By Marty Puranik, President & CEO, Atlantic.Net
The COVID-19 pandemic has engulfed the world’s population, crippled global economies, and changed the way of life for almost every single person in every single country around the world. Nearly six million infection cases have been confirmed. Over two million people have recovered, but over 350,000 deaths have been registered so far, and sadly this figure is expected to grow substantially in the coming days and weeks.
Governments around the world have encouraged employees to work from home wherever possible. Frontline key workers are still required to continue their occupations but unfortunately, many millions have lost their jobs, and tens of millions have been furloughed on government financial aid.
Currently, there is an enormous workforce engaged and actively working from home, keeping businesses alive in one of the biggest challenges to face a generation. Some reporters are referring to this shift in working behavior as the greatest work-from-home experiment.
With this paradigm shift of working behavior, additional risks and security concerns must be considered to protect organizations from things like wire transfer fraud, ransomware, and exploitation. There is a vast amount of evidence to suggest that cybercriminals are out in force to take advantage of the COVID-19 pandemic.
The most common attack vectors seen in recent weeks are targeted and extensive phishing email campaigns and spoofing using SMS and mobile communications platforms such as WhatsApp.
What can you do to protect your workforce and business from being compromised? We have compiled a list of some of the most effective measures to be undertaken to protect your organization.
Make Sure Your Security Policy Is Valid
The COVID-19 outbreak has highlighted that most organizations’ cybersecurity policies, especially policies regarding mobile computing and teleworking, may be inadequate. Businesses have been scrambling to change the guidelines to adapt to the pandemic. Very few organizations would have had a business continuity strategy that solved all the issues brought about by the seismic shift to home working.
Specific policies to update may revolve around the physical protection of company IT equipment, making sure children or relatives do not use company assets, which can help to keep assets in good working condition. If additional technology is needed by the employee, such as extra monitors, keyboards, or printers, a formal process should exist to track where company assets are located. Perhaps logging a service desk ticket for management teams to approve the removal of company technology. This process greatly improves how assets can be tracked.
Other control measures can be introduced or updated to define the organization’s rules and regulations on the usage of laptops, computers, handheld tablets, mobile phones, and digital media, including disks and memory sticks.
Keep Data Protection Relevant
Maintaining data protection is critically important for organizations, even more so when employees are working from home. Organizations are duty-bound by government regulations to uphold data protection. The regulations still apply no matter where the employees are working, be that an office-based role, or when working from home.
All laptops should have some form of data encryption software installed, such as Microsoft BitLocker. This software protects the data stored on the employee’s physical device. In the event a company device is lost or stolen, the data is secured and encrypted. Domain policies can force remote terminals to lock the screen after a few minutes of inactivity during the lockdown period.
All portable equipment should have a machine or boot-up password, and a domain user account that should be required when powered up. This may be a BIOS protected screen lock, or it might just be the Windows Logon utility. Either way, the device must not boot straight into the operating system without prompting for credentials. This will stop unauthorized access to the data stored on the equipment.
Secure Physical Assets
High valued assets must already have the standard security features such as usernames, passwords, and PINs. Extreme care should be taken with mobile computing being used outside of the organization’s premises. In the home environment, extra care should be taken to secure customer and organizational data.
Protection should be in place to avoid unauthorized access or disclosure of the information stored and processed by the equipment. No other person should be able to access the equipment or view information on the screen, and you should guard against eavesdropping. Do not openly discuss confidential or Payment Card Information where you may be overheard.
Create Strong Passwords
Ensuring a strong and robust password protection policy might sound like common sense, however, the weakest point of security on a corporate network is the end-user. Enforcing system-wide, managed password policies can help to create a hardened perimeter on the network.
Support teams may have to do a little extra work to unlock and reset user accounts if the password is forgotten, but instilling a complex password policy, and a regular, enforced password expiration date will help to give the best protection to the remote workforce.
Introducing multi-factor authentication (MFA) for home workers can add extra security for business assets. Using MFA to access cloud storage such as Onedrive, or when accessing Exchange email systems and collaboration tools such as Slack, Teams, or Skype for Business, will add an extra layer of security when out of the office.
Communication and the Training of Homeworkers
Lots of people have worked from home in the past, but for many, COVID-19 has forced employees to use technology and work from home for the first time. For many, this change is extremely difficult to adapt to. Not only at a technical level, but adapting to online meetings and working on your own.
This introduces many security risks. Employees may not remember all the rules of home working. They may bring their device or they may unintentionally share confidential information on social media.
Clear and concise communication channels from senior management or HR should communicate a consistent message defining what the expectations of the employee are. The messaging should describe how the business intends to function during a lockdown and what the company priorities are.
Combine that with training sessions, online classes, or one-on-one training about how to use collaboration tools, cloud productivity tools, and how working from home affects access to everyday user applications.
Engaging with employees regularly is a great way to promote wellbeing at work, and keep productivity and engagement throughout the business. This benefits morale, and importantly creates a greater understanding of how to use computer systems securely.
System Updates / Antivirus
Security updates to operating systems and applications have never been more important than during the COVID-19 crisis. System administrators have the responsibility of ensuring that the mobile workforce information technology is up to date and has the latest security updates.
When an employee’s laptop connects to a corporate network, it will typically check in with a centralized administration portal, such as Microsoft System Center (SCCM). Toolsets like this manage the update schedule of thousands of laptops, computers, and mobile devices over a VPN or standard Internet connection.
Administrators can force updates out on demand to keep antivirus, antimalware, and system updates at the latest level. This creates the best line of defense against malware and ransomware attacks.
The software on the portable equipment must comply with the organizational standards to ensure it is supportable. As mentioned earlier, up-to-date antivirus detection software is installed to protect local systems. No unauthorized software should be loaded on to company assets, no matter how trivial. The software should not be tampered with to circumvent security measures put in place, such as disabling antivirus system scans.
Any tampering of the software should be considered a disciplinary offense, and the antivirus suite should be configured to audit user behavior. When used to access the Internet, the user’s device should utilize a proxy server where the activity is logged and monitored.
About the Author
Marty Puranik co-founded Atlantic.Net from his dorm room at the University of Florida in 1994. As CEO and President of Atlantic.Net, one of the first Internet Service Providers in America, Marty grew the company from a small ISP to a large regional player in the region, while observing America’s regulatory environment limit competition and increase prices on consumers. To keep pace with a changing industry, over the years he has led Atlantic.Net through the acquisition of 16 Internet companies, tripling the company’s revenues, and establishing customer relationships in more than 100 countries. Providing cutting-edge cloud hosting before the mainstream did, Atlantic.Net has expanded to seven data centers in three countries.