As the Coronavirus is disrupting the day-to-day lives of billions of people around the world, businesses are in the middle of what Time Magazine describes as the “world’s largest work-from-home experiment.”
Practically overnight, many companies have been forced to adjust their operations by moving millions of workers out of their offices and into their homes. While this shift is mission-critical, allowing employees to remain productive and companies to stay operational even as offices are closed, it also comes with significant cybersecurity risks.
Cybercriminals, always ready to take advantage of a crisis, have crafted and distributed a deluge of COVID-19 phishing emails, prompting warnings from the US, UK, and other central governments about this growing cyber risk.
Meanwhile, employees working on personal devices or unsecured wireless networks can put critical information at risk. In addition, everything from remote access fraud to insider threats becomes more potent during a crisis, when distributed teams lack the oversight and infrastructure that typically accompany an at-work IT environment.
Simply put, remote workers expand your company’s potential attack surface, increasing the likelihood of a data breach or a privacy violation. However, in this unprecedented moment, most companies don’t have another option. Therefore, when working remotely, here are five best practices for protecting company data.
#1 Create and communicate specific remote work data management standards.
Incredibly, in 2020, even as privacy regulations continue to emerge, many companies still don’t have a coherent data management policy that they can convey to their employees. As a result, many employees are unsure about using personal devices, sharing customer information, or implementing defensive tactics.
As this grand work-from-home experiment unfolds, even organizations with established data management policies need to reevaluate and reiterate their standards to employees now working in a digital environment. While the idiosyncrasies of these policies will look different for every company, every organization needs to address:
- Account password standards. Using strong, unique passwords across all accounts is a basic cybersecurity measure that every employee needs to follow. For instance, the significant uptick in remote work logins gives bad actors cover to use stolen login credentials to access company IT undetected. Strong, unique passwords can prevent this from becoming a widespread issue.
- Two-factor authentication. Employees have a well-documented disdain for two-factor authentication, but this simple feature can keep company accounts secure, even when credentials are compromised.
- VPN integration. Every organization needs to identify, distribute, and routinely update a reliable VPN service. While this software can go a long way toward protecting company and customer data, multiple scams have emerged touting legitimate-looking VPN services that install malware on users’ computers. At the same time, cybersecurity researchers have identified numerous flaws in outdated VPN services that could compromise account security.
- Personal device usage. Employees often use personal devices in the office, and many more will likely be tempted to access company networks remotely or to complete work tasks on these machines while working from home.
- Data sharing. Companies should clearly outline acceptable data sharing techniques while working from home. Employees accustomed to collaborating in the office are more likely to compromise data as they communicate sensitive information from home. In this regard, a little guidance can go a long way toward securing critical data.
#2 Prepare employees to identify phishing scams and other fraud attempts.
Even before COVID-19, employees responding to phishing scams were a significant cybersecurity vulnerability. It’s estimated that more than a trillion phishing scams are sent every year, and these messages are increasingly sophisticated, including recipients’ personal details and other hallmarks of authenticity.
Unfortunately, a single employee only needs to respond to one of these malicious messages to cause a data breach, making phishing scam identification a critical component of any company’s defensive posture. These initiatives need to be updated and refreshed for remote workers receiving messages during the COVID-19 pandemic, as cybercriminals are expertly exploiting a sense of fear, urgency, and unease to encourage engagement with their attacks.
At the same time, there is a deluge of other fraud attempts that pose a significant risk during this unusual time. According to the US Department of Justice, employees need to be aware of:
- treatment scams
- supply scams
- provider scams
- charity scams
- phishing scams
- app scams
- investment scams.
Bad actors are eager to take advantage of our collective vulnerability during this time, and organizations have a responsibility and good reason to help their employees navigate this digital landscape.
#3 Monitor employee activity.
Employee monitoring has become a critical element of many companies’ cybersecurity strategies. As insider threats pose an increasingly prominent risk to data security, this digital oversight protects customer and company data from accidental and malicious misuse.
Now, with millions of employees operating outside of company purview, employers need to double down on their monitoring initiatives to ensure that workers remain productive, engaged, and, most importantly, secure.
Notably, employee monitoring software is the tool that allows employers to hold workers accountable for the data management standards that will help keep their data secure during this unprecedented time. For example, monitoring company devices will allow employers to identify employees who may be working from personal devices to access and transmit company data. Similarly, employee monitoring can identify employees who may struggle with engagement or are being inundated with scams.
At the same time, user and entity behavior analytics (UEBA) software can track employees for signs of stress or other abnormalities. Ultimately, it’s a form of engagement that can encourage productivity and well-being while mitigating the data security risks posed by remote employees.
#4 Restrict access to critical data.
While access to critical company data should always be a need-to-know directive, this is especially true with a mobile workforce. At the same time, IT admins should consider limiting employees’ ability to save, download, or otherwise extract company data.
As employees connect to company networks from uncontrolled environments, the threat landscape necessarily expands. In response, restricting access to data limits the possible exposure and lessens the risk of a data breach.
#5 Practice digital social distancing.
This year, the term “social distancing” has entered our vernacular with voracious force, and it will undoubtedly define this turbulent time. As employees practice social distancing by working from home, simultaneously practicing digital social distancing is a critical way to keep information secure.
For instance, it’s important to limit personal information posted online that could compromise accounts or make users vulnerable to highly sophisticated spear-phishing campaigns. Limit the spread of bad information by being mindful of what you share online, and ensure that your employees are always working with the best information to avoid a cybersecurity incident.
In this strange time, where companies are entering uncharted waters in the form of the largest work-from-home experiment in history, it will be impossible to account for every threat in this ever-evolving landscape.
However, that doesn’t mean that companies are powerless. Many cybercriminals are not inventing new attack methodologies. Instead, they are targeting organizations that can’t or won’t keep up with best practices, exploiting their ineptitude for their own benefit. By embracing work-from-home best practices, every organization can significantly reduce its exposure, which is critical to keeping business running while we all remain at home.
This article was originally published on IT Security Central and reprinted with permission.