With the increase in employees working from home, a comprehensive cyber security plan is imperative now more than ever. Remote access to your business’s network, especially from personal computers and devices, is a weak link in your cyber defenses. This makes the need for comprehensive employee training essential to your cyber security plan. One successful phishing attack combined with remote access can provide bad actors a direct path from your employee’s computer to your business.
Work from Home Safely
For many businesses that suddenly gained a remote workforce, employees are the first line of defense against cyber attacks. Employee education for phishing attacks and basic cyber security measures are essential tools in your business’s defense against a network breach.
Phishing in the Time of COVID-19
While cyber security education has improved employees’ ability to spot phishing attempts, the COVID-19 pandemic opened new avenues for bad actors to exploit in their phishing attacks. The tactics aren’t new. Bad actors continue to trick the distracted or unsuspecting into clicking a link or downloading an attachment, and they continue to target specific individuals for business email compromise (BEC) schemes.
What has changed are the lures used trick the recipient into action. Bad actors have shifted their message to capitalize on the uncertainty around the novel coronavirus. Emails spoofing health organizations such as the WHO and the CDC contain links or attachments that claim to contain information about the coronavirus pandemic. An employee who may know not to click on a random link sent to them in an email, even from a known contact, might not be so careful against a link purporting to inform them about updated COVID-19 news.
Train your employees to be skeptical of all emails or messages related to the COVID-19 pandemic. Most major organizations are not going to be directly emailing individuals. If an email claims to be from an official source, do not click the link, but rather go directly to the organization’s website. Any updated information or legitimate news will be posted there.
Put into place policies and procedures to protect against BEC schemes. Bad actors have tailored their messages to take advantage of the isolation of the remote workforce. BEC attacks rely on the recipient not verifying a request for funds or access with the person or company being impersonated, thus failing to discover that the transaction is illegitimate. Their new tactic to ensure this is to include a note that the requester can’t be contacted due to COVID-19 quarantine, or not to tell anyone so their stated COVID-19-positive status is not known publicly.
Every business should have policies that require all changes to account numbers or unplanned transactions to be verbally verified through known channels (not the email’s contact information) before being enacted. This simple policy reduces the chance of successful BEC attacks from happening in your company.
Bring Your Own Devices
Many businesses don’t have the capital to buy new hardware for their newly-remote workforce. This results in what is referred to as BYOD or Bring Your Own Device. With BYOD, employees use their personal computers or mobile devices to access company data, whether through VPN, web portal, remote desktop application, or software-specific application. This is a cost-efficient option for those working from home, but it comes with risks and can be difficult to secure if you’re not a trained IT professional.
No home network is going to be as secure as a properly set up office network with an enterprise-grade hardware firewall, but there are measures that your employees can take to strengthen their home defenses. Make it policy to ask these basic security questions before allowing employees to work from their personal computers:
- Do they have a router with WPA2 or higher password protection enabled?
- If they live with others, do they have their own password-protected profile on the computer?
- Are all passwords unique and meet your company’s password policy requirements?
- Can they work in a place where others cannot see company data?
- Can they limit browser extensions or use a separate browser for work to avoid data leakage?
- Is their computer operating system and anti-malware/virus software up to date?
- Have they been trained to identify problems with their computer systems that may indicate infection?
- Do they know who to call if they suspect their computer may be compromised while connected to your business network?
- Have they been trained on all work-from-home policies and procedures?
- Have they been trained in cyber security best practices, including how to spot phishing attempts and suspicious websites?
The computers may belong to your employees, but the data they’re accessing is your business. Make sure to reduce the risk of remote access as much as possible.
Training Is Key
The best defense against compromise is a comprehensive, on-going training plan for all employees. They can’t spot phishing if they don’t know how to identify it nor use strong passwords if they don’t know what’s secure. When employees work from home on less secure networks, it is even more important to ensure they are informed and prepared for any cyber security challenges that may arise. Annual training with cyber security professionals can keep you and your employees up to date on the trends in security threats and how to defend against them. Don’t wait until it’s too late to give your employees the information they need to protect your business.
A remote workforce is a weak link in your cyber defenses, but that doesn’t mean you can’t set it up as securely as possible. Verify security measures and provide the necessary training and policies to keep your employees and your business safe.