With recent events, many organizations have quickly switched from onsite offices to a fully remote workforce and with inability to control the spread of this virus at this point some businesses are looking at working remote as a long-term solution and potentially the new normal. While remote work was growing in popularity before it became a necessity, there are still many people across industries like government, finance and education who have never had to work like this before. For these types of industries, the move to a remote working model came quickly rather than being able to transition gradually. They’re now required to navigate an entirely different way of getting their jobs done while helping their kids with homeschooling and many other chores while working from home. If more organizations are seeing that their employees can be just as productive from their homes, it could accelerate a recent push to expand decentralized workforce. Any company that has seen effective remote work during the pandemic will consider expanding it to cut office costs and expanding their workforce beyond their city wall.
With that in mind, the security framework many organizations established at the beginning of the year have radically transformed to support this new remote work framework. Organizations have been looking to have security embedded in their policy and procedures, in order to minimize their exposure to risk as much as possible.
Cyber crime is an everyday reality. Attackers have launched a wave of phishing, ransomware and social engineering campaigns taking advantage of the confusion and distraction. Some cyber attack attempts are superficially work-related like a phony email from IT asking the user to click on a link to reset their password while some make emotional appeals looking for support of a “decent cause” or use government stimulus or other financial incentives as the hook.
According to a Check Point Software & Dimensional Research survey, 71% of IT and security professionals globally report an increase in security threats since the beginning of the pandemic. Just over half (55%) cited phishing attempts as the leading threat, followed by malicious websites claiming to offer information or advice about COVID-19 (32%) and increases in malware and ransomware (28% and 19% respectively).
According to Brent Arnold, partner and cyber security specialist at Gowling WLG, there has been an emergence of thousands of domains with COVID-19 related names and themes even some presented as government websites that are being used in attacks.
Due to nature of my job I have regular conversations with IT managers and C-levels of different organizations and it’s clear that staying ahead of known and emerging threats in this new landscape has added even more levels of complexity to an already complicated job. CIOs and CISOs at organizations everywhere are looking for the best way to handle these challenges while keeping employees safe and productive. We also have to keep in mind that the new environment has put some cyber security decision-making in the hands of remote employees.
Therefore, we must have an action plan in place in order to help remote employees make the right decisions. Some items to consider for this action plan are:
1. Train employees to recognize social engineering
2. Protect against online fraud
3. Protect against phishing
4. Don’t fall for fake antivirus offers
5. Protect against malware
6. Develop a layered approach to guard against malicious software
Social engineering is used by many criminals, both online and off, to trick innocent people into giving away their personal information and/or installing malicious software onto their computers, devices or networks. Social engineering is successful because the cyber criminals are doing their best to make their work look and sound genuine and legitimate, which makes it easier to deceive users. Information collected from social networks or posted on websites can be enough to create a convincing scam to trick your employees. Teaching people the risks involved in sharing personal or business details on the Internet and training them to recognize red flags while using online services can help you partner with your staff to avoid both personal and organizational losses.
Online fraud takes on many forms that can affect everyone, including small businesses and their employees. It is helpful to maintain consistent and predictable online messaging when communicating with your customers to prevent others from impersonating your company. Be sure to never request personal information or account details through email, social networking or other online messages. Let your customers know you will never request this kind of information through such channels and instruct them to contact you directly should they have any concerns.
Phishing is a form of social engineering used by online criminals to trick people into thinking they are dealing with a trusted entity. Small businesses face this threat from two directions: phishers may be impersonating them to take advantage of unsuspecting clients, and phishers may be trying to steal their employees’ online credentials.
Again, Employee awareness and training is your best defense against your users being tricked into handing over their usernames and passwords to cyber criminals. Also, Businesses should ensure that their online communications never ask their clients to submit sensitive information via email. Make a clear statement in your communications reinforcing that you will never ask for personal information via email so that if someone targets your clients, they may realize the request is a scam.
Effective protection against viruses, Trojans and other malicious software requires a layered approach to your defenses. Antivirus software is a must but should not be a company’s only line of defense. Instead, deploy a combination of many techniques to keep your environment safe.
In Summary a combination of spam filters, antivirus protection, proactive malware protection, firewalls, strong security and password policies, encryption of data at rest or in motion, access control and authentication policies, retention policy and employee training can significantly lower the risk of a data breach.