Computer Safety During COVID-19
Even before the COVID-19 crisis hit, many businesses were increasingly shifting from in-office operations to offsite ones. But now, the steady stream has become a flood--and because of this rapid push to remote, companies and their computer systems are now more vulnerable to security attacks and risks. Let's look at a few of those issues, and how to remedy them.
Phishing E-mails
THE DANGER: When the world gets scared, criminals see opportunity. Major cybersecurity firms are reporting a sharp uptick in phishing e-mails--specifically, e-mails pretending to offer important information about COVID-1. When the employee clicks a link in that e-mail, dangerous software is installed that gives a hacker possible control of company systems.
THE REMEDY: Train, retrain, and remind employees not to click on links or attachments unless they are expecting or recognizing the file or file link. They can also right-click a link, which shows its URL (without actually activating it); if it looks suspicious, they can go to a service like Virustotal and do a scan for malicious content. The same right-click trick works to identify the sender: Often the name in the "from" line appears to be familiar, but the viewing the full address reveals it's from a totally different source. As a last resort, encourage employees to text, call or e-mail (using a known e-mail address) the sender and ask if they intended to send a message with a clickable payload.
Stolen Log-Ins and Passwords
THE DANGER: Ever since the 2017 Equifax data breach that exposed the personal info of millions, the security of apps and websites has been a source of concern. But it isn't always the firm's fault. For example, a story recently came out saying that more than 500,000 Zoom users' usernames and passwords had been found for sale on the dark web. Zoom has had some security issues, but in this case, hackers found those 500,000 accounts largely by "credential stuffing"--locating information from a past data breach on another site, and using it to try and log into Zoom. It worked because people employ the same username and password on multiple platforms.
THE REMEDY: When employees create accounts via company systems, they MUST use drastically different passwords for each account. That's true of both business and home. Never reuse a password. Use a password manager that creates, encrypt, and store your logins for all the sites you visit; you just type in the same master password to activate it each time.
Vulnerable Home Offices
THE DANGER: If your company's servers are physically located in your office (as opposed to being a cloud-based service, which stores data online), then it's crucial that your employees' home-office setups have the same security standards. Otherwise, those onsite work servers risk compromise from a breach.
THE REMEDY: A virtual private network or VPN. Think of a VPN as a private tunnel between one place and another--in this case, an employee's desktop or laptop and the office server. The VPN allows the employee to securely use their company computer at home the same they would if they were onsite.The best way to set up a VPN is through the business's IT company or in-house staff, to ensure that it only allows traffic from clearly defined, vetted sources.
For companies that don't have a sophisticated network, there are many do-it-yourself, "plug and play" VPN services like NordVPN or Teamviewer. While made for easy deployment, they would not be considered "secure" for accessing high-value assets or extremely private data. There are also apps for mobile devices; one low-cost but high-quality example is the 1.1.1.1 app from Cloudflare.
Hasty Decisions
THE DANGER: Companies that serve the technology space are aggressively targeting businesses with solutions that may or may not be appropriate. And because business owners may not hold the expertise to properly vet the quality and cost of the solution--but are feeling pressure to upgrade their systems fast--they may inadvertently put their company at risk from a security perspective and/or violate compliance requirements.
We're living in a time when company leaders are making decisions at an unprecedented pace. Decisions that would have normally taken months of due diligence are now being made in days and sometimes hours. Although companies around the world are learning that they are far nimbler than they've given themselves credit for, due diligence when it comes to your IT is essential, not only because it makes good business sense, but because companies are still under certain compliance standards.
THE REMEDY: First, remain slow to sign up for new services. Granted, that's hard in the current economic atmosphere of "adapt or die." You can tackle the immediate emergency issues with a slightly accelerated process. But for all others, use the same due diligence that you normally would--especially if your firm operate under Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI), or other compliance standards.
Have a trusted technology partner that can help you evaluate potential solutions. Ask another business owner who and what they use for their tech, ask a question on a Facebook or Reddit message board, or ask one of your IT vendors. This is a time when herd mentality works to your advantage. If everybody is using a solution and report good results, you're probably safe but make sure you have an implementation plan before purchasing.
One key question you might have in our brave new remote-work world: Do employee homes require extra security equipment? The good news: No, they don't. If the company has locked down employee computers appropriately, created the proper security on company networks, and trained employees on how to spot malicious e-mails, an employee should be able to work from anywhere without creating outsize risk for company assets.
Tim Parker is co-founder and President of The Web Group, an IT consulting firm based in Florida.
© Copyright IBTimes 2024. All rights reserved.