Working from home (WFH) or teleworking will remain business as usual for the foreseeable future with COVID-19 gaining momentum in the US and across the globe. Businesses have scrambled to adjust to this new normal. WFH has strained IT department resources and it is testing cybersecurity as criminals look to take advantage of an unprecedented situation. It’s important to keep in mind that cybercriminals are not giving anyone a pass and it’s important to remain defensive.
- Be vigilant to phishing and social engineering scams.
- Disinformation is being spread and cybercriminals are taking advantage. Be aware of watering hole attacks. According to The National Institute of Standards and Technology (NIST), in a watering hole attack, the attacker compromises a site likely to be visited by a particular target group, rather than attacking the target group directly.
Here are some steps and measures to consider for your company and WFH offices:
Make it harder for cybercriminals to gain access to your information.
- Consider a password manager application to help you create and track unique and complex passwords. Credential reuse is an issue where the application helps you to remember and implement stronger passwords.
- Turn on Multi-Factor Authentication or Dual Factor Authentication with banking, e-mail accounts, password manager applications, and smart devices in your home, etc.
- Set up a guest network for visitors to your home and adding smart devices to this network.
- Check with sites like SpyCloud or Have I Been Pwned to track breach exposure and force password resets if your information has been compromised.
- Reset your router’s password or update the device.
- Do not connect to public Wi-Fi. There are security risks associated with logging on.
Blocking and Securing Devices
Malicious software and zero-day exploits are an everyday occurrence. It is important to be prepared.
- Verify anti-virus is enabled and up to date on your devices.
- Utilize next-generation antivirus for your home environment.
- Think about blocking pop-up ads.
- Unplug your smart speaker while working from home if you work in a role that involves highly confidential information.
Cybersecurity Training and Awareness
Many Cyber Liability policies provide training resources and modules that can be assigned to employees for cybersecurity training. In addition, they may offer phishing and security awareness training.
- Research implementing cybersecurity training for all employees.
- Use phishing simulations to train employees and provide additional education for those that fail the simulations.
- Confirm your organization’s Incident Response Plan is up to date and includes your Cyber Liability Policy information and claims contact.
Data Security and Software Vulnerabilities
Patch management is critical for all software and devices.
- Remember to encrypt data while at rest and in transit. Be sure to include encryption on portable devices as well.
- Back up data and make sure it is secured properly. It may be a good idea to keep physical copies in the event backups are compromised.
- Make sure you are patching Software Vulnerabilities.
Web Video Conferencing Cyber Security Tips
The proliferation of web and video conferencing tools during this pandemic has led to increased risk and security concerns. While many IT departments will have built-in security features with the purchase and execution of enterprise-level contracts with these services, it doesn’t account for the multiple users within a household that may be using free versions of a tool, or other in-home security issues tied to unsecure networks, etc. For example Zoom, which has experienced explosive growth and utilization and with it compromises to security (like unwanted call crashers), released a statement from its CEO along with helpful user guides, like the following, How to Keep Uninvited Guests Out of Your Zoom Event.
Please consult with your information security teams on the issues specific to your business and remote work setup.
For any questions, please contact us here.
Sources: (csrc.nist.gov, wired.com, McAfee.com, gizmodo.com,)
Note: This communication is for informational purposes only. Although every reasonable effort is made to present current and accurate information, ISBC makes no guarantees of any kind and cannot be held liable for any outdated or incorrect information.