Between social distancing guidelines and stay-at-home orders, it’s clear that we’ll all be spending a lot of time at home.
While many of us might normally work from home a day or two out of each week, few firms are used to having all their staff work from home for weeks at a time.
This means that many companies have not implemented security measures that are most appropriate for a fully remote team.
To help you make the adjustment, here are some big-ticket vulnerabilities along with recommendations on how to best mitigate them.
1 – Using personal devices
The laptops and desktops your firm owns are secure. They have up-to-date patching and anti-malware. They have simple but important polices like an automatic screen lock. They’re backed up and might even have hard drive encryption and remote wipe capabilities.
Do the personal devices accessing your data even have anti-virus beyond Windows Defender? Are any running Windows 7, which has been out of support for months?
If a vulnerable machine is accessing your firm data, that data becomes vulnerable.
Best practice is to only allow your people to work from firm-owned equipment. If you try purchasing new equipment today, though, you will probably run into significant delays with manufacturing. Your second-best option is to roll out workstation management software to these personal devices. Your IT team can help with this.
2 – Heightened scam activity
Scammers are having a field day with this pandemic. We’re anxious, we’re distracted, we’re working with new and unfamiliar technologies, and we’re accessing confidential data outside of our secure office network.
In a span of just seven hours, cybersecurity company ESET detected 2,500 infections from malicious emails that played on COVID-19 themes. Phishing emails that appear to come from legitimate sources like the World Health Organization offer links or attachments with information about the spread, face masks, a vaccine—anything that will tempt recipients into clicking and infecting their machines with spyware, ransomware, or otherwise.
And the massive success of these scams means that hackers will double-down.
Fortunately, we can avoid these scams by practicing the same awareness tactics you’ve heard before:
-Don’t click links or download attachments you weren’t expecting.
-Watch for poor grammar and generic greetings (sir/ma’am)
-Don’t offer up personal information unless you can verify the request (by calling the sender, logging directly into your Facebook account, etc.)
Regarding coronavirus specifically, be sure to stick to official websites (WHO, CDC) for the latest news on the outbreak.
3 – Not using multi-factor authentication
Multi-factor authentication keeps you protected even if you make a mistake—which, as I mentioned above, is a lot more likely in today’s landscape.
Say you fall for a phishing scam and enter your Office 365 credentials onto a fake web page. But, your Office 365 account is set to send a verification code to your cell phone. Even with your email address and password in-hand, the hacker still can’t access your account unless they’ve also managed to steal your cell phone.
In January 1.2 million Microsoft accounts were compromised. Microsoft has said “multi-factor authentication would have prevented the vast majority of those one-million compromised accounts.”
Work with your IT team to (forcibly) enable multi-factor authentication on as many applications as you can. This is often not labor-intensive, and it can do wonders to keep your accounts locked down.
4 – Sharing devices with others
If you live with roommates or family members, you may find them asking to borrow your machine for anything from their distance learning assignments to streaming movies.
Whether this machine is personal device or owned by the firm, letting others onto the same equipment being used to store and access client data puts that data at risk. It only takes one wrong click to put your threat detection and response software—assuming any is installed—to the test.
And in some cases, someone just seeing an open document on your machine is a compliance violation.
Your firm policy may already have guidelines against sharing devices, but keep in mind that this is new territory for all of us, and that some may need help finding an alternative.
_________________________________________________________________
Heinan Landa, CEO and Founder of Optimal Networks, a globally-ranked IT services firm, and author of The Modern Law Firm: How to Thrive in an Era of Rapid Technological Change.