COVID-19: How to Keep Employees Cyber-Safe While Working From Home
March 30, 2020
As the global COVID-19 outbreak worsens, organizations are scrambling to keep their employees safe and their businesses running. Companies have had to shift entire operations home in a matter of days, overwhelming IT infrastructures, support systems, and equipment suppliers. These workplace disruptions also present an unprecedented opportunity for hackers to exploit global anxieties and target worried populations, disrupted workers, and struggling businesses. Cybercriminals can now access sensitive data through unsafe home Wi-Fi networks, unprotected devices, and corporate data centres strained by the surge of traffic.
It is imperative for businesses to strengthen their existing defenses, protect data from exposure, and educate all employees on the potential cyber threats they face.
Here are practical, immediate steps that businesses, managers, and workers can take to mitigate the impact of heightened cyber risk:
1. Beware of phishing campaigns and email fraud.
Phishing refers to the use of fake emails by cybercriminals to coax users into revealing sensitive data, such as usernames, passwords, credit card numbers, network credentials, and more. Attackers will typically impersonate high-ranking executives from the user’s company (like the President or CEO), client firms or other trusted organizations (like Canada Revenue Agency) and send out an appeal for immediate action (like making a bill payment or confirming financial details).
Given the public’s thirst for information, fraudsters are preying on those with real-world concerns, posing as health agencies, like the World Health Organization (WHO), or government programs, like the Canada Emergency Response Benefit (CERB), and delivering malware to unsuspecting individuals. These phoney emails, or “scareware,” often claim to have a test or a cure for the virus, offer protective health equipment or financial aid (like the CERB), or even encourage people to donate money to fake charities.
With the spike in phishing scams exploiting the COVID-19 crisis, the WHO has set up a page for reporting suspected scams, and the Canadian Anti-Fraud Centre has posted a list of reported scams.
Here’s what to do:
- Be on the lookout for suspicious emails or fear-mongering messages from unknown senders;
- Don’t click on any attachments or forward them to family or friends;
- If you receive an email from a seemingly legitimate source, verify the authenticity of the sender by checking their email address and the link;
- Be wary of any websites that start with “coronavirus” or “COVID”—many opportunistic crooks have already registered relevant domain names for malicious use;
- Advise all employees on how to spot phishing emails, and to report them immediately;
- Heighten email system security protocols with advanced threat protection (ATP) to detect malware immediately. Consider caution banners for all emails received from an external source and verbal authentication procedures for any email requests involving payment information or similar requests for sensitive data.
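For IT teams, the checks in the list above (sender address, link destination, "coronavirus"/"COVID" hostnames, and the external-sender banner) can be automated at the mail gateway. The following is an added example, not part of the original article; the internal domain `example.com`, the `KNOWN_SENDERS` map, the flag names, and the sample message are assumptions constructed for illustration, and the hostname check is extended to every DNS label rather than only the start of the address.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"   # assumption: your organization's mail domain
# Assumption: organizations staff expect mail from, mapped to their real domain.
KNOWN_SENDERS = {"world health organization": "who.int"}
LURE_PREFIX = re.compile(r"^(coronavirus|covid)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample: display name claims WHO, address and link do not match.
SAMPLE = """From: "World Health Organization" <alerts@who-int.example.net>
To: staff@example.com
Subject: Urgent: COVID-19 safety measures

Review the attached guidance: http://covid19-relief.example.org/login
"""

def host_in(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return warning flags for one RFC 5322 message with a plain-text body."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    flags = []
    if not host_in(sender_host, INTERNAL_DOMAIN):
        flags.append("EXTERNAL_SENDER")            # drives the caution banner
    for brand, domain in KNOWN_SENDERS.items():
        if brand in display.lower() and not host_in(sender_host, domain):
            flags.append("DISPLAY_NAME_MISMATCH")  # name and address disagree
    body = msg.get_payload()
    for url in URL_RE.findall(body if isinstance(body, str) else ""):
        host = (urlparse(url).hostname or "").lower()
        if any(LURE_PREFIX.match(label) for label in host.split(".")):
            flags.append("COVID_THEMED_HOST:" + host)
        if host and not host_in(host, sender_host):
            flags.append("LINK_OFF_SENDER_DOMAIN:" + host)
    return flags

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A flagged message is a candidate for a banner or quarantine review, not proof of fraud; legitimate newsletters often link to third-party hosts.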
2. Take steps to reduce the vulnerability of your IT infrastructure.
As companies pivot to support a remote workforce, more organizations are relying on VPN and telework capabilities to enable their business functions. A virtual private network, or VPN, allows remote users to safely access their company’s applications, content, and resources through a secure network connection that encrypts data in transit between the user and its services.
With a significantly higher volume of employees working from home than ever before, VPNs are particularly susceptible to distributed denial of service (DDoS) attacks. DDoS attacks flood the bandwidth or resources of a targeted system, like a VPN server, with hundreds of useless connections, causing it to reallocate resources towards the surging traffic and crash as a result.
To combat this risk, follow these steps:
- Employ multi-factor authentication and a lockout feature for multiple incorrect attempts;
- Ensure all security patches are up-to-date;
- Limit and monitor remote access to applications, content, and sensitive databases;
- Set download limits;
- Back up data to a central location daily and make sure that IT staff test restores regularly;
- Schedule forced password changes every 60-90 days;
- Coordinate with your network providers (or engage new business partners) to increase your VPN and desktop virtualization licenses, capacity, or bandwidth if your organization normally has a limited number of remote users;
- Consider “whitelisting” certain programs so only safe and necessary applications are allowed to run on systems.
3. Limit the use of personal devices, or secure them if needed.
For maximum control of cybersecurity hygiene and visibility, it’s best to provide portable IT equipment when possible. Before being delivered to staff, these devices should undergo your organization’s regular security onboarding process and be encrypted at all appropriate levels.
But with supply chains backed up to accommodate growing demand and few other options, many organizations are now asking employees to temporarily use their personal devices for work while they wait for new equipment to arrive. This is a necessary but risky solution, since employers cannot guarantee adequate protection from cyber threats on consumer-grade laptops and routers. And if any data is leaked or breached through a personal computer, the organization will be deemed liable since they’re not fully in control of their devices.
To mitigate these risks, be sure to:
- Implement stronger controls in your VPN or remote desktop endpoints and accounts to compensate for the potentially weak security posture of employees’ personal devices;
- Limit access to functions, files, and applications as needed (if possible);
- Review your remote work and Bring Your Own Device (BYOD) policies and update them accordingly to reduce the risk of unintentional noncompliance;
- Ensure your IT support is well-equipped to deal with complex issues across various systems and software rather than standard-issue products;
- Ensure all staff members are familiar with the organization’s policy and guidance;
- Encourage employees to communicate with colleagues using company-approved instant messaging platforms or email, especially when discussing sensitive information;
- Caution employees against allowing friends and family to use their personal device so they don’t accidentally access sensitive data or stumble into a phishing scam.
4. Communicate with Employees.
Update your employees through weekly or even daily messaging. In times of crisis, people look to their leaders for guidance. As an employer, you have a responsibility to protect your employees and keep them aware of the situation so they feel comfortable, supported, and confident in your leadership.
Communicating with your employees also reduces the potential for misinformation and, with it, risk. Continuous end-user education and communication are crucial to ward off cyber threats. Even something as simple as an updated list of legitimate information sources might make employees less likely to click on a bad link or open a fake document. Provide guidance to staff through awareness messaging on:
- How to keep software up-to-date (like anti-virus protections) and why it’s important;
- How to use remote-working solutions, like VPN and remote desktops;
- How to report any problems, particularly security issues;
- COVID-19-related cybersecurity threats, like phishing attacks, fraudulent websites, and scam campaigns;
- Best practices for storing, handling, and sharing confidential information when working remotely;
- Training on any revised policies and practices where required.
5. Review your business continuity plan.
The spread of COVID-19 and the transition to remote work may have an impact on your data security and privacy breach incident response plan. Review and update it to accommodate the shifting needs of your business during these uncertain times. Confirm:
- The contact details and alternative contact details for all key stakeholders;
- If any stakeholders are affected by COVID-19 and are thus unavailable in the event of an incident;
- If you have named alternates for all incident management team members;
- If your cyber insurance policy includes coverage for remote working access management and use of personal devices and if not, update accordingly;
- If any of your key external service providers (e.g. lawyers, forensics, first responders) are unavailable due to COVID-19.
6. Look into Data Security and Privacy Breach Insurance.
If you don’t have existing cyber coverage, consider Data Security and Privacy Breach Insurance. A comprehensive policy can help offset some of the potential financial loss from legal fees, damages, and associated expenses.
Your coverage will also include:
- Access to a forensic investigations team to help you determine the size and scope of the breach;
- A breach coach to advise you on regulatory compliance, guide you through the legal process of navigating a breach under attorney-client privilege, and tell you what to report and when;
- Funds to set up credit monitoring and client notification for affected parties; and,
- A team of consultants to help manage any reputational damage.
Need help? PROLINK can help you plan and protect. We can share what steps others in your industry are taking and advise you based on your operations and your unique needs.
These are trying times. With each passing day, it becomes clearer that organizations must combat COVID-19 on multiple fronts. As companies are forced to rapidly adapt to evolving work arrangements, digital protection must be front and centre for all organizations as a fundamental cornerstone of business continuity and survival through this global pandemic.