The Rush to Remote Work
Amid COVID-19, Businesses Fail to Employ Necessary Safety Nets
The COVID-19 (Coronavirus) pandemic made everyone rush to start working from home. Most of this quick-start remote work was launched without considering the employment of necessary security features such as multifactor authentication, antivirus programs, and safety nets for the internet of things (IoT) devices. As a result, many businesses are being hacked and are paying the consequences for failing to be prepared for employing an instant remote workforce.
Did You Forget the Safety Nets?
With nearly no notice, a multitude of businesses and employers were asked to continue operations with a remote workforce the likes of which has never before been seen in modern history. Due to the global COVID-19 pandemic, businesses were either deemed “essential” or “nonessential” by our local governments.
Those that were essential were asked to keep working through the crisis despite the health risks. This has included many businesses such as grocers, truck drivers, healthcare professionals, postal workers, fast-food chains, and more. While most of these frontline workers must still attend work in their regular capacity, other businesses that were non-essential were forced to either shut down completely or find an alternative means for their work to continue. The obvious answer was using technology to produce an instant remote workforce.
With access to a computer and the internet, most businesses found their employees could continue working, at least to some degree, from the comfort of their own homes while under shelter-in-place or stay-at-home orders. While this modern technology has allowed many companies and organizations to stay afloat amidst the chaos of such an unprecedented time, many have overlooked the basics of security hygiene in the rush. This means many businesses gave up their proper security safety nets in exchange for a fast fix to keep moving forward.
Where’s Your VPN?
Most business leaders now know that when working remotely, all of your devices should employ a virtual private network (VPN) to help keep hackers at bay. It also provides a fast and reliable platform for your remote workforce to plow forward despite their location. Though many businesses may have offered up a VPN for their traveling salespeople, many companies failed to provide them to all of their remote workers when the COVID-19 pandemic began.
This failure can be dangerous, as many unfortunate organizations have already learned. While working from home without the cover of a VPN, people are working on computers with unsecured networks. Cybercriminals can easily take advantage of such unsecured networks to access your company’s valuable data from personally identifiable information (PII) such as employee social security numbers to proprietary information and trade secrets that could cost your business millions of dollars or worse.
This is one reason VPNs are so vital to anyone working remotely. A VPN is a private network that can attach to a public network such as the internet to securely connect remote sites and users. The VPN uses a “virtual” connection routed through the internet from a business’s private network (or a third-party VPN host) to your remote workforce. This VPN offers additional security for your business data by encrypting it so it can’t be read by a hacker.
Today’s VPNs feature lightning-fast speeds, unlimited access for a multitude of remote workers, and advanced security including military-grade encryption, privacy safeguards, and TrustedServer technology. Modern VPNs allow remote workers access to a business’s intranet resources so they can continue to work as if they were at their office desktop. Furthermore, if your business conducts communications and/or online transactions, a VPN really is a must to ensure that your business remains private and your data is secure even when your employees are working from home.
Once this health crisis subsides, you can continue to utilize your VPN to boost your business. Imagine allowing your employees the ability to flexibly work from home for any reason such as caring for a sick child, while away on vacation, or while ill themselves. Additionally, you can continue to use it for your traveling salesforce.
Multifactor Authentication
Multifactor authentication is another security feature that should accompany the use of a VPN. This technology ensures that the people logging into your network are who they say they are. It works by requiring additional authentication from anyone attempting to access your company’s information.
Computer users (your remote workers) are required to successfully present two or more forms of evidence (factors) in order to be given access to your business network. The first is something only your employees should know such as their personal login and password. Now we all know these can be stolen pretty easily by a seasoned bad actor, but that’s where the second factor comes in.
After providing the first key pieces of information, multifactor software will ask for additional authentication such as a one-time access code that is sent to the employee’s mobile device. Once they provide additional information, your employees will be granted access. The odds that a cybercriminal could crack the login and password of your employees while also stealing their mobile device are slim to none.
Authentication factors can be implemented in multifactor software or applications in the four following ways:
· Something You Have- some physical object the user has in their possession such as a secret token, bank card, key, etc.
· Something You Know- some bit of knowledge only the user would know such as a password, login, personal identification number (PIN), etc.
· Something You Are- a physical characteristic such as biometrics including voice patterns, fingerprints, typing speed, etc.
· Somewhere You Are- this is the connection to a specific network or global positioning satellite (GPS) signal to authenticate your location.
Again, this will continue to be a valuable technological asset post-COVID-19. Prior to the pandemic, it was clear the move to remote work was already underway. According to a blog by HubSpot, the number of people who work remotely at least once each week grew 400 percent in the last decade and between 2017 and 2018, telecommuting increased by 22 percent.
Keeping Antivirus Software Updated
In addition to employing VPNs and multifactor authentication, your business will also need to ensure that all of its antivirus software is updated in the office and for each employee’s devices. Antivirus software is designed to detect, prevent, and disarm (or remove) malicious software such as viruses, malware, worms, and Trojan horses from your computer(s). Some antivirus software also removes unwanted spyware and adware in addition to other nasty programs that could create problems for your organization.
Antivirus software begins by checking all of your computer programs and checking them against known viruses and malware. It will also scan your computer for behavior that’s indicative of an infection such a new, unidentified malware. Antivirus programs typically scan in three ways:
· Specific- The antivirus searches for known malware through a set of specific characteristics.
· Generic- The antivirus looks to detect malware that are variants of know malware with common codebases.
· Heuristic- The antivirus hunts for previously unidentified viruses and malware by seeking out suspicious activity or files.
