By Bill Delisi, CEO of GOFBA
There are many “new normal” that apply to different parts of life and certain industries. For cybersecurity, a core change to the landscape is the impacts of remote work and security issues both during and after the COVID-19 era.
Unfortunately, the willingness of SMBs to encourage remote work conflicts with a general lack of preparedness among staff and security teams for the related cybersecurity challenges. According to a June 2020 study from IBM, which found among other issues that “more than 50% of respondents don’t know of any new company policies related to customer data handling, password management and more.”
To rectify the vulnerabilities that come with remote work, SMBs need to increase training and mandate the usage of the proper tech tools. Here are some other considerations.
Phish, Vish, and Smish – The Need for Training
Phishing schemes continue to wreak havoc during COVID-19, as hackers consistently prey on people’s fears. During the early days of the pandemic, there was a rush of scams about COVID-19 testing, or fake alerts about someone needing to pay fake bills during the quarantine. As the pandemic continues, there are more phishing schemes produced that tout false vaccine news or encourage people to donate to phony charitable organizations. Employees need training that helps them to spot the hallmarks of phishing emails, including misspelled words or links in the email, urgent language, or a request for the recipient to submit personal information. Remind employees that deleting emails is always a sound best practice, or at the very least screenshotting the content and asking the security team to review.
In addition to phishing training, security should also detail the dangers of vishing and smishing scams. Vishing social engineering attacks involve tricking someone to provide private information through a phone call, for example through the common ruse of an automated message urging the recipient to call their “financial provider.” Text and SMS messaging is under attack from “smishing” which hackers use to send alerts and requests for information, for example, a text might pretend to come from Amazon and direct people to update shipping and credit card information. Security teams should provide information about these scams to staff, which should include visual examples of each type. Remote workers are especially at risk for these types of attacks due to often using their own device to access both corporate and personal networks and email platforms, which increases the number of suspicious messages they receive.
The Right Tech and Protections
SMBs that stick with remote work for the long haul will need to devote resources to shore up security. A first step is to provide staff with their own laptop or workstation preloaded with the proper malware software, firewall protection, and various company protocols. What about BYOD? As remote work becomes the standard, many firms will curtail BYOD due to staff using their own devices for riskier behaviors, in terms of cybersecurity threats. There are multiple issues regarding BYOD data storage and movement through various devices. Many firms will find it is easier to avoid potential privacy issues with BYOD by issuing corporate phones and laptops. There is also the device support and updating headaches with BYOD, and corporate devices bring uniformity to updates and device-specific policies.
Further protections for remote work include mandating the use of encryption software for all employee-produced data, which creates a layer of protection from theft or loss of the device. Employees should also use encrypted internet connections, and for optimal protection consider end-to-end encrypted email and file-sharing tools used in tandem with VPNs or remote desktops. Remote workers will adjust to using VPN connections while at home or on the road. They’ll need explicit company policies and best practices about using the VPN, including; staying updated with VPN patches and configurations, 100% adherence to using the VPN, and knowing when to disconnect from the VPN when utilizing bandwidth for non-work purposes (video streaming, etc.).
Remote workers should also utilize two-factor authentication for all company passwords. They need context for why this extra step is necessary and to understand any risks to such authentication. For example, the ways social engineering attacks can still exploit two-factor authentication.
As remote work expands into multiple sectors and types of roles, firms will start to implement more intensive monitoring. This will include web camera feeds during work hours, real-time keyboard logging, and live shared screen views. Such initiatives bring about a host of privacy concerns, especially for workers sharing their Wi-Fi or devices with family members. Employers instituting monitoring will need to create written policies, so employees are aware of the extent of such efforts and their implications. On the security front, monitoring should check remote workers’ adherence to best security protocols, such as usage of VPNs, or risky search behaviors. To combat risks during work times, employers will turn towards secure search engines and communication platforms such as GOFBA which provide intelligent filtering for pornographic, violent, and potentially malware-ridden internet content.
Many SMB owners and managers are not eyeing a return to office buildings and commutes. A May 2020 survey from Intermedia found 57 percent of SMBs that instituted remote working due to COVID-19 said they will likely allow such arrangements in the long term. The survey found business owners noted increases in employee availability, and boosts to both job and life satisfaction as positive reasons for remote work, along with the corresponding lowered overhead costs. There are multiple benefits for remote work if companies increase their training, technology, and policies to protect company data from cybersecurity risks.
About the Author
Bill DeLisi is one of the world’s most authoritative experts on cybersecurity. He is currently the Chief Executive Officer, Chief Technology Officer and a founding member of the Board of Directors for GOFBA, Inc. DeLisi has more than 30 years of experience in the computer industry, including holding the position of Chief Technology Officer at several companies. He has worked closely with Microsoft Gold Certified Partners, helping pioneer “cloud” computing and creating security infrastructures that are still in use today. DeLisi is responsible for the development of proprietary technology that serves as the backbone of GOFBA’s platform and has over 30 certifications with Microsoft, Cisco, Apple, and others, which includes the coveted Systems Engineer with Advanced Security certification, as well as expert status in Cloud Design and Implementation.