Wake up, brush your teeth, say, “Good morning,” get a cup of coffee, log into the computer. This is the new normal for many of us as the COVID-19 pandemic continues to cause headaches and stress in our personal and professional lives.
Connecting to our company networks remotely provides us the necessary flexibility to remain productive during these times. Organizations most likely have spent a great deal of time and resources to prepare for increased teleworking demands. We can all do our part and support these efforts by ensuring we still practice appropriate cyber hygiene while working remotely. Though it may come as an afterthought with all the news surrounding us these days, practicing appropriate cyber hygiene remains an important part of your organization’s cybersecurity preparedness, whether in the office or not. In addition to adhering to organizational information security practices and trainings, keep the following in mind when deploying teleworking capabilities (for IT teams) and working remotely (general personnel):
- Enable virtual private networks (VPN) and multi-factor authentication (MFA) where possible
  - Requiring users to provide an additional layer of identification greatly reduces the chances of compromised accounts logging into your network.
  - VPNs provide a secure connection to your network from remote locations. Certain VPNs can also require devices connecting into the network to have security-related tools active and up to date prior to permitting a connection.
  - Ensure password requirements are appropriate and consistent with security best practices; per the annual Verizon DBIR, weak passwords continue to be a common driver for data breaches.
- Continue due diligence in identifying malicious and phishing emails
  - Have processes or tools in place for personnel to be able to report suspicious emails to IT/Security.
  - Have processes or tools in place to scan attachments for malicious files prior to being opened.
  - Ensure security awareness training includes content related to the identification of malicious emails.
- Be wary of fraud and social engineering attempts
  - Disasters and emergencies are often prime times for criminals to take advantage of people’s heightened anxiety. Continue using your best judgement when visiting websites related to donations and data for COVID-19, or when unknown numbers pop up on your phone. Reports continue to surface of websites and interactive data charts and tools that are frequently embedded with malware.
- Keep systems up to date to the best of your abilities
  - Some companies will have tools in place to automate these processes as soon as users log into VPN, while others will require manual intervention on the user’s part. Regardless, perform the necessary due diligence so that your operating systems and supporting security tools (e.g. antivirus) remain up to date even outside the office. If not already being done, consider enabling automatic updates.
- Incident response processes remain key
  - Ensure you and your teams know who to contact in the case of a suspected security incident or general security questions.
  - For security teams, have an incident response plan documented and ready to act upon in case suspected data breaches become a reality.
Security considerations for a remote workforce are nothing new for many organizations, and a deep collection of knowledge on the subject is already out there. SANS.org, a leading information security training provider, has published a great free resource for securely working at home, which we recommend for those wanting to practice strong cyber hygiene while working remotely. Continue reviewing and assessing the knowledge out there to identify what works best for your organization during this time, along with considerations for down the road once a return to normalcy starts to happen.
Be safe. Be prepared. We’re all in this together. For more information on this topic and other risk advisory matters, contact Renzo Portella at 301.231.6200.