Traditional antivirus software has employed one scanning engine but the most modern programs employ multiple scanning engines that offer a more robust scan to detect infected files, malicious apps, or security breaches. By running multiple anti-virus and anti-malware scanning engines simultaneously, you improve the odds of preventing attacks while filtering out any threats. This is known as multi-scanning.
In addition to the scanning engines, antivirus programs contain virus definitions that need to be updated regularly. Every virus or spyware application has a unique code and identification information which is known as a virus definition. Your security software uses these definitions to seek out, identify, and destroy invasive viruses, malware, and other malicious programs in your network. It’s imperative to keep your anti-virus and anti-malware software up to date as new viruses, malware, spyware, and the like are discovered. This allows your security programs to quickly identify new threats.
This is true not just at the office, but for every remote worker as well. Ensure the computers they are working on from their desktop and laptop to mobile devices such as smartphones and tablets have the latest antivirus software available. A feature of some of the best VPNs available is that they will check the security posture of devices before allowing them to connect. For example, they can be set up to check for adequate antivirus, firewall, and updates. This will help further protect your company’s valuable data. Furthermore, it behooves you to send frequent reminders or auto-updates to these devices to keep your antivirus updated.
Locking Down IoT Devices
While your employees may have embraced the convenience of smart devices in their homes, they may not realize that their IoT devices may be spying on them and your company as a result. By allowing your employees to work remotely, you’re putting your company assets on the same Wi-Fi network as their IoT devices which are constantly collecting data. This creates a new entry point for malicious individuals to attack your business. The good news is there are ways to reduce the intrusiveness of these devices to protect your employees and your business.
Think about all of the smart devices you or your employees may have in their homes from smart speakers and TVs to thermostats, their Ring doorbell, and video surveillance programs. Even smart pet feeders and litter boxes have the potential to spy on their owners. How?
Most IoT devices have microphones and cameras that are always online. This is an invitation for hackers who can use them to spy on us. A bad actor can use these smart devices to listen to conversations or even watch us in our own homes. This can create not only a terrible intrusion into one’s personal life but can wreak havoc on a company when someone is working remotely from home.
So how can you prevent such issues? It begins with set up. Odds are when you set up these devices, you don’t read the entire privacy policy but it’s imperative that you check the default settings when you get started with your IoT devices. This allows you to find out what data is being collected and how it’s being used. Take a few minutes during the set up of your IoT devices to turn off unnecessary data sharing.
Consider your home router the front door of your digital world. It is the connection between your smart devices and the internet so it needs to be secure. Most people use the router provided by their internet service company but they aren’t always very secure. Ask questions about the security of the router they provide. If you’re not happy with what they have to offer, many independent companies also sell routers. A move to more secure routers is a great first step in securing your employees from threats of IoT devices.
Next, name your router. Don’t stick with the name the manufacturer gave it. Each router comes with an administrator login for managing the router. Change both the login name and password for yourself. The other name and password you will want to change are the Service Set Identifier (SSID) which is the network name (how it will appear as a Wi-Fi network). Make it an unusual name not associated with your address or street name so it doesn’t give away personal identifiers. In router settings, use a strong encryption method like WPA2 when you set up Wi-Fi network access. This further aids in keeping your network and communications secure. Be sure to set up a guest network for visitors that log into a separate network that doesn’t tie into your IoT devices.
Also, check to see if your router has been infected with malware. In 2018, the VPNFilter malware infected more than 500,000 consumer routers. IoT devices are connected with the internet via routers. Symantec has a free online tool to check if your router is affected by the VPNFilter malware. Use this free tool to check your router from time to time.
Ensure your employees have done their homework about the IoT devices they have purchased or are considering for purchase. Tell them to check the privacy policies for each device and find out if the provider stores the data or sells it to a third party. Also, tell them to find out how updates are enabled on each device.
Other ways to increase the security of your IoT devices is to keep your software updates, conduct and audit of the IoT devices you are already using, and disable any features you may not need. Be sure to change all default usernames and passwords on your IoT products. Also employ strong, unique passwords for your home Wi-Fi networks and device accounts. Two-factor authentication can also be set up for smart device apps associated with most IoT devices. Encourage your employees to use it for their privacy and the protection of your company data.
Breaches of the COVID Crisis
Several businesses have suffered breaches among the Coronavirus pandemic. According to TechCrunch, Princess Cruises posted a notification on its website in early March about unauthorized access to a number of email accounts that contained the personal information of employees, crew, and guests including social security numbers, names, addresses, and information from government identification.
Silicon Angle reported that Samsung also experienced a breach. According to the report, a “technical error resulted in a small number of users being able to access the details of another user.” When Samsung became aware of the problem, it reportedly removed the ability for people to log in to the store on the website until the issue was addressed.
Zoom, an industry leader in modern enterprise video communications and digital meeting platform, experienced serious problems just last week when the credentials to more than 500,000 users were stolen and sold on the dark web for less than a penny each. According to a piece by the Daily Mail, the credentials included personal meeting URLs, email addresses and passwords, along with host keys that allow hackers to enter meetings and carry out “Zoomboming” attacks whereby questionable content is shared during Zoom meetings such as racist or pornographic material.
The Post-COVID World
Once the dust settles post-Coronavirus, it’s expected many people will continue working remotely at least part-time. A remote workforce forecast by Global Workplace Analytics suggests that the longer people are required to work from home, the greater the adoption we will see when it’s all said and done with COVID-19. So the employment of all of the above technologies will continue to serve businesses well by protecting their networks and most valuable data as remote work moves full steam ahead into the future.
Still have questions about securing your business for its remote workforce? Contact the IT and security experts at Dox Electronics now at (585) 473-7766.