COVID-19 is a humanitarian and social crisis of unprecedented speed and scale. The coronavirus disease has an immediate and long-lasting impact on how people work and act in society.
The top priority is to protect people’s health and safety, including in their workplaces, through compliance with security measures at home and outside. Business leaders must make rapid, well-informed decisions and take immediate action to protect and support their employees and ensure that critical business operations continue in order to help societal continuity.
Sadly, criminals and hackers are also exploiting this situation. There has been a significant rise in malicious websites, with thousands of new coronavirus-related domains registered since January 2020. Hackers are selling malware and distributing hacking tools through COVID-19 discount codes on the darknet, many of which are aimed at stealing corporate data from the laptops of employees who work from home.
Throughout the article, when we say “security” we mean information security. The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. There is no such thing as perfect security, but “being secure” means reasonable measures have been taken to enforce information security.
Security measures online: provide opportunities and coach your team
Currently, the biggest concern for chief information security officers (CISOs) and other security professionals is maintaining their organization’s cybersecurity posture during a period when the vast majority of office-based, IT-reliant workers are going to be working from home.
With that in mind, here are the steps Chief Security Officers (CSOs) and Chief Information Security Officers (CISOs) can take to keep their organization’s data and systems secure:
- Compile a list of clouds and applications which are sanctioned for use and provide a secure way for employees to access these applications.
Using a secure gateway, remote desktop connections, or corporate accounts is the way to provide access to corporate applications so that staffers can access and use their data securely.
- Whenever possible, keep the work to enterprise endpoints.
Not all workers being asked to work from home due to coronavirus will have dedicated work devices, such as laptops and netbooks. If possible, provide them with dedicated equipment that they can use to work from home.
Adequately configured endpoint firewalls and anti-malware controls will make it easier to enforce good endpoint security practices.
If it is impossible to provide dedicated endpoints to your employees, consider virtual desktops. They can keep a dedicated endpoint separate, and the virtual system will be protected from all of the other users on the home system. A remote virtual desktop is another option to consider.
- Enable multi-factor authentication.
When employees access work resources from their homes, they appear as unknown network sources, making it difficult for companies to tell the difference between legitimate staff and adversaries with stolen credentials.
Multi-factor authentication, such as one-time codes sent to trusted phones or through the use of a one-time PIN generation app, can help to detect if valid credentials were indeed provided by legitimate users.
- Establish a support hotline for new remote workers.
Technical support and assistance will be necessary for workers who rarely or never work remotely. They will want to know how to configure their systems properly and set up the corporate VPN if needed.
To handle these requests, a dedicated hotline should be organized to help workers set up their home routers properly, create a dedicated subnet for work, and otherwise correctly configure their systems for optimal security.
- Use encryption.
Remote workers should use full disk encryption on their devices if it is possible. They should be coached on how to set this up properly on Windows or macOS if IT or the security department can’t do it for them.
- Provide security awareness training.
With so many new remote workers, there is an excellent opportunity to raise the security awareness of your company’s workforce through training, especially if it hasn’t been done in a while. Such training will remind people about good remote security practices, such as being careful about clicking on links, not using public Wi-Fi, and not leaving their laptops in a car.
This video describes how businesses and their employees can maximize the level of cybersecurity amid the global health crisis.
Tony Anscombe, the Chief of Security of ESET: “6 tips to maximize cybersecurity while working remotely”, from the ESET YouTube channel.
Online work at home: challenges of the new normal
All of the above changes and risks create a monitoring nightmare for CSOs and CISOs. We are entering into a period of digital unknown, where change will be the new normal. Data flows and topology will change. New technology and services will be deployed. Logging formats will be different.
Assuming it is not already too late to do so, IT and security teams should do their best to get out ahead of the transition to mass remote working by making sure that the work-from-home solution protects against a variety of endpoint-related attack vectors, such as:
- OS vulnerabilities
- app vulnerabilities
- network vulnerabilities
- browser/mail vulnerabilities
- USB/external device vulnerabilities
- insider threats
It should be hard for malware to simultaneously access corporate network resources and have direct unfiltered access to the internet.
But the dilemma that CISOs face is that users prefer to use a single device with a single set of peripherals, without switching between devices. They would like to have direct connectivity to their apps and data, without any added network latency, whether in the corporate network, in the cloud, or in their personal home network.
Just as we prevent viruses from infecting our bodies through isolation, we look to prevent viruses from infecting our computers and to keep cybercriminals away from corporate data. Isolation is the key to prevention. It ensures separation between the healthy and the ill.
When the health of corporate infrastructure is taken into consideration, isolation is implemented to separate sensitive data from anything that could potentially cause harm, including the “wild” internet.
And CISOs must walk a fine line between overly restricting user behavior and optimizing cybersecurity hygiene. If the restrictions are too tight, the risk of alienating users and choking their ability to work productively increases, but if the restrictions are too loose, you expose your business to unacceptable levels of risk.
Security measures should start at your employees’ side
Remote teams do have a far larger attack surface than centralized ones. Unlike in a centralized team, where confidential information can be physically locked down behind firewalls and company workstations, remote workers are encouraged or even required to use their own devices. This raises the question of whether those devices meet corporate security compliance demands.
However, corporate devices with pre-installed security compliance software do not completely safeguard sensitive data either.
Here are some tips that can help you avoid an information security breach while using both corporate and personal desktops or mobile devices:
- Lock your doors. If your employees tend to work remotely, confidential corporate information could be at risk. The habit of always locking doors is a key step toward improving the home office’s security. Nobody is immune to theft. Locking doors can spare your employees the stress of a stolen work computer and spare your company the harm of its data getting out into the wild.
- Have your corporate data encrypted. In heavily regulated industries, losing specific data could result in huge fines. Make sure that information on the devices that your employees use for online work is encrypted in order to turn a disaster (data compromise) into an annoyance (loss of the device, but no compromise). In many states, breach disclosure laws do not come into effect if the data was encrypted.
- Never leave devices or laptops in the car. Advise employees to never leave their work computers or devices in a vehicle. And the trunk of a car is not any safer. It’s a best practice for your workers to keep work laptops and devices with them at all times.
- Don’t use random thumb drives. A classic hacking technique is to drop a number of large-capacity thumb drives, hoping someone picks them up and uses them. What if it were your employee? The chances that an unwitting worker will pick up the thumb drive and use it are surprisingly high.
- Use a USB data blocker when charging up at a public phone charging station. If it is necessary to charge the corporate phone and the only option is an unknown USB port, a wise measure is to protect it with a USB data blocker to prevent data exchange and guard against malware. This type of USB protection allows the device to connect to power without exposing the data pins inside a device; it connects the power leads, but not the data ones.
The volume of interest in coronavirus means that cybercriminals and threat actors will continue to heavily exploit it. And depending on how long the pandemic crisis lasts, we could be looking at the emergence of a highly significant, long-term cybersecurity issue, because the wide usage of remote technologies cannot escape cybercriminals’ attention.
However, as is so often the case when it comes to cybersecurity, paying a little care and attention to basic security hygiene should be the first priority for CISOs, security teams, and users alike. And only combined efforts can make remote working risk-free.