While many businesses are still shuttered or working remotely, here’s one business that is not: cybercrime. Cyber security is a major issue for businesses working from home (WFH). During a single week in April, Google saw more than 18 million daily malware and phishing emails related to COVID-19, and the FBI says that cybercrime reports quadrupled during the COVID-19 pandemic.
It’s vital that you harden your agency’s cyber security for ongoing remote work. While most regions of the country will see a relaxation of stay-at-home rules in the coming weeks and many businesses will move back to their normal offices, it’s likely that some level of WFH arrangements will be with us for the foreseeable future. Many employers may choose to rotate office staff to adhere to social distancing guidelines or will accommodate at-risk or older employees with WFH. Plus, we don’t know if resurgences of COVID-19 in the fall or winter might impose further geographic quarantines or stay-at-home rules.
With this in mind, it’s important to take steps to tighten your WFH security practices and communicate these requirements to those working remotely. We offer best practices and cyber security tips we’ve gleaned from trusted sources. Although some of these are common sense, they still represent the source of most breaches that occur, so they are essential to follow.
Cyber security tips for devices
Ideally, you and your employees should not be working on personal devices. Given that you may be facing ongoing or intermittent continued WFH setups, it might be wise to invest in agency-supplied laptops that are securely configured by your IT staff/consultant. That way you can enforce security best practices, such as restricting access to unapproved third-party applications. When employees use unvetted software or apps or personal devices, they’re inadvertently complicating your ability to comply with industry regulations and develop a thorough disaster recovery strategy. If one of these third parties is hacked, and your data is exposed, the consequences can be financially disastrous. The cost of agency-supplied and configured laptops would pale in comparison.
Other security best practices:
- Password protect your office devices, including your phone.
- Use strong passwords. Vary them by site; don’t use the same password for all sites. Update them regularly or use a password manager. See The Best Password Managers for 2020 (PC Magazine) and The best password manager for 2020 (CNET).
- Keep your computer software and browsers up to date with the latest versions on all devices.
- Make sure you have anti-virus and anti-malware software running on your computers. Install updates when alerted to do so. In addition to your preferred antivirus program, many security experts recommend the “belt and suspenders” approach of having an anti-malware program such as Malwarebytes, too.
- Enable two-factor authentication on key accounts when available. (See: Two-Factor Authentication: Who Has It and How to Set It Up)
- Lock your computer when away from your desk.
- Log out of devices at the end of the day.
- Don’t log in to important accounts or financial sites when on a free, public Wi-Fi network.
Phishing and social engineering attacks
Human error is the single biggest cyber security threat facing every business. It’s far more common for a cyber criminal to gain access to your systems or data via a lax employee than by a brute force hack. Phishing uses email spoofing and other tricks to get you to give up personal information or click through to a dangerous website that might expose you to a virus or a computer hijack. Phishing scams by phone, email, or website and other social engineering threats are a primary entry point, often impersonating trusted sites or people and companies that you know. Educate your employees about threats and establish best security practices for staff. Provide alerts and training on common threats like phishing, and require reports of any suspicious events.
While most of us are alert to “stranger danger,” our weak spot is in clicking links from people or businesses we know. Many of the big brands we use every day – Microsoft, PayPal, Amazon, Apple – are regularly spoofed, and we are tricked into clicking when we see messages like “your account is being disabled” or “thanks for your recent purchase” when we haven’t made one. Or an email from a colleague asking you to click or download something, or an email from the boss saying “We need your bank credentials for direct deposit of your check.” If something seems off or strange, it probably is. It’s better to be safe than sorry, so double check if you have any doubt. Phishers are good at gaining our trust and exploiting our fears.
It’s vital to train your team about how to be alert for and detect phishing attempts. We’ve assembled some quizzes to give you and your team practice, but be warned, they are pretty difficult. If you take the time, however, even wrong answers will teach you something about what to look for and how to spot a fake.
- Jigsaw Phishing Quiz – from Google / Alphabet
- Are You Smarter Than a Cybercriminal?
- The OpenDNS Phishing Quiz
Here are top cyber security tips for avoiding phishing scams.
- Don’t click any links or download anything from a sender you don’t know or trust. It’s always worth double-checking. If it’s a web link from your bank, instead of clicking, go to your bank website directly by typing in the Web address in your browser. If it’s a phone call, hang up and call your bank.
- Get in the habit of hovering over links to see who the email is really coming from and where a link is actually sending you. Learn how. On a mobile device? It’s a little trickier but you can and should still learn the source of a link from someone you don’t know. Here’s how: How to Check Embedded Links on Your Mobile Device
- Phishing emails often have poor grammar or spelling mistakes. That’s a big clue that it’s a fake. Also watch for copycat domains – domains with spelling errors or wrong extensions.
- Be suspicious of any email or phone calls that demand you take action right away or that threaten you. The IRS and CDC don’t call or email to threaten you or demand money. Urgency and threats are hallmarks of fraud.
- Avoid filling out forms in email messages that ask for personal financial information. You should only communicate information such as credit card numbers or account information via a secure website or the telephone.
- Always ensure that you’re using a secure website when submitting credit card or other sensitive information via your Web browser. Look for “https” in the URL. How Can I Tell If a Website Is Safe? Look For These 5 Signs.
- Regularly log into your online accounts to ensure that all transactions are legitimate.
- Always report “phishing” or “spoofed” e-mails to the following groups: forward the email to firstname.lastname@example.org; forward the email to the Federal Trade Commission at email@example.com; when forwarding spoofed messages, always include the entire original email with its original header information intact.
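Two of the tips above, checking where a link really goes before clicking and watching for copycat domains, can be automated as a first-pass filter for a mail gateway or a help-desk triage script. The Python below is an added example and is not code from the original article or from any vendor named on it. It extracts every link from an email body, compares the domain shown in the link text with the domain the href actually points to, and flags look-alike domains against a short allowlist (the four brands the article names as commonly spoofed; the list, the digit-for-letter substitutions, the constructed sample message, and the two-label “registrable domain” shortcut are all assumptions for illustration). It also notes links that are not https, with the caveat that https alone only proves the connection is encrypted, not that the domain is the one you intended, which is why the first two checks carry more weight.

```python
"""Flag suspicious links in an email body: mismatched display text, look-alike
domains and plain-http links. Added example; the email below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the article names as commonly spoofed; extend with the sites your staff use.
TRUSTED_BRANDS = {"microsoft.com", "paypal.com", "amazon.com", "apple.com"}
# Digits commonly substituted for letters in look-alike names (0->o, 1->l, 3->e, 5->s).
HOMOGLYPHS = str.maketrans("0135", "olse")

# Constructed sample message (not a real phish); the hostnames are invented.
SAMPLE_HTML = """
<p>Dear customer, your PayPal account is being disabled. Sign in now:
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/signin</a></p>
<p>Thanks for your recent purchase at <a href="https://www.amaz0n.com/orders">Amazon</a>.</p>
<p>Support: <a href="https://www.microsoft.com/">microsoft.com</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return (brand, reason) if host imitates a trusted brand, else None."""
    dom = registrable_domain(host)
    if dom in TRUSTED_BRANDS:
        return None
    labels = host.lower().split(".")
    dom_name = dom.split(".")[0]
    for brand in sorted(TRUSTED_BRANDS):
        brand_name = brand.split(".")[0]
        if dom_name == brand_name:          # e.g. paypal.co
            return brand, "wrong extension"
        if levenshtein(dom_name.translate(HOMOGLYPHS), brand_name) <= 1:
            return brand, "misspelling or look-alike characters"   # e.g. amaz0n.com
        if brand_name in labels[:-2]:       # e.g. paypal.com.account-verify.example
            return brand, "brand used as a subdomain of an unrelated domain"
    return None


DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


def check_link(href, text):
    """Return the reasons this link deserves a second look (empty list if none)."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    actual = registrable_domain(host)
    # 1. Display text names a different domain than the one the href goes to.
    m = DOMAIN_IN_TEXT.search(text.lower())
    if m and registrable_domain(m.group(1)) != actual:
        findings.append(f"text shows {registrable_domain(m.group(1))} but link goes to {actual}")
    # 2. Copycat domain: misspelling, wrong extension, or brand buried in a subdomain.
    hit = lookalike_of(host)
    if hit:
        findings.append(f"{actual} imitates {hit[0]} ({hit[1]})")
    # 3. No TLS at all. https proves only encryption, not identity, so 1 and 2 still matter.
    if parsed.scheme != "https":
        findings.append("link is not https")
    return findings


def scan_email(html):
    """Return [(href, findings)] for every link in the message body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, check_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_HTML):
        print(href, "->", "; ".join(findings) or "ok")
```

Run on the constructed sample, the first link is flagged three times (text says paypal.com, the href lands on an unrelated domain with “paypal.com” as a subdomain, and it is plain http), the second once (amaz0n.com is a digit-for-letter copy of amazon.com), and the genuine microsoft.com link passes. The two-label domain shortcut misreads hosts under suffixes such as co.uk; a production filter would use a public-suffix list.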
A recent teleconference phishing scam and security threat
With the popularity of teleconferencing while so many are on WFH arrangements, Zoom, WebEx and other popular teleconferencing apps have been the subject of phishing as cyber crooks try to get login details. TechRadar talks about the multiple scams that aim to steal video conferencing logins by sending spoofed “welcome” and “you missed a meeting” messages, among other scams. Plus, Zoom has been the subject of recent complaints for security flaws and privacy issues, which the company is now addressing. Here are tips from Wired on How to Keep Your Zoom Chats Private and Secure and from Malwarebytes: Keep Zoombombing cybercriminals from dropping a load on your meetings.
Review your Cybersecurity Insurance
Given the change in work circumstances since the pandemic, be sure to review your existing cyber insurance to see what it covers. Does it extend to working from home and does it encompass your employees? Bruce Cochrane talks about what good cyber coverage should encompass in his article Cyber Risk: The best opportunity for Independent Agents since the invention of the automobile. He notes that, “The real solution is a comprehensive cyber package protection: coverages that address the four primary exposures: property loss, business interruption, crime for theft and extortion and liability. Cyber Liability simply isn’t the solution – it’s like buying one leg of a four-legged stool and trying to sit on it. Our clients need the whole package.” The same advice would apply to your agency!
More cyber security resources
Cyber security basics – Everything you need to know about cybercrime – from Malwarebytes: “The world of cybercrime is always changing. When viruses first appeared, most of them were pranks. To stay safe online, one of the best things you can do is stay educated on the litany of threats that lurk on the web. Use this information hub to learn everything you need to know about cyberthreats, and how to stop them.”
Seven Ways in Seven Days to Boost Cyber Security While Working Remotely – from Hartford Steam Boiler: “One productive use of time while working from home is attending to cyber hygiene. Here’s a list of things that can be done simply and quickly over the next week to improve home cybersecurity and enhance digital experiences.”
The Federal Trade Commission (FTC) Coronavirus Advice for Consumers to Avoid Coronavirus Scams and Guidance for businesses on how to get support, avoid scams, and follow appropriate practices in the marketplace.