COVID-19 has challenged business to think about operations in a new way, and in many cases, companies have started supporting a remote staff for the first time. Even among organizations that have used a remote workforce, most had to make quick adjustments or expansions to their plans, including managing remote devices.
The increased risk of COVID-19-themed cybersecurity scams targeting remote workers should not go unnoticed, as cyber criminals are waiting to prey on these new vulnerabilities in your business. For this reason, organizations need to stay vigilant and keep customer data and users safe by creating new policies and leveraging technologies suited to remote and home working environments.
## Perform a Remote Cybersecurity Assessment
- Do you have a set of standard, practicable measures to ensure IT security and system availability for a remote workforce?
- Have you performed an IT risk assessment to identify remote access risks?
- Have you assessed the effectiveness of the mitigating controls/strategies and adjusted your corresponding IT Business Continuation Plan?
- Do you provide remote devices to your employees, or allow a ‘Bring Your Own Device’ (BYOD) arrangement?
- Have you informed and educated your workforce about the additional dangers during this time?
## Implement Remote Countermeasures and Risk Management Techniques
Whether your users are working on company-issued remote devices or BYODs, the following tips can help secure remote use:
- Perform an IT Risk Assessment that covers all aspects of remote accessing. If you performed an IT Risk Assessment pre-COVID, you should re-assess risks and identify if there are new gaps to address.
- Re-assess the effectiveness of your IT Business Continuation Plan and make adjustments where mitigating controls/processes were not effective. Assess all aspects of the BCP, including dependencies on third-party vendors.
- Ensure users have changed the default name of their home WiFi network and confirm that network passwords are unique, strong, and changed from the default.
- Additionally, advise users to turn on their wireless router’s strongest available encryption setting (any router that does not support at least WPA2 should be replaced with one that does), and disable SSID broadcasting to the general public.
- Ensure the wireless router’s firewall is turned on, or install a good firewall solution.
- Ensure user devices have up-to-date operating systems, security software, and firewalls. Tools can be used to verify the most up-to-date patches have been applied.
- Use a virtual private network (VPN) or remote desktop protocol (RDP) to access your network.
- Assess and advise employees of risks associated with home Internet of Things (IoT) devices, such as smart TVs, speakers, sprinklers, thermostats, video doorbells, printers, and more… These devices should not be on the same network used to access company data, but rather on a secondary or guest network.
- Ensure any third-party systems used are following similar or better security practices.
## Ensure Physical Security of Devices at Home
Bad actors, hackers, and thieves rely to a great extent on weaknesses in users. Organizations should consider the following points to ensure employees’ devices are physically secure:
- Discourage employees from sharing their login credentials with others, including individuals they may trust in their home.
- Do individuals, such as kids or significant others, have separate computer accounts on the systems? These systems are at an increased risk of exposure to malware.
- If you allow printing from home, provide protocols for protecting and disposing of printed material.
- Ensure employees have mandatory hard-drive encryption.
- Ensure data on your employees’ devices is backed up on a regular basis and centralized on the company’s systems. This will mitigate the risks associated with ransomware.
- Request that laptops be stored in a secure area when not in use.
- Consider appropriate actions for furloughed or terminated employees. Recovering hardware, office keys, and badges, and recovering or destroying physical printouts, are critical actions for the security of the organization and of the personally identifiable information it holds.
## Engage in Proactive Assessments and Planning
When something as significant as the COVID-19 pandemic happens, the ripple effects of business disruption may seem incomprehensible. The shift to remote work required quick access to new technology and training.
Organizations should assess the following when planning proactively for business disruption:
- Internal technology needs and availability
- Training requirements
- Vulnerabilities in new systems, or in systems under heavy usage
- Defined procedures for conducting business and for handling potential disruptive events
- Security compliance of older systems and upgrades to new security standards
## Maintain Security Awareness
Organizations should customize their IT Security Awareness Program for remote users to ensure employees, and adopters of your services, are mindful of security threats and avoid common pitfalls. User vigilance is the most effective component in keeping your data and systems secure. Phishing simulation software does a good job at identifying those who need training, and in many cases automatically directs them to training.
Companies transitioning to more remote work, either in response to the pandemic or growing employee demand, must respond to the unique security challenges involved in managing a mobile workforce.
Contact a K·Coe technology advisor for a cybersecurity assessment or implementation guidance.