9 tips for keeping your workforce CyberSavvy while working from home
Following the recent emergence of COVID-19, an increasing proportion of the workforce has been working from home. As we noted in January , allowing employees to work remotely presents a number of security risks and challenges. Information technology departments are working around the clock to ensure that all employees who can and should be working remotely are able to do so safely and efficiently.
As organizations and employees work from home, we can expect cyber criminals to attempt to profit off of the confusion. Here are some tips organizations should consider to protect themselves from cybercriminals during this unique “work from home” time:
1. Enable multi-factor authentication - IT departments need to be considering the method and manner by which individuals are able to remotely access an organization’s system, network, files, and data. Some remote access mechanisms are more secure than others. Employees should not be permitted to remotely access a company’s system using just a password. Instead, remote access should be allowed only if multi-factor authentication has been implemented.
2. Don’t play go phish – Phishing is always a threat, and threat actors are very good at using what is trending to their advantage. To that end, threat actors are taking advantage of our collective fears and confusion about COVID-19. Phishing emails offer COVID-19 heat maps and updates in an attempt to induce a stressed-out population to click through to computer viruses and other malicious network tools. Employees should be given frequent reminders about the dangers of phishing emails and the importance of pausing before clicking on a link. Now would be a great time to remind employees about the dangers of phishing attacks and how to identify them.
3. Beware of email impersonations - Bad actors are taking advantage of employees not being down the hall from each other and, therefore, unable to easily verify communications. Because of this, we have seen an increase in email impersonations, where a threat actor mimics a known person via email in order to gain access to protected information or divert funds to themselves using fraudulent wiring instructions. Some tactics your organization can use to protect itself from these sorts of attacks are:
- Confirm any questionable emails by establishing a secondary method of contact beyond email, either by creating a phone directory or making increased use of workplace instant messaging. As some email impersonations are carried out by an attacker who has gained direct access to an email box, confirming a questionable email through email is not reliable.
- Educating your clients and customers about fraudulent wire transfers. There are many different ways to do this, including by placing a message that you will never ask for a wire transfer, or that your wire transfer instructions are not intended to change during the pandemic, in your email footer or on your invoices. If you are concerned that an attacker has gained access to an email box in your organization, a direct email to your clients or customers saying so is recommended.
4.Use VPN wherever possible - Allowing large numbers of employees to log in from home enormously increases the number of endpoints in an organization’s network and the opportunity for threat actors to intercept organization data and messages. To mitigate this, consider installing and requiring employees to use a VPN if your organization does not already. Also, threat actors love to exploit open Remote Desktop Protocols (RDPs), so it is best to close those down.
5.Encrypt work laptops - Laptops that are kept outside of the office are increasingly susceptible to theft. Consider installing a bitlocker on laptops. Bitlockers encrypt information on a laptop’s hard drive and require a password before allowing the laptop to boot. These systems significantly reduce the impact of laptop theft on your organization and avoid having to notify any employees, clients, or customers of a potential data breach.
6.Keep personal use to personal devices – Using personal devices for work purposes can open up sensitive or personally identifiable information to the effects of malware that may be picked up during the employee’s personal use. Likewise, for the same reason, employees should not save sensitive work information on personal devices.
7.Ensure device software is up-to-date and has antivirus software – Ensure that while your employees are working remotely, device software updates are still pushing out appropriately and any potential vulnerabilities are patched. Similarly, ensure that all company devices have antivirus software or other malware blockers in place. This can stop many potential compromises before they start.
8.Avoid public WiFi – Bad actors can easily intercept sensitive information being sent via public WiFi that is not secure. Because of this risk, we recommend against you and your employees using public WiFi – especially if sensitive or personally identifiable information is being sent. Instead, employers should encourage employees to use secure home (or other known) internet or a secure hot spot.
9.Ensure you have remote work policies in place– To ensure that best practices are maintained by employees, we recommend that employers have remote work policies in place outlining how employees should be using and protecting employer devices and potential disciplinary actions applicable to employees who do not.
If you have any questions about the above or would like additional guidance on how to keep you and your employees #CyberSavvy when working remotely, reach out to our Data Privacy and Cybersecurity team.