies’ data. Small and mid-size companies do not usually have the security systems that large corporations do, but at least when employees are working from the office there are, in most cases, a few layers of preventive security controls to try and keep information private, including firewalls, antivirus software, VPNs and more.
Have you unknowingly left your company open to a cyberattack in the wake of a hurried company-wide work-from-home transition?
We have a few suggestions to mitigate your employees’ chances of leaving themselves—and the company—exposed to a cyber attack.
Digital Security for Remote Employees During COVID-19
1. Conduct basic employee security training
You might be surprised to learn that many employees are simply not aware of threats such as email phishing scams. Before allowing them to work from home, there should be at minimum some basic training so that they will be able to recognize the different types of scams, and what they should do when they are targeted with one. During this unprecedented time, we are likely to see an increase in work-from-home scams, targeting the vulnerable employee who is not educated about the risks that phishing attacks can pose to companies.
2. Provide your employees with VPN access
Data can be protected as it moves between your business systems and remote employees using a Virtual Private Network, or VPN. A VPN encrypts all of your internet traffic so that it is unreadable to anyone who intercepts it, providing an additional layer of security and a flexible connection to connect to different services (web pages, email, a SQL server, etc.). It will hide the user's IP address and mask the user's location.
Most larger organizations already have a VPN service in place but may need to upgrade in order to provide this protection across their entire employee base. Ensure that employees use the VPN for all business-related activities.
Smaller enterprises may need to appoint a VPN provider. Avoid free providers at all costs! Do your own due diligence before selecting a VPN provider for your company.
3. Encrypt sensitive data
Sending emails or messages with sensitive data is always going to be a risk. In fact, in heavily regulated industries, it can also result in huge fines. Without encrypting sensitive data, it could be intercepted or seen by an unintended recipient. Encrypting data means that even if a device is stolen or lost, the data is not compromised. Thankfully, many mainstream messaging services such as WhatsApp come with end-to-end encryption as default or as an option.
4. Set up firewalls
Firewalls act as a line defence to prevent threats entering your system, creating a barrier between computers and the internet by closing ports to communication. This can help prevent malicious programs coming in and can stop data leaking out.
Devices typically have a built-in firewall, but it’s recommended to seek additional protection from one of the top quality firewalls on the market.
5. Use an antivirus software
Even with a firewall, cybercriminals can still find their way in. Good antivirus software can act as the next line of defence by detecting, blocking in some cases removing known malware.
6. Implement inbound email filtering
Did you know, the number of spam emails sent worldwide every day far exceeds the number of legitimate emails sent? Filtering inbound emails helps to keep inboxes safe, secure and manageable, and reduces the chances of a phishing email making its way in.
7. Use malicious attachment and link protection
Attackers attach files to emails that can install malware capable of destroying data and stealing information. Attackers typically send these email attachments and provide email content that is sufficiently convincing to get the user to believe it is legitimate communication. For example, in Switzerland, hospital workers have reportedly received an email from the director of the World Health Organization (WHO) that contains a personalized message using the recipients’ valid username with an attachment. When the attachment is opened, it installs malware capable of stealing credentials from the computer. According to cybersecurity researchers, the messages include information about novel, preventative drugs and COVD-19 cures.
Email attachment security solutions can be put in place to reduce the chances of emails with malicious attachments or links being opened or clicked.
8. Use cloud-based applications rather than local programs
One way to protect your data is to ensure your confidential information is not stored locally —employees should be encouraged to use cloud-based apps such as Office 365 which include updated security features that are compliant with industry regulations. Any third-party cloud storage services used should be verified by your security teams before employees are authorized to use them, particularly if your business stores and uses critical personal data.
9. Have data backup plans in place
Data can be lost in a number of ways, and not just from ransomware. For example, on March 15, 2020, ransomware attacked the local municipality of Marseille, France, resulting in large amounts of data being inaccessible. Even though the government was able to restore systems from backups rather than paying the ransom, this attack was still incredibly costly as the recovery and restoration expenses will quickly add up. Keeping data backed up is just good practice. While hardware backups are still an option, one of the most convenient and cost-effective ways to store your data is with a cloud backup service which will likely come with a whole host of options enabling you to customize your backup schedule and storage options.
