Companies all over the US are starting to send employees home during the workday (schools are also shutting their doors). The problem? Most organizations have not implemented work from home plans that consider cybersecurity threats introduced in a work from home environment.

With social distancing from COVID-19 comes a greater threat to your organization’s cybersecurity.

BUT even with the threat of coronavirus continuing to spread, organizations have not considered planning from a cybersecurity standpoint to make sure their teams are safe in work-from-home environments.

One thing is clear—as your organization considers sending its employees home to adhere to well-advised social distancing policies promoted by health officials, you may be making it easier for cybercriminals to target remote work forces, giving them an open door into your network.

While working from home is obviously not a new concept and many might engage in working at home here and there, the mass migration of work forces to entirely or prolonged remote work does lead to dramatic changes in how people are working and how they are being protected.

Working from home may put your employees in entirely different environments, leading to greater distraction, different rules of the road, or a different level of caution and cyber hygiene than they are accustomed to at the office.

In addition, security technology in homes may vary and is likely less secure than what you are used to at work. Unsecured home WiFi networks and less firewall capability are two big gaps your teams may not initially see as potential threats. Once employees are working from home, many of the perimeter-based security tools will no longer be available to them, leading to greater exposure to phishing attacks and network attacks in general.

Attacks HAVE already been ramping up for COVID-19.

Cybersecurity researchers are seeing a rash of coronavirus-targeted phishing attacks and attacks on remote workers. Criminals are vigilantly watching news stories of businesses and organizations closing their doors for remote work and are starting to target individuals within organizations who may be working remotely, in an effort to hack into your organization’s network.

Attackers have started leveraging coronavirus-themed cyberattacks, exploiting the pandemic we are currently facing within the US to get onto networks. We have seen malware embedded in coronavirus maps and phishing attacks with links to seemingly legitimate websites, leading to users giving up credentials and downloading malicious software and applications onto their machines.

The World Health Organization (WHO) even released a notice yesterday warning that scammers and attackers have been spoofing their site and emails to get concerned or panicked individuals to click on malicious content.

When you are in panic mode, you will be LESS likely to stop to think whether an email, correspondence, or link is legitimate.

Attackers are looking for vulnerabilities.

In general, attackers are looking for vulnerabilities to deliver their attacks. In the case of COVID-19, they are looking for fear in people over the virus. If you were concerned or stressed out about COVID-19, either contracting it yourself or someone you care about getting infected, would you click on a link for more details? What if you received news about new symptoms to look for or a self-assessment to diagnose COVID? Would you want to click on the link? Security experts are warning that this is the easiest way for criminals to get onto your users’ machines and, ultimately, your network.

When we are in crisis mode, we forget any security training and focus on our immediate need for more information.

I want to remind you that organizations HAVE already been getting hit.

Experts have started to report ransomware attacks that have stemmed from the chaotic transition from in-office working to working from home. In one big recent event, Otterbein University in Columbus, Ohio, was hit with a complete shutdown of its network in a ransomware attack. The school was forced to extend spring break at least one additional week as it tried to recover.

What to think about with your remote teams?

Lack of IT resources at home is one big concern for cybersecurity experts and strategists. When workers are sent outside of their normal perimeter—the firewall and protections typically keeping them and their data safe on the network—there are many new open challenges that might leave your organization more vulnerable to attacks.

Have they secured their home WiFi? Are they actually using a company-issued computer? Are they adhering to your Acceptable Use policy when at home?

When thinking about all the questions to ask, realize that your network now includes THEIR homes! Is your security program ready for this?

If you do not normally deal with telecommuting, you might be less prepared than most.

Especially in highly regulated industries—banking and healthcare for example—you might be dealing with large masses of sensitive data that a remote worker may need access to, but granting easy access puts your organization at risk.

When workers who continuously require sensitive information are put in a remote environment and are limited in how they can access that information, you need to ask whether those employees are actually productive enough to be remote.

In many industries, you may also use systems, devices, or software that are rarely updated, or legacy systems that may pose a threat if accessed remotely. Even where you’ve hardened machines running older operating systems, security analysts question whether they should be accessed from outside your office doors. When dealing with critical systems that are older and harder to maintain, experts warn that remote access might put your entire network at risk—or at least the segmented portions where those devices or machines are connected.

So… If you have a remote workforce in place today, what are some best practices to consider?

Take a step back and make sure your workforce is prepared—The first step that an organization should take in a normal situation is to go through a tabletop exercise with key decision makers on how to audit remote work within your organization.

Inventory business applications—Identify mission-critical software and identify what work can reasonably be done remotely, what can’t, and how to address remote working across divisions of your organization.

Know what your teams need—What do specific roles need in order to do their jobs remotely? This likely varies role to role or department to department.

Check your VPN’s capabilities—Before changing how things are done, you will probably want to test or validate that your VPN connectivity is good enough for remote workers (or for the volume necessary to accommodate remote work within your organization).

Issue a self-assessment for ALL employees working remotely—Have employees take a risk assessment of their home environments. Make sure that they each have secure WiFi (i.e., that they have found out how to secure their connection so that it is not open for everyone to connect to), have appropriate materials, and are reminded of social engineering threats and distractions that put remote workers at risk of cyberattacks.

Catalog and communicate what devices should be used remotely—Make sure to catalog what devices are approved for remote work, especially for connecting to your network, and be clear with each employee as to what is expected of them and their usage of those devices when assigned to work remotely.

Identify and communicate what work/software cannot be used remotely—Another big consideration is on-premises software that may require special licensing or applications that will not be accessible by a VPN connection.

Bottom Line: make sure your staff is comfortable and knowledgeable about working from home.

From a security standpoint, make sure everyone is up-to-speed with the latest info on coronavirus—you may want to enforce a “No social media” policy during working hours to eliminate distractions and the risks of coronavirus-related content.

And keep reminding your workforce that scammers are looking to take advantage of their fears and weaknesses. Remind them to stay vigilant and question links sent in emails and coronavirus-related information.

If you are concerned about your staff’s vulnerability, you may want to consider a computer hygiene assessment before putting them on at-home work.