To protect the health of their employees and customers, and to comply with government stay-at-home orders during the COVID-19 crisis, businesses are sending employees to work from home in record numbers. Fortunately, today’s technologies will allow many of us to continue our work without major disruption. And while working remotely will maintain our productivity, it also comes with new risks to your data security. Thoughtful planning, coupled with the use of security tools and procedures, will greatly reduce your chances of falling victim to cybercrime.
Require remote workers to access your network through a secure channel
Use a VPN (Virtual Private Network) to ensure the flow of information traveling between your employees’ devices and your network is secure. Using a secure VPN connection avoids “man-in-the-middle” attacks that could seriously compromise your data. If using a VPN, employees’ home routers and other devices should be updated to the most current software and security patches.
Alternatively, you can use a Remote Access Gateway (an advanced version of Remote Desktop but without the known security weaknesses). A Remote Access Gateway requires a Microsoft Server and a workstation at the office to log in to. It may be more complex to set up, but it could be a superior long-term solution because it takes much less bandwidth and works more as if you were at your computer in the office.
Limit devices and access
Remote workers should only use company approved devices and applications. Access to devices used for work purposes should be limited to just the employee and should include automatic log-out after non-use for a set period of time.
Allow access to your critical company data on a “need-to-use” basis. Consider which employees need network or application access to complete their tasks and which employees only need access to email or cloud services to work from home. This will further limit your data exposure. Additionally, consider limiting the ability for remote workers to store, download or copy data onto their personal devices.
Use up-to-date software
With the unprecedented number of workers rapidly entering remote work situations, hackers are eager to exploit known security vulnerabilities. Make sure all devices are running the most updated versions of software and that updates are regularly installed. Updates include important changes that improve the security and performance of your systems. Devices still using Windows 7 should be updated to Windows 10 to avoid remote code execution vulnerabilities.
Use strong passwords and Multi Factor Authentication
Passwords remain a frontline defense against unauthorized access to critical data and applications. Require employees to use complex and unique passwords that are changed frequently for all devices (whether company issued or employee’s own) and applications. If you do not already use multi-factor authentication (MFA), implement it now. MFA requires the user to use something they know (their password) with something they have (such as a secure app on their cellphone) to access the system or device. Text messages may be used as a second factor but are sent in clear text and are not as secure as an app configured for MFA.
Be hyper-alert to phishing schemes
We’ve never seen so many workers suddenly thrust into work-from-home situations as we do at this moment. Employees may be managing children home from school or working in a packed or noisy home environment with lots of interruptions. Add to that financial or health stress, social isolation, fear of the unknown and the challenges of daily living, and you have a lot of understandably distracted employees. Additionally, businesses are using remote tools and applications that newly remote users may not be familiar with. All these factors have created a perfect storm of vulnerability for cybercriminals to exploit.
There has already been a feeding frenzy of phishing schemes. Some examples we’ve seen circulating are:
- Spoofs from the CDC, WHO or other governmental agencies claiming to have information about the COVID-19 crisis.
- Phony emails from company leaders or HR departments.
- Emails with phishing links to remote meetings, “secure” documents, Microsoft or phony voice mail.
- Fake IT requests to reset passwords, set up remote connections or resolve urgent access issues.
- Bogus emails from company executives with urgent demands for funds transfers or downloads of sensitive data. To combat this, always require employees to obtain in-person confirmation for such requests. In-person may mean a video conference or direct phone call to the executive making the request.
Reiterate with your employees the need to remain hyper-vigilant to phishing schemes. They should closely examine any unexpected emails with links or attachments and confirm the validity of the email before clicking on anything.
Managing a workforce through a pandemic is something new for all of us. With a bit of thoughtful planning and communication with your employees, you can greatly reduce your risk of cybercrime during this crisis and beyond.
Eric Olmsted is president of Vancouver-based On Line Support, Inc., which provides technology consulting and management services for small to medium businesses in the Pacific Northwest. He can be reached at firstname.lastname@example.org.