While the world is focused on the systemic threat posed by Covid-19, cybercriminals around the world undoubtedly are poised to capitalize on the crisis by launching a different kind of “virus.” More and more employees are working remotely by the day, and companies may eventually face the prospect of functioning with little to no personnel on-site or skeleton crews in IT and other important support functions.
Against this backdrop, both employers and employees need to take the utmost care to protect themselves as well as confidential company information. Here are some things for employers and employees to keep in mind to minimize the risk:
- Be Extra Vigilant About Phishing Emails
Cyber criminals love a crisis. Be on the lookout for phishing emails designed to entice you to click on the latest and greatest offer related to coronavirus protections, or with urgent instructions from your boss who is out of the office, all with the intent of getting you to unwittingly download malware onto your device and the company’s systems.
The past few weeks have brought a sizable uptick in business email interruption scams, in which Office 365 or Gmail accounts are hacked through a phishing email and the hacker then sends fraudulent invoices purporting to be from legitimate vendors, with changed wiring instructions that send the money to the hacker’s account.
Enable multi-factor authentication on whatever accounts you control, and certainly be sure it is in use for Office 365 email accounts. That step will thwart all but the most sophisticated actors. If you have any question about the validity of an internal company email, don’t hesitate to contact the sender — and certainly do so before wiring any money or following changed payment instructions.
- Practice Good Cyber Hygiene
Make sure your devices — including your internet router — are up to date on their anti-virus protection and that you’re using secure and known connections. Avoid the temptation of using Bluetooth in a public place — it is an easy way for hackers to connect to your device. Use multi-factor authentication on any accounts for which it is available. Follow company guidelines on internet use and use of your own device.
- Only Use Secure WiFi
Only work on secure, password-protected internet connections. If you have to use public WiFi, be sure to verify with the owner that the network to which you’re connecting is their legitimate network and is secured through a password. Avoid accessing any confidential or sensitive information from a public WiFi network. Hackers will try to trick you by mimicking the name of a secure network, so look closely and verify to make sure the one you’re joining is legitimate. If you don’t, you can give the hacker access to and control over everything you do on the internet.
- Report Lost or Stolen Devices Immediately
Remote work increases the potential for the loss or theft of your devices. Be sure to report any lost or stolen device immediately to company information security personnel to minimize the risk of fraud.
- Set Up Remote Access Now
If you have personnel who need remote access, get it assigned now before an office closure. It is more difficult to issue multi-factor authentication tokens to offsite employees who are working remotely for the first time and to install similar technology without physical access.
- Confidential Information is Still Confidential
Remind employees to use the same care or more with confidential information as they would if they were in the office. Personal email should not be used for any company business, and employees need to keep track of what they are printing at home. If the printed document would be subject to shredding in the office environment, take care to segregate and shred that same document at home, or refrain from printing it in the first place.
- Remind Employees Not to Use Personal Laptops for Work
Ask your employees to use company-issued laptops or to contact your information security personnel if they are unsure about the equipment they are using. Use of personal devices creates problems around document preservation and adds risk. In addition, the software powering some home equipment can be months or even years out of date.
- Update Your Emergency Contacts
Be sure your company has an “out of band” way to contact all employees, whether a cell phone number or another way to reach the employee outside of company systems. That way, should your company fall victim to an attack (malware, ransom, DDoS or other type), you’ll be able to communicate with your employees. For key personnel or senior management, set up a group on a secure texting application such as Signal so that if the systems are down and email is unavailable, senior management will be able to communicate without fear of interception by cyber criminals.
Remote access tools have advanced in ways that were inconceivable even as little as 10 years ago, making en masse remote work possible. As with all data security, however, remote access is only as strong as its weakest link. With a strong combination of technology and employee know-how and training, it can be done safely and smartly. Stay safe and be careful out there.