Page 79 - Cyber Defense eMagazine for September 2020
alerts about someone needing to pay fake bills during quarantine. As the pandemic continues, there are
more phishing schemes that tout false vaccine news or encourage people to donate to phony
charitable organizations. Employees need training that helps them spot the hallmarks of phishing
emails, including misspelled words or links in the email, urgent language, or a request for the recipient to
submit personal information. Remind employees that deleting such emails is always a sound practice, or
at the very least they can screenshot the content and ask the security team to review it.
In addition to phishing training, security teams should also detail the dangers of vishing and smishing scams.
Vishing social engineering attacks involve tricking someone into providing private information through a
phone call, for example through the common ruse of an automated message urging the recipient to call
their “financial provider.” Text and SMS messaging is under attack from “smishing,” which hackers use to
send alerts and requests for information. For example, a text might pretend to come from Amazon and
direct people to update shipping and credit card information. Security teams should provide information
about these scams to staff, including visual examples of each type. Remote workers are
especially at risk for these types of attacks because they often use their own devices to access both corporate
and personal networks and email platforms, which increases the number of suspicious messages they
receive.
The Right Tech and Protections
SMBs that stick with remote work for the long haul will need to devote resources to shoring up security. A
first step is to provide staff with their own laptop or workstation preloaded with the proper anti-malware
software, firewall protection, and various company protocols. What about BYOD? As remote work
becomes the standard, many firms will curtail BYOD because staff use their own devices for riskier
behaviors in terms of cybersecurity threats. There are multiple issues regarding BYOD data storage and
movement through various devices. Many firms will find it easier to avoid potential privacy issues with
BYOD by issuing corporate phones and laptops. There are also device support and updating
headaches with BYOD, whereas corporate devices bring uniformity to updates and device-specific policies.
Further protections for remote work include mandating the use of encryption software for all
employee-produced data, which creates a layer of protection against theft or loss of the device. Employees should
also use encrypted internet connections and, for optimal protection, consider end-to-end encrypted
email and file sharing tools used in tandem with VPNs or remote desktops. Remote workers will adjust
to using VPN connections while at home or on the road. They’ll need explicit company policies and best
practices about using the VPN, including: staying updated with VPN patches and configurations, 100%
adherence to using the VPN, and knowing when to disconnect from the VPN when utilizing bandwidth
for non-work purposes (video streaming, etc.).
Remote workers should also use two-factor authentication for all company passwords. They need
context for why this extra step is necessary and need to understand any risks to such authentication, for
example the ways social engineering attacks can still exploit two-factor authentication.
Monitoring
As remote work expands into multiple sectors and types of roles, firms will start to implement more
intensive monitoring. This will include web camera feeds during work hours, real-time keyboard logging,
and live shared screen views. Such initiatives bring about a host of privacy concerns, especially for
workers sharing their Wi-Fi or devices with family members. Employers instituting monitoring will need to
create written policies, so employees are aware of the extent of such efforts and their implications. On
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.