Promoting Cybersecurity as COVID-19 Develops
As the COVID-19 situation develops, it’s important that companies take a proactive approach to cybersecurity as they transition their teams to remote work.
Don’t Forget to Focus on Security Best Practices in Addition to Employee Safety
By now, many organizations have transitioned their teams from in-office to remote in an effort to protect employees and prevent the spread of COVID-19. Employees are being armed with laptops and other remote work equipment, and companies are committing to meeting via conference or video calls only. These efforts are admirable and necessary to protect employees as well as their partners and customers during this difficult time.
However, because of the rapid spread of COVID-19 and the need for organizations to act, cybersecurity best practices aren’t always being addressed. Right now, cybercriminals are taking every opportunity to exploit COVID-19, using everything from phishing and fake mobile apps to various forms of malware and ransomware.
One recent phishing attempt targeted students and staff members at a university. Attackers prepared an email that appeared to be coming from the university’s board of trustees and directed recipients to a page with information about how the university was responding to the situation. Knowing that people would be more likely to click on the email, the attackers modified the URL to point to a fake Office 365 login page aimed at stealing users’ credentials. It was a smart attack, given that recipients would’ve been annoyed at having to log in again and would likely have just entered their credentials to get to the information.
Sadly, this is just one example of many COVID-19 cybersecurity incidents. Despite the stress of getting set up to work remotely, companies must not lose sight of cybersecurity best practices. It’s far too easy to hastily make changes throughout the organization (often at leadership’s urgent direction) and skimp on the security settings that otherwise would have been implemented or observed. Of course, protecting people comes first — but it’s critical that steps are taken ahead of time to protect the organization’s network, devices, and data as well. Otherwise, companies may be facing even more challenges later.
What to Consider When Transitioning Teams to Remote
Many organizations that weren’t set up for remote work have been scrambling to procure laptops or various permissions and licenses that employees can use on their personal devices. Both of these routes have their own security challenges. New devices, as well as devices that aren’t part of a company’s device or asset management program, may not be set up to follow the organization’s cybersecurity policies or use the same security tools.
Whether a company decides to purchase new hardware for its team members or start essentially following an emergency bring-your-own-device (BYOD) policy, it’s critical that attention is paid to how employees will be connecting to the organization’s network, accessing and using data, and communicating with one another as well as outside parties.
Employees using their own devices should be educated on an ongoing basis about how to observe and practice good cyber hygiene on their personal devices. Details on how to patch software and operating systems, install and run antivirus software, and other recommendations should be shared (or even validated as a requisite for remote work).
Virtual Private Networks
One of the most immediate needs will be virtual private network (VPN) licenses for new laptops. This also goes for any existing laptops that company IT teams may have had in inventory but did not hold licenses for because they were not in use. VPNs allow employees to access company networks securely by masking IP addresses so activity is essentially untraceable and by encrypting the connection well beyond even a secured Wi-Fi connection. This is important because organizations can’t guarantee that employees have done all they can to make their home Internet connections secure.
For companies with an existing VPN structure, it’ll be important to consider whether your existing VPN infrastructure can scale up to support the surge of users. As we’ll cover shortly, your bandwidth is about to skyrocket. Make sure to consider this as you evaluate your existing network and determine what number of licenses to add.
Two- and Multi-Factor Authentication
Additionally, companies must ensure they have two-factor authentication (2FA), and preferably multi-factor authentication (MFA), enabled for all devices that will be accessing their networks. These security settings require users to provide two or more pieces of information that only they would know or have access to. The more information required from employees, the less likely it is that a cybercriminal will gain access to the company’s network through their accounts. However, there are some exceptions that we’ll cover shortly.
If 2FA or MFA can’t be enabled, organizations should consider additional measures such as lengthening password requirements to include more complexity or even filtering access by IP address. Depending on the size of the organization, IP addresses for employees can be provided to the IT department (it’s easy for people to find this — they can be instructed how and given a time frame for providing it). This way, companies can reduce the chance that an attacker will be able to access an account, though not as much as if 2FA or MFA were enabled.
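The IP-address fallback described above, sketched as an added example that is not part of the original article: a per-employee allowlist check run over constructed sign-in events. The names `REGISTERED`, `EVENTS`, `check_login` and `review`, and all addresses (documentation ranges), are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: addresses each employee reported to IT.
# Documentation ranges (RFC 5737 / RFC 3849) are used as placeholders.
REGISTERED = {
    "alice": ["203.0.113.17", "2001:db8:42::/64"],
    "bob": ["198.51.100.0/29"],
}

# Constructed sample sign-in events: (user, source address).
EVENTS = [
    ("alice", "203.0.113.17"),
    ("alice", "2001:db8:42::9"),
    ("alice", "198.51.100.3"),     # bob's range, not alice's
    ("bob", "198.51.100.3"),
    ("bob", "198.51.100.200"),     # outside bob's /29
    ("carol", "203.0.113.17"),     # never registered an address
    ("bob", "not-an-ip"),          # malformed source field
]

def build_allowlist(registered):
    """Parse each user's reported addresses into network objects."""
    return {
        user: [ipaddress.ip_network(entry, strict=False) for entry in entries]
        for user, entries in registered.items()
    }

def check_login(allowlist, user, source):
    """Return 'allow' or a deny reason; anything unexpected is denied."""
    networks = allowlist.get(user)
    if networks is None:
        return "deny: no registered address"
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return "deny: malformed source"
    # Membership is per user: another employee's address does not count.
    if any(addr.version == net.version and addr in net for net in networks):
        return "allow"
    return "deny: unregistered address"

def review(events, registered):
    """Evaluate every event and return (user, source, verdict) tuples."""
    allowlist = build_allowlist(registered)
    return [(u, s, check_login(allowlist, u, s)) for u, s in events]

if __name__ == "__main__":
    for user, source, verdict in review(EVENTS, REGISTERED):
        print(f"{user:6} {source:16} {verdict}")
```

Denied events are worth logging and reviewing rather than silently dropping, since residential addresses often change and a deny may reflect a stale registration rather than an attacker.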
Additionally, many companies are now considering third-party tools for support in this area. However, the ability of these tools to keep an organization secure is drastically reduced without a 2FA or MFA solution included. They’re great for keeping passwords and other data secure, but what prevents the tool from becoming compromised itself? MFA and 2FA will be critical to use for these solutions.
Remote Desktop
You may be considering using Remote Desktop or RDP for remote workers. However, these services are not recommended for use unless they are secured with MFA, a proper VPN setup, or other means.
Bandwidth
While not completely security-related, bandwidth will also be important for companies to consider as more of their team members transition to remote status. With more inbound requests coming into a network versus the expected amount from within a company’s existing device footprint, networks can quickly become strained and limit users’ ability to do their jobs. Beyond the impact on productivity, this also poses a slight security risk in that less patient employees may become frustrated with delays and no longer follow security best practices. Companies must ensure they have sufficient bandwidth for remote teams.
Additional Considerations for Ongoing Security
Firewalls
IT departments may be considering opening holes in their firewalls to allow more employees to access their networks and systems. The need for this is understandable, but it’s critical that compensating controls be considered if this approach is to be taken. This might include separating certain employees’ abilities to access certain data or perform certain tasks temporarily until a better solution can be found and implemented.
Phishing and Spam
While companies likely already have anti-spam and anti-phishing systems in place, it’ll be more important than ever to educate employees on what to watch for. Attempts to gain access to user credentials, trick users into clicking on suspicious links, and take other actions are already on the rise. Many of these attempts result in ransomware or other forms of malware being installed on a user’s device, which then gives the attacker access to the company network. From there, it’s just a matter of time until the attacker is able to get the information they need or wreak enough havoc to bring the business to a halt. (Note that east-to-west traffic security solutions can help monitor network activity and should be considered in difficult times.)
Internal Education
Educate employees on what to look for in emails, particularly grammatical errors, suspicious links, unusual sender data, and other inconsistencies that might reveal an attempt to gain access. Learn more about what to look for with phishing attempts. Furthermore, educate employees on what your COVID-19 communications look like. It’s not far-fetched to think that a hacker would try to emulate an internal company communication and distribute it throughout your organization in an effort to bait employees into clicking a link or opening an attachment.
Social Engineering
Going beyond email, social engineering attacks are also likely to increase. Hackers attempting to take advantage of the stress and confusion of this time may attempt to contact employees directly, posing as coworkers or vendors and requesting sensitive information (often by applying pressure to get the employee to crack).
Employees working remotely should be instructed to verify calls, identities, and other details. They should also understand that it is not appropriate for coworkers or partners to request sensitive information via a phone call or one-off, unprofessional email.
Plan Your Security Approach for the Long Haul
While we all hope that the COVID-19 spread will diminish soon and efforts are being made globally to prevent more people from becoming ill, no one is sure how this will play out. It’s important then to take security steps now to protect your business in addition to protecting your employees. Proactive efforts that are well implemented and not rushed will ensure your organization has fewer things to worry about as it focuses on employee well-being.
If Inversion6 can be of assistance to your organization during this trying time, please don’t hesitate to contact us below or call 216.535.4100.