US Pro Insurance Services, America’s Cyber Expert, provides our valued customers the following information and best practices to use during the current COVID-19 crisis.
With the government’s social distancing recommendations currently in place for the remainder of the month, many businesses are shuttering their doors across America. Businesses of all sizes in cities and towns across every state are impacted.
In this and similar disaster and emergency environments, cyber criminals increase their attacks, knowing that people are more vulnerable. As you keep your business moving while working from home, consider the following tips in two key areas:
Remote Security Processes:
CrowdStrike is well known for its understanding of cyber attack vectors, and in its March 11, 2020 blog it recommends six (6) areas of concern to consider:
- Make sure you have a current cybersecurity policy that includes remote working. Strong security policies may already exist, but it is important to review them and ensure they are adequate as your organization transitions to having more people working from home than in an office. Security policies need to include remote working access management, the use of personal devices, and updated data privacy considerations for employee access to documents and other information. It is also important to factor in an increase in the use of shadow IT and cloud technology.
- Plan for BYOD (bring your own device) devices connecting to your organization. Employees working from home may use personal devices to carry out business functions, especially if they cannot get access to a business-supplied device as supply chains may slow down. Personal devices will need to have the same level of security as a company-owned device, and you will also need to consider the privacy implications of employee-owned devices connecting to a business network.
- Sensitive data may be accessed through unsafe Wi-Fi networks. Employees working from home may access sensitive business data through home Wi-Fi networks that will not have the same security controls — such as firewalls — used in traditional offices. More connectivity will be happening from remote locations, which will require greater focus on data privacy, and hunting for intrusions from a greater number of entry points.
- Cybersecurity hygiene and visibility will be critical. It is not unusual for personal devices to have poor cybersecurity hygiene. Employees working from home can result in an organization losing visibility over devices and how they have been configured, patched and even secured.
- Continued education is crucial, as coronavirus-themed scams escalate. The World Health Organization (WHO) and the U.S. Federal Trade Commission (FTC) have already warned about ongoing coronavirus-themed phishing attacks and scam campaigns. Continuous end-user education and communication are extremely important and should include ensuring that remote workers can contact IT quickly for advice. Organizations should also consider employing more stringent email security measures.
- Crisis management and incident response plans need to be executable by a remote workforce. A cyber incident that occurs when an organization is already operating outside of normal conditions has a greater potential to spiral out of control. Effective remote collaboration tools — including out-of-band conference bridges, messaging platforms and productivity applications — can allow a dispersed team to create a “virtual war room” from which to manage response efforts. If your organization’s plans rely on physical access or flying in technicians for specific tasks (e.g., reimaging or replacing compromised machines), it may be prudent to explore alternate methods or local resources.
The National Cyber Security Alliance has also offered these tips to consider:
- Connect to a secure network and use a company-issued Virtual Private Network to access any work accounts. Home routers should be updated to the most current software and secured with a lengthy, unique passphrase. Employees should not be connecting to public WiFi to access work accounts unless using a VPN.
- Separate your network so your company devices are on their own WiFi network, and your personal devices are on their own.
- Keep devices with you at all times or stored in a secure location when not in use. Set auto log-out if you walk away from your computer and forget to log out.
- Limit access to the device you use for work. Only the approved user should use the device (family and friends should not use a work-issued device).
Increased Malware and Ransomware Awareness
The second threat to businesses will be malware and ransomware attacks. Increased awareness of these events is important.
Businesses should deploy a stringent protocol for how employees respond to requests made to them in this remote and sequestered environment. The practices CrowdStrike recommends above are an excellent way to reduce the risk of the security controls in place being manipulated through vulnerability gaps.
However, as in the routine business environments we work in every day, the problem is not that an employee left the door open; it is that an employee opened the door. How is the door being opened?
COVID-19 Alerts
The 24-hour news cycle has been cut in half by the combination of curiosity and thirst for information, concern about the impact on your family, and the desire of bad actors to capitalize on the crisis at hand. We suspect there will be a rampant increase in the emails and advisories your employees receive in their work and personal email accounts.
Avoid clicking on any links or opening any attachments included with these types of messages. If you receive them from your employer, it is a good idea to verify they were actually sent. This can be done in a new email string or by making a phone call. Do not respond or reply to emails of this kind.
Login Credential Requests
A perennially popular method of social engineering is the use of pharming and spoofing techniques, and phishing scams, to extract login credentials from your employees. With entire companies now working remotely, implement a policy of NO LOGIN CREDENTIAL PROVISION. This means that in no case should any employee provide their login credentials to any source for any reason. If your IT people or outsourced provider need to gain access, they should do so by initiating it through a phone call.
Government Action Emails
Like Amazon emails at Christmas, emails sent during a crisis from school districts, municipalities, and governmental agencies should receive extra scrutiny. Avoid embedded links and attachments in these emails unless they have been properly scanned.
Some additional tips have been offered by the National Cyber Security Alliance as follows:
- Don’t reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in email.
- Pay attention to the website’s URL. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com versus .net).
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Contact the company using information provided on an account statement, not information provided in an email. Check out the Anti-Phishing Working Group (APWG) to learn about known phishing attacks and/or report phishing.
- Keep a clean machine. Keep all software on internet-connected devices – including PCs, smartphones and tablets – up to date to reduce risk of infection from malware.
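The URL tip above (a variation in spelling, or .com versus .net) can be automated in a mail filter or help-desk tool. The sketch below is an added example, not code from this page or from the National Cyber Security Alliance; the domain names are constructed, and taking the last two host labels as the domain is a simplifying assumption (production code should use the Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed allow-list; replace with the domains your organization really uses.
TRUSTED = ("example-bank.com", "ftc.gov", "who.int")

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Assumption: the last two labels form the domain (ignores suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_url(url, trusted=TRUSTED):
    """Classify a link as trusted, a lookalike of a trusted domain, or unknown."""
    # .hostname drops any "user@" prefix, so the host actually contacted is checked.
    host = urlsplit(url).hostname or ""
    domain = registrable(host)
    if domain in trusted:
        return ("trusted", domain)
    name, _, tld = domain.rpartition(".")
    for good in trusted:
        gname, _, gtld = good.rpartition(".")
        if name == gname and tld != gtld:
            return ("lookalike-tld", good)        # same name, different ending
        if tld == gtld and 0 < edit_distance(name, gname) <= 2:
            return ("lookalike-spelling", good)   # one or two characters off
    return ("unknown", domain)

if __name__ == "__main__":
    for link in ("https://www.example-bank.com/login",
                 "https://example-bank.net/login",
                 "https://examp1e-bank.com/login",
                 "https://example-bank.com@evil.test/"):
        print(link, "->", check_url(link))
```

Links classified as lookalikes are the ones worth quarantining or routing to IT for review; "unknown" only means the domain is not on the allow-list.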