25 May 2020
As businesses are increasingly working remotely, cybercriminals have been quick to take advantage of the vulnerable and unprepared. The FBI has warned of a surge in COVID-19-related cyberattacks. Cybersecurity companies claim that malware and phishing scams are on the rise.
Workers accustomed to face-to-face meetings might be finding it difficult to adapt to the new remote working environment. IT departments, too, are struggling to help workforces to get up and running at home.
This is a time of unprecedented financial turmoil for many businesses. But don't neglect the infrastructure that allows your employees to communicate and keeps your company's private information safe.
Perhaps you've been managing remote workers for years. Or perhaps this environment is uncharted territory.
Either way, you can consider this an opportunity to take stock of your company's remote working practices and work towards the highest standards of cybersecurity.
It's important to stay up to date on emerging threats to your company's privacy and security.
You should also regularly check for updates to your online platforms and service providers. Companies such as Zoom and Microsoft regularly update their blogs to alert users about any vulnerabilities exposed in their software.
Your employees' home networks and devices are unlikely to have the same level of security as is available at your business premises.
Mistakes can be costly and can lead to a breach of your company's or your customers' private information.
Cybersecurity and data protection training should be an essential part of your employees' development. If you've never conducted such training with your staff, now's the time to start.
Let's look at some of the elements of an effective cybersecurity training program.
Your company is obliged to comply with certain privacy and data security laws. Depending on where your business and your customers are based, such laws may include:
It's not enough for your CEO and your IT department to be aware of your company's legal obligations. Everyone in your business is accountable under the law.
Your cybersecurity training can explain:
There has recently been an unprecedented rise in "phishing" scams, whereby malicious actors trick people into giving up their personal or sensitive information.
Phishing scams take many forms. A common type of phishing scam is known as "domain spoofing," where cybercriminals set up a fake website that looks near-identical to a legitimate website to trick people into entering their login credentials.
Other phishing scams involve sending fraudulent emails or social media messages requesting personal or financial information.
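As an added example (not part of the original article), the sketch below shows how a mail filter or training exercise could flag the look-alike domains described under "domain spoofing" by comparing each link's hostname against a list of domains the company actually uses. The domain names, the `TRUSTED` list and the two-label rule for finding the registered domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list for illustration; build the real one from your own domains.
TRUSTED = {"payroll.example", "mail.example"}

# Digit-for-letter swaps often used in fake domains, folded back to the letter.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance, computed with one rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def classify(url):
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a link."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    # Assumption: the registered domain is the last two labels (no public-suffix list).
    registered = ".".join(host.split(".")[-2:])
    if registered in TRUSTED:
        return "trusted"
    folded = registered.translate(HOMOGLYPHS)
    for good in TRUSTED:
        # Near-miss spelling: typo, swapped letters, or a digit standing in for a letter.
        if edit_distance(folded, good) <= 2:
            return "lookalike"
        # Trusted name used only as a subdomain of a different registered domain.
        if host.startswith(good + ".") or "." + good + "." in host:
            return "lookalike"
    return "unknown"


# Constructed sample links, as they might appear in a reported email.
SAMPLES = [
    "https://login.payroll.example/reset",
    "https://payro11.example/reset",
    "https://payroll.example.secure-login.test/reset",
    "https://www.python.org/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):9}  {link}")
```

A "lookalike" result is a prompt for review rather than proof of fraud, and an "unknown" result only means the domain does not resemble anything on the list.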
Your cybersecurity training program can explain:
Whether it's out of necessity or a desire to stay in bed, your employees are more likely to access company information from their personal devices when working from home.
Using personal devices may be permitted, forbidden, or unavoidable. In any case, your cybersecurity training program can explain your company's rules on personal devices and provide instructions or advice on how to mitigate the associated risk.
To ensure employees' home workspaces aren't vulnerable to cyberattacks and data breaches, consider asking them to install security software on any device used to access personal or sensitive data.
Anti-malware software is a crucial addition to any business workstation.
Attacks involving sophisticated malware, such as ransomware, are increasingly common. Protecting against such threats requires advanced cybersecurity software.
Anti-malware software should:
Poor password habits are a major source of data breaches.
Your employees should not be securing online accounts using easily crackable passwords such as "password123." They also should not be using the same password for all of their accounts.
It's easy to resolve these poor cybersecurity practices by using password manager software. A password manager generates strong passwords, stores them securely, and automatically enters login information online.
Many password manager providers offer business packages that allow IT departments to centrally manage employees' passwords without invading their privacy. Password managers can also reduce the burden of resetting forgotten passwords.
When employees access your company's data remotely, there is a chance they will do so via an unsecured Wi-Fi network. This leaves your company's data vulnerable to so-called "man-in-the-middle attacks."
Network security is a key concern when using unknown or public Wi-Fi networks. While none of your employees is likely to be working in a coffee shop any time soon, their home Wi-Fi network also might not be sufficiently secure.
To facilitate secure remote access to your company's servers, consider setting up a Virtual Private Network (VPN).
A VPN allows remote workers to access all resources on your office IT network via a secure, encrypted connection. A VPN will encrypt data flowing to and from your company's network even if accessed via an unsecured public network.
You can set up a VPN with a third-party provider without needing to install any physical hardware at your office. Reputable VPN providers such as NordVPN, ExpressVPN, and IPVanish all have ready-to-use VPN software solutions for business customers.
Multi-factor authentication (MFA) adds an extra security step when logging into company accounts.
When using MFA, your employees will need to verify their identity by providing multiple pieces of authenticating data. For example, as well as entering a password, they might be required to enter a verification code received via their email address or mobile device.
MFA is a requirement under certain cybersecurity laws, such as the NYDFS Cybersecurity Regulations (23 NYCRR 500) and the EU Payment Services Directive.
Many workers have had to familiarize themselves with new software applications in recent weeks. Using new service providers comes with privacy and security considerations.
Businesses subject to the CCPA or GDPR must only share personal information with service providers subject to a written contract.
Using video conferencing software involves inherent cybersecurity risks. Whatever platform you choose, it's worth conducting a risk assessment.
If your team is working from home, cloud storage is more useful and convenient than ever.
Remotely sharing and collaborating on documents is simply not possible without using a cloud storage platform.
Whether you've used a cloud storage provider for some time, or you've only started recently as a result of the pandemic, think carefully about your practices.
It's crucial to maintain a robust and comprehensive IT Security Policy to help employees navigate your rules when working from home.
You can't expect to be able to hold employees accountable for lapses in security unless your company's rules are clear.
Your IT Security Policy can detail information such as:
You should review your company's Data Breach Policy to ensure that it is appropriate in the current circumstances.
Your Data Breach Policy should explain:
Your company may not necessarily require a standalone Data Breach Policy. This information can be integrated into your IT Security Policy or staff handbooks.
In any case, it's essential that anyone with access to personal or sensitive data understands how to identify, contain, and respond to a data breach.
Be as transparent as possible about how your business uses consumers' personal information.
Managing your remote employees' cybersecurity practices might be a challenge. But you remain legally and ethically obliged to protect personal and sensitive information in your company's control.
Some ways to make this transition to remote work more secure include: