With the spread of Coronavirus, or COVID-19, more and more companies have turned to remote work as a precautionary measure for their employees. While this tactic is focused on balancing business productivity with the health and safety of their staff, it can be easy to overlook the safety and security of an organization’s network or data. For many companies, this will be the first time they have remote workers, which means that it is likely that they have no protocol or guidelines in place to help keep their information and devices safe from cyber threats. Hacking attempts have already started to capitalize on the COVID-19 scare, making this even more important and time-sensitive.
Here are some tips and best practices for cybersecurity when you have remote workers:
Use a Password Manager
A password manager is a great way to keep all of your team’s online accounts and passwords secure. LastPass and 1Password are two of the most popular and well-respected password management systems for storing encrypted passwords online. A password manager enables secure sharing of passwords and can also be used to generate passwords, so that everyone on the team has easy, safe access to whatever they need to complete their work.
Make Two-Factor Authentication the Standard
Many popular business software platforms are accessed through the cloud, which provides many advantages for remote teams such as seamless collaboration and sharing. A downside, however, is that it can be easier for someone who is not an actual employee to impersonate a user and gain access to the same data. This usually happens when weak passwords are used, which is more common than you might think. This is what makes two-factor authentication critical for remote workers using cloud-based software and why it should be implemented as a standard practice on all company equipment. Two-factor authentication is a method in which a user must provide two pieces of evidence: something you know (such as a password) and something you have (such as a hardware token or cell phone that generates a unique code). Once implemented, this makes it much more difficult for an unauthorized user or attacker to gain access to your account.
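To make the two factors concrete, here is an added example (not from the original article) showing how an authenticator app or token commonly derives its code with the TOTP algorithm (RFC 6238), and how a login check requires that code in addition to the password. The function names, salt, password and secret are constructed for the illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample secret (the published RFC 6238 test key), never a real one.
SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code shown by a phone app or token."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Something you know: stored only as a salted, slow hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def login(stored_hash: bytes, salt: bytes, secret: bytes,
          password: str, code: str, now: int, window: int = 1) -> bool:
    """Both factors must pass; +/- `window` time steps tolerate clock drift."""
    knows = hmac.compare_digest(hash_password(password, salt), stored_hash)
    has = any(
        hmac.compare_digest(totp(secret, max(now + i * 30, 0)), code)
        for i in range(-window, window + 1)
    )
    return knows and has
```

A guessed or stolen password alone fails this check, and a code that is more than one time step old is rejected even with the right password.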
Implement Endpoint Protection Software
Securing endpoints (or end-user devices like laptops, tablets, and mobile devices) is one of the most important priorities for keeping remote workers protected. Endpoints serve as access points to a company’s network and create points of entry that can be exploited by threat actors. This becomes even more important when dealing with remote workers since the endpoint physical assets are not maintained within the company’s walls. Endpoint security software uses encryption and application control to secure devices accessing the network, controlling security on those points of access to monitor and block risky activities. Encrypting data on endpoints and removable storage devices helps protect against data leaks. Application control prevents endpoint users from executing unauthorized applications that could create vulnerabilities in the network.
Educate Your Staff on the Physical Safety of Their Devices
A highly common cause of security breaches is a scenario where a worker loses their device(s) to thieves. Whether at home, in a coffee shop, or on the road, it is imperative for workers to understand that cybercriminals are opportunists and will take advantage of any chance they come across. This means protecting any and all devices used to access any work data is crucial. Some best practices to educate employees on include:
- Password protect and lock screens using the most secure method available for each device
- Never let your devices out of your sight
- Don’t let anyone else use your device or plug anything into it, such as a USB
- Set up tracking software or “Find My Device” options for each device
- Always back up your files
- Encrypt sensitive data
Avoid Public or Unsecured Wi-Fi Networks
This will mostly apply to employees who are working outside of their home or are on the road, where it is tempting to access the free Wi-Fi at a hotel lobby or local coffee shop. This, however, can be very risky, as insecure traffic, including sensitive data and log-in credentials, can be easily intercepted by a hacker. Attackers can also use unsecured Wi-Fi networks to distribute malware, or spoof a public Wi-Fi network to draw in users and capture their data without them knowing. To stay secure, it is advisable to avoid such public networks whenever possible for use on any company devices.
Use a Virtual Private Network (VPN)
A virtual private network, or VPN, provides online privacy and anonymity by creating a private network from a public internet connection. VPNs can mask your internet protocol (IP) address so your online activity is no longer traceable. A business should ensure that their employees connect to their company network via a VPN and all key applications are accessible via VPN.
Educating Employees on Security Etiquette
Besides the aforementioned security measures, companies must educate their employees to always follow certain basic security etiquette while working remotely, such as:
- Not using personal email addresses for work purposes
- Not using non-vetted online messaging applications or other software that can pose security risks
- Not using personal devices to connect to the work network.
Know How to Detect and Report Phishing Attempts
Phishing is a method of trying to gather personal information using deceptive e-mails and websites, and it has long been one of the most commonly used and successful methods for cyber attackers. One of the most widely used approaches is to imitate a real-life business situation and send an unsuspecting employee an email with a malicious link or attachment in order to gain access to their accounts. Usually, this email will come from someone posing as a member of the IT team or of corporate leadership to provide a sense of legitimacy. Such social engineering-based attack techniques help cybercriminals fool employees into revealing confidential data or credentials. To make matters worse, phishing activity tends to increase during times of crisis and uncertainty, as attackers look to capitalize on current events and popular topics. There have already been identified instances of phishing campaigns trying to take advantage of the Coronavirus situation.
It is important to educate employees on how to detect and report potential phishing attempts:
- Don’t click on links from people you don’t know. Always think twice before clicking any links or opening an attachment.
- Verify the email address of a sender. A common tactic is to replace one letter with a similar-looking symbol or number.
- Look for the more obvious tip-offs:
  - You don’t know the sender
  - You don’t have any account with the company
  - The message is missing your name or uses bad grammar and spelling
  - The email asks for personal information, including passwords
- Have a plan for reporting suspect emails. Train employees on what to do and how to report a suspected phishing email. This can include forwarding the email to a phishing inbox that your security team has set up or just notifying your IT team and asking what to do with the email and how to handle the situation.
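The sender check described above (one letter swapped for a similar-looking symbol or number) can also be automated on the mail-filtering side. The following is an added example, not part of the original article: it folds common look-alike characters and, going slightly beyond the text, also catches a single dropped or added letter. The trusted domains and sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: the domains your organisation really sends mail from (constructed).
TRUSTED_DOMAINS = {"example.com", "example-payroll.com"}

# Digits and symbols commonly swapped in for similar-looking letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})
MULTI_CHAR = (("rn", "m"), ("vv", "w"))


def skeleton(domain: str) -> str:
    """Fold look-alikes so 'examp1e.com' compares equal to 'example.com'."""
    folded = domain.lower().translate(CONFUSABLES)
    for fake, real in MULTI_CHAR:
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one dropped or added letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' (report it) or 'unknown' for a From: header."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(skeleton(domain), skeleton(trusted)) <= 1:
            return "lookalike"
    return "unknown"


# Constructed sample headers, not taken from real mail.
SAMPLES = [
    "IT Support <helpdesk@example.com>",
    "IT Support <helpdesk@examp1e.com>",
    "Payroll <hr@exarnple-payroll.com>",
    "Newsletter <news@unrelated.test>",
]
RESULTS = [classify_sender(s) for s in SAMPLES]
```

Messages classified as "lookalike" are good candidates for automatic forwarding to the phishing inbox, since the display name alone ("IT Support") gives the reader no hint that the domain is wrong.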