How Not to Put Your Company at Risk
By now, we’ve all heard the cliché of this being the “new normal”. Let me emphasize that there is nothing normal about the situation we’re in. The “new normal” is changing by the day, even by the minute.
COVID-19 has forced most companies to send their entire workforce into isolation, quarantine, or whatever you want to call it. The fact is, starting this week, almost everyone who can work from home is working from home. This means we have people who have probably never worked from home before being forced to be productive remotely. Some businesses and industries will be able to adapt very quickly. There are others, however, whose entire business model is based on face-to-face interactions. These folks will have to navigate operating effectively in the “new normal”. Those who figure it out quickly should not just survive but thrive. One thing is for sure, no business is going to be successful unless the employees become part of the solution. If your business is worried about employees taking advantage of the situation, how to compensate them for their time, or them not being effective remotely, you’re already behind the 8-ball. To navigate this new challenge, you need to rely on and trust your employees. Be employee-centric and customer-focused and your business will have two fewer things to worry about.
The Lurking Danger
Cybersecurity introduces a layer of complexity. Criminals love panic and chaos, and they’ll use every opportunity to exploit the situation. As we adapt and try to be productive while juggling kids and multiple spouses working from home, security can sometimes be the last thing on our minds. Criminals know that. Criminals love that. The bad guys are preying on security ignorance as much as they are exploiting your fear. We’re going to see more sophisticated attacks on the new mobile workers. They will not be the traditional attacks targeted at data theft, but rather more ransomware, disruption, and financial attacks.
Since everyone is at home now, we lose some of the air cover provided by our IT departments and office systems. Now is the time to put everything we’ve learned, during our repeated security awareness sessions, into practice.
What can you do to ensure you and your company remain safe?
- Best practices still apply – These include all the security awareness training you were forced to take, videos you were made to watch. Those fake phishing emails you were sent were all for a reason. This is the time to apply everything you’ve learned about strong passwords, not clicking on ANY links in those phishing emails and text messages, not being tricked into purchasing gift cards, or responding to bank wire requests from your “boss.”
- Don’t let kids download games and apps onto your computer – If your job hasn’t assigned you a work laptop, you’re likely using a shared personal computer, one that the kids probably use for homework and games. Downloading games and apps, especially free ones, puts your computer at risk for viruses, malware, and ransomware. Nothing on the internet is free. Everything labeled “free” comes with baggage. Either you’re giving away private information, or it’s installing some other program behind the scenes. The safest option during this time is to get the kids their own computer. Or better yet, get yourself a new one. You don’t want a game or app your kids downloaded three months ago to be the reason your company’s network is now compromised.
- Use a VPN – A VPN (Virtual Private Network) encrypts traffic between devices. This provides a layer of security and anonymity. If it’s a corporate-provided VPN, be careful how it’s used. Depending on the VPN setup, this could route all traffic from your computer or network through your company’s network. This includes internet traffic, web browsing, movie and music streaming, etc. That said, VPNs are still one of the most secure ways to work from home.
- Secure your Smart Devices – Install updates. Check your device app and install any available updates. Change default passwords. Most smart devices ship with an embedded default username and password to allow for quick configuration. Change these right away. Use 2-factor authentication. A second factor adds complexity to the authentication process and provides immense value in terms of addressing the risk. We’ve heard for years that 2-factor authentication should be turned on for everything, yet it’s rarely implemented. Turn it on for everything now, including your NEST thermostat, your iCloud account, your email. Turn it on everywhere possible.
- Ensure you have Antivirus/Antimalware – This is another obvious safety measure but often overlooked. Ensure your antivirus subscription is current and your virus definitions are up to date. Having antivirus software installed with a subscription that expired 7 months ago doesn’t do you any good.
- Don’t open emails from unknown senders – This applies more than ever. There is a rapidly growing number of fake Coronavirus-themed emails going around from criminals looking to capitalize on the crisis. The bad guys are preying on your fear and sending all sorts of scams related to the Coronavirus. The top spoofed organizations are the CDC (Centers for Disease Control), the WHO (World Health Organization), HR Departments and emails from voicemail systems. Criminals are targeting voicemail systems because they know everyone is working from home. Remain vigilant and be 100% certain that the email is legitimate before opening it.
Follow these tips on how to spot fake emails:
- Examine the sender’s email address. Even though the sender’s name may appear legitimate, the sender’s email address may be completely different.
- Typos and poor grammar in the email are usually dead giveaways.
- Hovering over a link in the message shows an illegitimate website or one that contains typos – for example, instead of www.disney.com you would see www.dlsney.com (the “i” replaced with an “l”).
- Demanding urgent action – this could be an email from your boss or someone else from management asking you to perform a quick action.
- Update and Secure your Router – This is something most people rarely think about or know how to do. Now that you’re home, this is more critical than ever. Follow these tips:
  - Update your router’s firmware.
  - Change your default password.
  - Change your default WiFi network name.
  - Use a secure WiFi password.
  - Use WPA2 encryption to secure your network. Don’t use WEP.
  - Use a firewall if available.
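The sender-address and hover-over-link tips for spotting fake emails can also be automated on the mail-filtering side. The following is an added example, not code from the original article: the allowlist, function names and sample message are assumptions made for illustration, and the two-label domain split is a simplification.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = {"disney.com", "cdc.gov", "who.int"}  # assumed allowlist, not from the article

def base_domain(host):
    """Last two labels, lower-cased. Simplification: real code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def skeleton(domain):
    """Collapse characters that look alike so 'dlsney' and 'disney' compare equal."""
    return domain.replace("rn", "m").translate(str.maketrans("i1|0", "lllo"))

def edit_distance(a, b):  # Levenshtein distance, catches one-character typos
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    dom = base_domain(host)
    if dom in TRUSTED:
        return "trusted", dom
    for good in sorted(TRUSTED):
        if skeleton(dom) == skeleton(good) or edit_distance(dom, good) == 1:
            return "lookalike", good
    return "unknown", None

def check_message(from_header, link_url):
    """Apply the sender-address and hover-over-link tips to one message."""
    findings = []
    name, addr = parseaddr(from_header)
    sender_dom = base_domain(addr.rpartition("@")[2])
    for good in sorted(TRUSTED):
        brand = good.split(".")[0]
        if brand in name.lower() and sender_dom != good:
            findings.append(f"display name claims {brand} but sender is {sender_dom}")
    for label, host in (("sender", sender_dom), ("link", urlsplit(link_url).hostname or "")):
        verdict, good = classify(host)
        if verdict == "lookalike":
            findings.append(f"{label} domain {base_domain(host)} imitates {good}")
    return findings

# Constructed sample message (not a real email), built on the article's dlsney.com example.
SAMPLE = ('"Disney Rewards" <offers@mail.dlsney.com>', "http://www.dlsney.com/login")
if __name__ == "__main__":
    print("\n".join(check_message(*SAMPLE)))
```

An empty result only means none of these checks fired; a domain classified as unknown still deserves the manual scrutiny described in the tips.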
There are numerous other configurations and best practices to secure your home network, but this is a good start. We’re all trying to figure out how to effectively and securely operate for the next few weeks (if not longer). It’s inevitable that we will get enveloped in all the dire economic predictions, the chaos of trying to keep ourselves physically safe, while at the same time trying to run our business. BUT it’s critical to keep security at the forefront of our minds as well because there are people out there trying to exploit this situation. Focus on best practices, remain calm and collected.
Following the recommendations above should at least provide a formidable barrier that will cause these criminals to look elsewhere.
Steve Tcherchian, CISSP, PCI-ISA, PCIP is the Chief Product Officer and Chief Information Security Officer for XYPRO Technology. Steve is on Forbes Technology Council, the NonStop Under 40 executive board, and part of the ANSI X9 Security Standards Committee.
With over 20 years in the cybersecurity field, Steve is responsible for strategy and innovation of XYPRO’s security product line as well as overseeing XYPRO’s risk, compliance, and security to ensure the best experience for customers in the Mission-Critical computing marketplace.
Steve is an engaging and dynamic speaker who regularly presents on cybersecurity topics at conferences around the world.