I’m sure you are getting a lot of these emails; who isn’t? While we will definitely give you some tips over the course of this article, just know that if you have been a customer of one of our assessment products, you likely already have this covered. Vestige has been pointing out how to properly secure remote workers for the past decade. It is what we do.
Most of our country is under some sort of shelter-in-place order. Only essential businesses can stay open, and those businesses are running on a skeleton crew at the office. Most of your employees are working remotely. While some businesses are set up for remote workers, not all are, and those that are likely weren’t prepared for 80%, 90% or more being remote. Not all companies had the luxury of issuing company laptops to employees working from home. To cap it off, the change to a mostly remote workforce came fast.
But while our IT departments are trying to catch their breath, the ever-ready and opportunistic cyber-criminal is already looking to capitalize on the situation. Realize, though, that a lot of these criminals are just looking to exploit the low-hanging fruit, so with some basic blocking and tackling you can fend most of them off.
Discover 11 tips to properly secure remote workers.
BYOD and Shelter at Home
If you do not have a Bring Your Own Device (BYOD) policy, now really isn’t the time to implement it. For those that do, make sure that your remote workers are following that policy, especially as it pertains to them using home equipment for work. Are those devices patched, running updated anti-virus and using their firewalls? For those that do not have a BYOD policy, you need to seriously consider implementing something. The biggest concern for companies that do not have a BYOD policy is the intermingling of company and personal data on a personal device. When that device is needed for litigation or investigations, it becomes tricky to obtain the device when you don’t have a policy governing it. Also, when the employee leaves, what processes and policies do you have to retrieve your data from their device?
Don’t Ignore Vaccines
Now isn’t the time to fall behind on your device patch management. Patch devices that are on site and come up with a plan to patch remote devices. IT departments are already spread thin, and they are now under even more pressure to support a large mobile workforce. Don’t lose sight of your patching process, because the hackers sure aren’t losing sight of exploiting your vulnerabilities. Many attacks are taking advantage of vulnerabilities that are months or a year old, so there is time, but inactivity is no excuse.
Take Your Temperature, Daily
Many organizations have centralized anti-virus distribution systems as part of their cybersecurity for remote working. Spend a few minutes each morning checking that all the machines have received the latest updates. Also compare the list of machines in your centralized AV with what you have in your environment and ensure all are protected.
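The morning check described above can be scripted. The following is an added example, not something from Vestige or any AV vendor: it compares an asset inventory export with an AV console export and lists machines with no AV agent, machines the console knows but the inventory does not, and machines with stale definitions. The CSV column names, host names and two-day threshold are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not real data). Column names are assumptions;
# map them to what your AV console and asset inventory actually export.
INVENTORY_CSV = """hostname,owner
LAPTOP-017.corp.example.com,jsmith
laptop-022,akhan
DESKTOP-003,bookkeeping
laptop-031,rlee
"""
AV_CONSOLE_CSV = """hostname,definitions_date
laptop-017,2020-04-06
LAPTOP-022.corp.example.com,2020-03-20
desktop-003,2020-04-06
kiosk-099,2020-04-05
"""


def short_name(host):
    """Normalize so 'LAPTOP-017.corp.example.com' matches 'laptop-017'."""
    return host.strip().lower().split(".")[0]


def load(text):
    """Index a CSV export by normalized host name."""
    return {short_name(r["hostname"]): r for r in csv.DictReader(io.StringIO(text))}


def av_coverage_report(inventory_csv, av_csv, today, max_age_days=2):
    inventory, av = load(inventory_csv), load(av_csv)
    return {
        # In the environment, but no AV agent is reporting for it.
        "unprotected": sorted(set(inventory) - set(av)),
        # Reporting to the AV console, but missing from the inventory.
        "unknown_to_inventory": sorted(set(av) - set(inventory)),
        # Agent present, but definitions are older than the threshold.
        "stale_definitions": sorted(
            host for host, row in av.items()
            if (today - date.fromisoformat(row["definitions_date"])).days > max_age_days
        ),
    }


if __name__ == "__main__":
    report = av_coverage_report(INVENTORY_CSV, AV_CONSOLE_CSV, date(2020, 4, 7))
    for finding, hosts in report.items():
        print(f"{finding}: {', '.join(hosts) or 'none'}")
```

Remote laptops that have not connected to the VPN recently tend to show up in the stale list first, which makes it a useful input to the patching plan as well.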
Don’t Let Outsiders In Your Home
If I had a dime for each customer that was a victim of an exposed Remote Desktop (RDP) connection, I would be writing this from my beach house in Florida. You absolutely cannot allow direct remote access via RDP to computers in your environment. You must protect that connection behind a firewall or use technology such as TeamViewer (properly secured) or RemotePC. Open RDP ports are a treasure trove for hackers. By putting in a proper firewall and VPN capabilities, you’ll spend less than 1/10th the cost of remediation from a ransomware attack (which quite commonly uses RDP).
Take Time to Wash Your Hands
If you haven’t heard about Zoom bombing, you are taking social distancing to a new level! Follow the recommendations from your virtual meeting provider (Zoom’s are at https://zoom.us/docs/doc/Zoom-Security-White-Paper.pdf) and spend a bit more time securing your meetings to keep them clean. You don’t want confidential information making it out into the wild, and you don’t want the embarrassment of someone crashing your meeting with inappropriate sounds or videos.
One of the best things you can do to protect your login to email, VPN, etc., is to implement two-factor authentication (2FA). Usually 2FA is in the form of a code sent via text, email or otherwise that helps protect your account. Use 2FA for banking, logging into email, VPN and anywhere else where you can implement it. But it doesn’t just protect your login to an account; it also protects against social engineering of the company that holds that account. Yours truly has seen the benefit of it personally as hackers have tried to call into tech support, pretend that they are me (I pity someone that has to go to that depth) and gain access to my account. Support immediately sends a 2FA code which comes to me, not the hacker. Account protected.
Don’t Spread Your Germs
This tip is for those working from home. If you give your phone or computer to a child or family member for use in a social setting, close out of your documents, email and VPN so as not to expose that data to others. My son has used my computer for virtual meetings with his Scout troop and I make sure everything is closed. I don’t need an accidental screen share or otherwise to expose a document that shouldn’t be.
Don’t Get Phished
Another disaster, another avenue for hackers to use in social engineering. “Click here for your CARES Act money” or “the IRS needs your social security number to distribute to you your $1200, click here”. The hacker may ask for your social security number, address, phone number, PayPal, email credentials, etc. They’ll come up with a reason, crazy or not, to get that information. It’s already happening: https://www.techradar.com/news/this-new-malware-locks-you-out-of-windows-but-theres-a-simple-fix
Bundle Up, In Layers
When you venture out in the cold or rain, you have multiple layers to protect you. If your bookkeeper has their credentials stolen, what additional layers of protection do you have to protect your financial data and accounts? If an employee gets hacked, what additional layers of protection do you have to protect the data in your company?
Wipe Away Former Employees
Sanitary wipes, toilet paper. What are things I can’t find at the store, Alex? Luckily you don’t need either to review your list of accounts and remove, disable, or otherwise secure accounts of former employees. Hackers get in on accounts that are actively being used without being noticed. What do you think they can do with an account that isn’t being used?
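The account review described above can be run as a recurring check. This is an added example, not Vestige’s tooling: it reads a directory export and flags enabled accounts that belong to nobody on the current HR roster, plus enabled accounts that have sat unused. The column names, user names, exemption list and 45-day threshold are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data, not real accounts. Column names are assumptions;
# map them to your directory export and HR roster.
ACCOUNTS_CSV = """username,enabled,last_logon
jsmith,true,2020-04-06
akhan,true,2020-04-03
bwong,true,2020-01-02
tformer,true,2020-01-15
mquit,true,2020-04-05
rlee,false,2019-11-02
svc-backup,true,
"""
HR_ROSTER = {"jsmith", "akhan", "bwong"}   # current employees
EXEMPT = {"svc-backup"}                    # service accounts, reviewed separately


def audit_accounts(accounts_csv, roster, exempt, today, dormant_days=45):
    """Return {username: (finding, idle_days)} for enabled accounts needing action."""
    findings = {}
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        user = row["username"].strip().lower()
        if user in exempt or row["enabled"].strip().lower() != "true":
            continue  # already disabled, or handled by a separate review
        last = row["last_logon"].strip()
        # An empty last_logon means the account has never been used.
        idle = (today - date.fromisoformat(last)).days if last else None
        if user not in roster:
            # Enabled account with no current employee behind it. A small
            # idle value here means someone is still logging in with it.
            findings[user] = ("former-employee", idle)
        elif idle is None or idle > dormant_days:
            findings[user] = ("dormant", idle)
    return findings


if __name__ == "__main__":
    results = audit_accounts(ACCOUNTS_CSV, HR_ROSTER, EXEMPT, date(2020, 4, 7))
    for user, (finding, idle) in sorted(results.items()):
        print(f"{user:10} {finding:16} idle_days={idle}")
```

A former-employee account with a low idle count deserves attention first, since it is both unowned and in active use.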
Flattening the Curve
If companies do not shore up their work-from-home cybersecurity defenses by minding the simple tips above, I predict a rash of new data breaches 3-6 months from now (data breach identification usually comes months after the incident occurred). Take the time now to get a healthy cybersecurity posture.
by Greg Kelley, BS, EnCE, DFCP,
Chief Technology Officer at Vestige Digital Investigations