10. Create, implement and formalize a work from home policy
Employers should create and train employees on work from home policies to ensure there are no misunderstandings regarding expectations. This would include the security measures that employees must adhere to. Formal policies should help employees act safely with corporate devices and information even while working from home.
Within your policy, we recommend including the following:
Avoid public Wi-Fi
During the coronavirus outbreak, the expectation is that people will be working from home, rather than a public place such as a coffee shop. However, nothing should be overlooked in a formal policy, therefore, it should include restrictions surrounding public Wi-Fi. Public Wi-Fi introduces significant security risks; other people have access to that network and without a firewall between you and them, cyber-attacks are much easier.
If public Wi-Fi cannot be avoided, it’s important to find a way to protect your computer and your data. One option is to use a personal hotspot from a dedicated device or your phone which eliminates the problem of getting hacked by people on the same public Wi-Fi. With most major carriers, you can pay a nominal fee for the capability to set up a private Wi-Fi network with your phone. In many cities, 4G or 5G service is almost as fast as home Internet access. Using the VPN is another alternative. Where possible, however, work from home should be conducted from home where Wi-Fi routers are sufficiently secured.
Do not access work data from non-company computers
It can be tempting to use a personal computer if your work computer needs charging, or if you left it somewhere (a security no-no in itself!). However, using a non-work computer to access work data can be a risk for you and for the company. Your company's IT person, or team, will have ensured that your personal computer installs regular updates, runs strong antivirus scans, block malicious sites, etc. It’s probably going on in the background and you’re not even aware of it. Most individuals do not take the same precautions with their home computer increasing the risk of malware finding its way onto devices and both personal and work-related information being leaked. Introducing personal computers to a work network will compromise the safety of the company networks and put company data at risk, therefore it should be avoided at all costs.
By making this part of formal company policy, individuals are more aware of the risk and of the potential liability of extensive corporate damages though violations of the policy.
Ensure the password policy is adhered to
Passwords used to access any business services must be in line with a stringent security policy.
Employees must be reminded not to use the same password across multiple accounts as all it takes is one compromised password for a criminal to take over all of your accounts. The strongest passwords are a long string of upper and lower case letters, numbers, and special characters. These, naturally, are difficult to remember, so password managers, like LastPass, are increasingly popular.
2-factor, or 2-step, authentication should also be mandatory. The extra step could be an email or text message confirmation, a biometric method such as facial recognition or a fingerprint scan, or something physical, such as a USB fob.
Install updates regularly
Updates to device software and other applications are critical as they often include patches for security vulnerabilities that have been uncovered since the last iteration of the software was released. Usually, updates can be set to run automatically so you don’t even have to think about it.
Don’t use USB sticks or flash drives where the source is unknown.
Hackers use these to gain access to computers. In addition, do not continue to use a USB stick if you have plugged it into an unknown system that you cannot be sure is secure.
Ensure physical measures are taken to protect company equipment and data
It’s not just online threats that should be considered when working from home. Your family now lives in your office, therefore having a dedicated workspace, separated from the rest of the family space, where the doors can be locked at the end of the day is highly recommended. In addition, never leave work computers or devices in a vehicle, rather they should be on your person at all times when away from the home.
The work from home policy should also clearly state who to contact in the event they detect a security anomaly.
How can innov8 help?
Did you know your printers can be an access point for hackers? It's true, they are connected to your network and therefore are vulnerable to attacks. However, they are often overlooked as part of company network security.
With innov8’s Managed IT solution, we implement best practices for security when setting up your team with secure networks and printers in their home office to ensure they are fully protected against information loss and cyber attacks. We can also provide training for your employees on the measures they can personally take to mitigate the chances of an attack.
Our technical experts’ service and support printers, computers, routers, firewalls, antivirus software and more. In fact, we have invested in the latest cybersecurity and anti-virus tools and next-generation backups to ensure threats are minimized while also keeping your IT and administrative costs as low as possible. With innov8’s Managed IT offering, we are able to respond to calls, emails or online tickets quickly and efficiently, to ensure your business experience’s minimal downtime.
COVID-19 has disrupted the world and the way we do business. Companies have had to adapt to the government's recommendations of physical distancing, and quite frankly, no one knows how long this could last for. It could be anywhere from a few weeks to several months. Businesses must, therefore, embrace, rather than fight, this new way of working. With the right security measures in place, there’s no reason your workforce can’t be just as productive working from home as they would be in the office.