We are living in uncertain times and experiencing a crisis we couldn’t even picture a couple of months ago. The COVID-19 pandemic pulled the rug out from under our feet and surfaced a range of potential grim outcomes – some of which are already unfolding.
With physical safety and health concerns being top of mind for everyone, it’s difficult to find the mindspace for something else. But security has the same underlying principles whether it’s applied to the physical, health, psychological, or cyber context.
But here’s why we have to, especially as business owners and security-oriented people.
The massive shift to remote work multiplies entry points
Either proactively or compelled by state of emergency regulations imposed by governments across the world, companies are now shifting towards remote work. That means people of almost all ages and in a huge variety of roles are changing not just where they work from but also how they work.
This forced transformation has far-reaching ramifications and clear cybersecurity implications. Think of people working from their own home networks whose security setup doesn’t match the one they had in the office (which worked without them thinking about it). Think of employees who aren’t tech savvy enough to figure out how to use a VPN or how to safely share files and passwords, and the list goes on.
Don’t expect cybercriminals to ignore the sudden multiplication of entry points. They’re ramping up their operations, not scaling them down.
Cybercriminals will exploit confusion, anxiety, and fear
Malicious actors have always done it and now the epidemic has set up the context for them. When people are confused, anxious, and in a state of fight or flight – triggered by fear – it’s easier to influence and trick them into acting against their best interest.
Cybercriminals know this full well since social engineering and all the types of psychological manipulation that it includes are part of their usual m.o.
We’re already seeing massive waves of COVID-19-themed phishing and spam emails. EFF, the FTC in the US, and the ACCC in Australia have already warned users of the surge in malicious activity.
While you may think that the fraudulent sale of coronavirus-related products online is not a direct threat to your business, fake emails or text messages that seek to harvest personal data are. All it takes is one click to compromise one of the key people in your company and generate additional issues that no business owner needs right now.
Cybercriminals have no morals and no boundaries
Just because there’s a worldwide crisis going on, don’t expect attackers and scammers to just stop what they’re doing. The myth of the thief with a heart of gold we often see depicted in the movies has no basis in real life.
No matter what story they tell themselves, cybercriminals remain immoral and deceitful. That’s their reality and they will continue to engage in “business as usual” even though they won’t be able to escape the consequences of this pandemic themselves.
What this means for you, as a business owner, is that you have to do what’s in your control, never relying on the potential good nature of an attacker that might focus on your business in either automated or targeted attacks.
Vulnerabilities are not taking the day off
Although some may feel a bit paralyzed these days, the world keeps moving, albeit in a different way than before. Meanwhile, the software we rely on to work, connect, and, most importantly, solve problems is still riddled with vulnerabilities.
Take, for example, the most recent major flaw in Microsoft Windows, which is being actively exploited in the wild. It affects all supported Windows versions and a fix is still a work in progress, according to the Microsoft advisory.
“There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.”
What you can do about it
To help you cope with this situation and ensure your business can continue to operate as close to normal as possible, we put together 9 security recommendations for remote work:
1. First and most important: use a VPN. Most wifi setups can have blind spots, especially the ones in your employees’ homes. It’s important to train your team to use a VPN as it’s the best way to encrypt online communication. A reliable, trustworthy VPN routes the data through a secure virtual tunnel between the user’s computer and the VPN server, making sure snoopers can’t access or read it.
2. Make it mandatory for your team to use 2-factor authentication (2FA). We recommend adding this extra layer of security to every online platform you and your employees access. The first and basic layer is the combination of a username and a strong password. Adding one more step of authenticating your identity – through a time-sensitive, unique code sent via SMS or an authenticator app – makes it harder for an attacker to access accounts and steal confidential data. This list of 2FA guides for most common platforms can be your starting point.
3. Apply software updates on all apps and devices. It’s very important to always update your systems as vulnerabilities appear frequently. An updated version ensures a safer workspace.
4. Anti-malware protection is also a must. Whether you choose an antivirus-firewall combo or an advanced anti-malware product, make sure it’s properly installed on laptops, tablets, phones, and other devices you and your employees might use. Don’t worry about performance issues – those were worked out years ago and they shouldn’t be a deterrent, especially in this context.
5. Consider limiting or restricting access to sensitive systems where it makes sense to do so. It’s better to postpone some activities rather than expose them to attacks. If you don’t have a prioritized list of your most valuable assets, there’s no time like the present to create it.
6. Define a clear procedure to follow in case of a security incident. With phishing attacks surging, it’s very important to train your employees to recognise a potential scam. If something should happen, they also need to know what to do: what they can do to limit the damage and to whom they should report the security incident.
7. All your important files and assets should be backed up regularly to make sure that in case of an emergency, your business won’t lose essential data. Teach your employees and try to make it easy for them to back up their information. If you already work in the cloud, make sure you have backups in other secure locations, with at least one of them offline.
8. As a business owner, you have to make yourself available for questions around security. Employees tend to follow signals from management or leadership, so the example you set matters, both in how you talk and what you do. If you don’t have the knowledge, appoint someone in the team to handle these conversations, questions, and requests for help.
9. Get the help you need from specialists who’ve done this a thousand times over. If you feel overwhelmed or don’t know where to start, you can reach out to us. We’re here to help with guidance on security setups, securing workflows, tool recommendations, and training options. We know what it’s like to be pressured to act and to handle complex decisions and projects at the same time. Cybersecurity can’t wait, but you don’t have to figure it out on your own.
We’re in this together.