Homesteads have abruptly morphed into workplaces, as widespread shelter in place orders have forced millions – and millions - of workers out of their offices and into their living rooms.
Unprecedented amounts of people are now working from home, including our own system integrator, technology partners, and end-user customers.
The increase in cybercriminals looking to exploit the coronavirus crisis is, sadly, already making headlines in both the mainstream and security media. A recent CNBC report stated that “Cyber threats, including phishing scams and spam, are spiking as online criminals take advantage of the coronavirus to attack remote workforces and corporate systems, and tech vendors, such as SaaS providers, are less able to respond in the current situation. 36% of executives on the CNBC Technology Executive Council say that cyber threats have increased as a majority of their employees work from home, according to a CNBC flash survey that included responses from 33 out of 157 members of the Council who serve in senior technology positions at large companies, as well as at government and nonprofit organizations. One respondent said their organization has seen phishing and other cyber scams rise 40%. Some experts say the level of cyber risks is likely even higher than the survey indicates.”
These are sobering numbers. Fighting the physical infection of COVID-19 is a humongous enough task in and of itself. Having to fight hackers intentionally hurling Malware infections during such precarious times seems so senseless and unwarranted. Yet, we must vigilantly fight off cyber security threats, as well, to ensure we can safeguard workers and the companies they work for to keep the economy as solvent as possible during these challenging times.
In addition to desktop computers and laptops, mobile devices are also subject to risk. And they’re being used more than ever. So it’s important to keep in mind that credentials used to access corporate networks can also be compromised and be vulnerable to malicious software. Mobile and remote working extends the transit and storage of information and data outside of the corporate infrastructure. Which can be risky. But there are three key areas that businesses should address to mitigate cyber-attacks during these days when business is largely being conducted remotely. They are Policies, Watching out for Phishing scams, and Maintaining Communication.
Now, more than ever, organizations should asses their risks and create a remote and mobile working policy. While most will already have one in place, there’s never been a better time to update it. Seek updated advice on how to correctly secure home Wi-Fi systems, and request that all staff avoid using public open networks wherever possible.
If your company is working with highly sensitive data, it’s critical that you warn authorized employees entrusted with that data against working in public areas where their screens can be seen and information compromised. Consider supplying staff with privacy screens specifically designed to mitigate this threat.
Make sure hardware has up to date security software and patches. Many organizations are still experiencing supply chain shortage of laptops, so while approved corporate hardware is on order, make sure any BYOD (bring your own devices) are vetted by IT departments and have up to date anti-virus software.
If you don’t already use one - look at VPN solutions – and make sure they are simple to use and reliable especially since many staff will be unfamiliar. Opt for a standard, secure video conferencing solution rather than leaving employees to choose– not all video conferencing and video tools have end-to-end encryption. And the recent Zoom meeting vulnerabilities are also ones to be considered. Attackers are trying their luck in this “Zoom roulette” pandemic.
Other policy changes to consider enacting include asking that staff share and store data on corporate intranets and rather than using unsecured email to transfer proprietary material or on save to laptop hard drives. Enforce strong passwords and, where possible, implement Two-Factor Authentication (2FA) to access company applications. Make sure you have the support and backup of adequate IT resources in place to support teleworking and respond to security incidents such as the compromise of a device.
Watch Out for Phishing Scams
There is already an increase with cyber criminals exploiting the Coronavirus situation. Make sure staff are vigilant to ward against phishing emails, fake adverts, and WhatsApp messages–particularly any that reference coronavirus or COVID-19.
Such scams have included emails claiming to offer medical advice, ads that have used urgency to encourage the purchase of personal protection equipment (PPE), and cybercriminals targeting company email accounts with fake policies. The result of clicking some of these surly scams – malware and ransomware – can have serious impacts on business continuity and financial repercussions. The time is now, more than ever, to educate your staff on how to spot one.
Beware of any request for personal information – especially login information or social security numbers
Triple-check the email address or link – scammers will create links that resemble a respected government agency or major corporation
Look out for spelling and grammar errors and generic salutations such as “Greetings Sir or Madam” – a sure sign content has been developed by organized criminals using cheap labor in foreign countries.
Provide staff alternatives to find useful information – such as the Center for Disease Control (CDC).
Communication – Keeping the Lines Open is Key
Many security and safety professionals are well aware that, in any crisis, the way a business communicates with staff and other stakeholders is critical. Cyber security cannot simply stop after the guidelines change. Continually review polices and adjust to the required changes to keep your staff informed.
Make sure to maintain regular communications by email and other company communication tools to maintain awareness and vigilance, alerting personnel to new and evolving threats.
Encourage two-way communications and have employees flag suspicious emails so other staff know what to look out for.
And if your business is experiencing increased threats and has successfully used tactics and tools to mitigate them, then share those best practices you‘ve implemented within your wider business community via regular company communications, be that a blog, newsletter, or social media channels.
At the same time, if you’re a small business without IT and cyber staff, then please look for more detailed advice provided by the Federal and State governments.
Cyber threats are not new, so many of your technology partners including IDIS will have the expertise and guidance to offer that you sorely need. Reach out, ask for advice, and get practical tips. We’re all in this together. We truly are. Stay well and safe.