With daily reports of the spread of coronavirus, many companies are asking their employees to stay home when possible and to work remotely. While the thought of riding out a global pandemic from the comfort of one’s home has a certain appeal, for many companies, it’s significantly easier said than done. Even worse, it opens companies up to a greater threat of cyber attack. Here are some tips to help keep your remote workforce secure.
What Can You Do?
Provide a VPN: If employees are accessing assets on a work network, consider requiring a virtual private network (VPN) for them to connect. This has two benefits: 1) when enabled, it routes their traffic through your network, making any transmitted data subject to the same firewalls and network-level protections, and 2) it limits the number of people able to access your network and makes anomalies easier to spot.
Even if you don’t have the time or need for a corporate VPN, at a minimum consider providing a commercial VPN to employees who are connecting to your network via public wi-fi. Many people who don’t typically work from home need to rely on cafes and publicly accessible internet connections to work remotely - a well-vetted VPN provider can help add an extra level of encryption and security to their devices.
Confirm email communications: A major tactic used in phishing scams is Business Email Compromise (BEC), where seemingly innocuous emails are sent from a known co-worker or colleague to get sensitive information such as network access, payment information or even money transfers. Google and Facebook were both hit with this tactic to the tune of $100 million in 2019. Any time anyone in your office gets an email asking for anything potentially sensitive, require a follow-up phone call, Slack message, text message, etc. Never trust an email, even if it looks legitimate.
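A mail-triage check for the BEC pattern described above, added here as an example and not part of the original article: it flags sender details that don't line up, but, following the tip, sends every sensitive request for out-of-band confirmation even when the headers look clean. The company domain, staff names, keyword list and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: placeholder domain, staff directory and keywords.
CORP_DOMAIN = "example.com"
KNOWN_STAFF = {"dana reyes", "sam patel"}
SENSITIVE_TERMS = ("wire transfer", "payment", "invoice", "password", "network access")

# Constructed sample messages (not real mail).
SPOOFED = """\
From: "Dana Reyes" <dana.reyes@example-mail.test>
Reply-To: dana.office@mailbox.test
Subject: Urgent wire transfer

Please pay the attached invoice today. I am in meetings, so just reply here.
"""
LOOKS_LEGIT = """\
From: "Dana Reyes" <dana.reyes@example.com>
Subject: Vendor update

Can you send me the payment details for the new vendor?
"""
ROUTINE = """\
From: "Sam Patel" <sam.patel@example.com>
Subject: Standup moved

Standup is at 10:30 tomorrow.
"""

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def bec_flags(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')} {msg.get_payload()}".lower()
    flags = []
    # A colleague's display name on an address outside the company domain.
    if name.strip().lower() in KNOWN_STAFF and domain_of(addr) != CORP_DOMAIN:
        flags.append("staff-name-from-outside-domain")
    # Replies silently redirected to a different domain than the sender's.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        flags.append("reply-to-mismatch")
    if any(term in text for term in SENSITIVE_TERMS):
        flags.append("sensitive-request")
    return flags

def needs_callback(raw):
    # Any sensitive request gets a phone/chat confirmation, however clean the headers.
    return "sensitive-request" in bec_flags(raw)
```

The header flags only raise priority; a message from a compromised real account, like the second sample, passes them and is caught only by the confirmation rule.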
Require 2-Factor Authentication: Having a workforce suddenly connecting remotely means that it’s harder to distinguish between legitimate activity and potentially compromising activity. Add 2-factor authentication to require a text or another means of verifying the identity of whoever is checking an email account or connecting to a shared network drive.
Consider providing hardware: Providing equipment for remote employees can be expensive, but it can also save money in lost time and resources due to poor cybersecurity (data breaches are expensive, often catastrophically so). If you are going to have a remote workforce, providing the hardware that they’ll be working from means you can ensure a fully up-to-date and patched device and even put restrictions on their ability to install sketchy or non-secure software.
If you work in video, it may be necessary to send drives with project data home, as the connection speed at the office is usually going to be much faster than what can be achieved via a remote VPN connection, especially if many of your other employees will also be connected to it.
Your employees can still use a VPN to move smaller project files, while keeping the bulkier media files on a local drive. If necessary, send artists home with computers to work on if they don’t have home equipment that’s up to the task. Be sure to check with your IT support regarding licenses and other possible configurations that may need to be updated in order for the system to properly function elsewhere.
Much like the thought of a global pandemic, the prospect of a cyber attack on a workplace can be frightening, but it shouldn’t be met with panic. By following a few basic best practices, it’s easier to maintain a relatively secure workplace, even when employees are connecting remotely.
Why is This Necessary?
Hackers and scammers are typically loath to let a crisis go by without exploiting it, and coronavirus is no exception. As soon as the outbreak started to make headlines, phishing emails started showing up in inboxes, posing as medical or health organizations. While phishing emails are nothing new or even uncommon, these campaigns have been widespread and, to date, successful enough that the Secret Service and FTC have issued warnings urging extreme caution when reading emails or opening attachments relating to coronavirus.
How Do Remote Workers Figure Into It?
This isn’t to say that everything was secure and safe before the outbreak of the coronavirus - every business with at least one computer, mobile phone, or internet-connected device is threatened on a regular basis by a wide array of malware, phishing scams, data leaks, ransomware, and more.
What it does mean, however, is that what’s called the attackable surface for a workplace increases when more workers are connecting remotely.
A single office can operate on a single network, meaning that the bulk of its internet traffic is being channeled through a single internet connection. It’s easier in this case to have a firewall and implement security software that can ideally block suspicious traffic and known threats through a single point. It also means that the IT and support staff usually have access to devices connected to the network and are able to ensure that their software is fully patched and up-to-date. It doesn’t protect fully against cyberthreats, but it does provide greater oversight and protection. To put it in coronavirus terms, you’re a lot less likely to get sick staying in one spot than you are riding the subway.
Once workers are accessing your network from outside of the workplace, the number of different access points that are potentially vulnerable increases exponentially. An email that may have been stopped at your office firewall can be transmitted freely to a laptop on a residential connection, a USB key or removable drive with malware might be used to transmit files, or an employee working from a cafe might have their laptop stolen or their data intercepted through a public wi-fi connection.
There’s definitely an added level of stress trying to factor cybersecurity into the adjustment around the coronavirus - unfortunately, that’s what hackers are counting on. The coronavirus is (we hope) a temporary outbreak, but the damage caused by a malware infection or data breach is permanent. Plan accordingly, and encourage everyone in your office to do the same. Data hygiene is much like public hygiene - it requires a group effort.