As businesses everywhere rapidly mobilize to enable their employees to work from home, cybersecurity vigilance is as important as ever. Cybercriminal organizations and rogue nation-states notoriously exploit crises to target victims when they are most vulnerable. Some recent examples include:
- Malware and advanced persistent threats (APTs) - State-Sponsored Hackers Are Now Using Coronavirus Lures to Infect Their Targets
- Phishing campaigns - Watch Out for Coronavirus Phishing Scams
- Ransomware attacks - Czech Hospital Hit by Cyberattack While in the Midst of a COVID-19 Outbreak
- Scams, misinformation, and rumors - Coronavirus Scams Include Costco 'Stimulus Check' Ploy, FBI Warns
- Teleconferencing hacks ("Zoom-bombing") - FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic
Here are a few tips to help keep your employees, systems, devices, and sensitive information safe while working from home:
- Anti-malware protection - Ensure your employees have anti-malware protection installed on all their home PCs, Macs, and mobile devices and that they are running the latest threat protection updates. If they do not have current anti-malware protection, run Windows Defender Antivirus on Windows devices (you can install Microsoft Defender ATP for Mac if your company is licensed for Microsoft Defender ATP; if not, you may need to help your employees download and install suitable anti-malware protection for their non-Windows devices). Also, have them run an initial Full scan and schedule regular Quick scans on all their devices. Lastly, configure a Custom scan to scan removable storage devices. Remember, malware on any device in a network can potentially compromise other networked devices - including devices and systems on corporate networks that are connected over a VPN.
- Encryption - Turn on BitLocker to encrypt all data on device hard drives and BitLocker to Go to encrypt removable storage devices. If your employees are working on a personal device, they may need to upgrade from Windows 10 Home to Windows 10 Pro (cost: $99) to use BitLocker.
- Firewalls - If your employees have a network firewall protecting their home network, help them verify that it is set up and running correctly. If they don't have a network firewall, turn on Microsoft Defender Firewall for their Windows 10 PCs. If they need to use a VPN or certain apps, you may need to help them configure the firewall to allow access.
- Teleconferencing - In Microsoft Teams, you can manage meeting policies (such as scheduling private meetings, controlling screen sharing, and requiring guests to be admitted by an authenticated user) and settings (such as preventing anonymous users from joining meetings). Also, verify that meeting invitations are sent to the correct participants and do not post invitations or meeting details on social media.
- Untrusted devices - For employees who don't have a company-issued laptop/desktop PC or mobile device that is trusted (hybrid Azure AD joined or marked as compliant in Intune), use Conditional Access (CA) to protect sensitive information. You can build CA policies to enforce Multi-Factor Authentication (MFA), limit access in Outlook on the web and SharePoint Online, and change session controls (such as sign-in frequency and persistent browser sessions). If your company is licensed for Microsoft Cloud App Security (MCAS), you can also enable access control policies for other third-party SaaS-based apps. You'll need to weigh the impact of these policies on employee productivity against the company and/or individual risk profile (particularly for personal devices that may be shared with other family members).
- User accounts - If your employees are using a personal device, ensure they are not using shared accounts (for example, with other family members or roommates). Turn on Windows Hello on modern devices to enable biometric (fingerprint or facial recognition) authentication.
- VPNs - If you require your employees to run VPN software, you may need to revisit your remote access policy. With most of their employees working from home, many companies are finding that their VPN concentrators are at or near capacity and/or that they aren't licensed for the high volume of concurrent VPN connections. Consider enabling split tunneling to reduce the network load on your VPN concentrators (as well as your corporate WAN), but carefully assess the risks that may be introduced (new attack vectors to the corporate network and loss of traffic control/perimeter protection for connected devices). Alternatively, unless you are in a highly regulated industry that requires it, consider limiting VPN use based on the nature and sensitivity of the individual employee's work.
- Wi-Fi security - It's likely that most of your employees' home networks were set up by their ISPs and their Wi-Fi passwords haven't been changed for a while (if ever). Encourage your employees to contact their ISP (or your IT service desk) to ensure they are using WPA2 (or better) security, change their Wi-Fi passwords, and verify the identity of all devices connected to their home networks (including other PCs, mobile devices, gaming consoles, TVs, and smart appliances).
- Windows updates - Verify that your corporate-owned devices continue to get updated. Also, help your employees verify their personal Windows 10 devices are up to date to patch known vulnerabilities and get the most current protection from zero-day threats. Many companies have conditioned their employees to leave their office PCs on at night so that software packages and updates can be installed. However, most home networks do not have the same enterprise-grade security as your corporate offices. Your employees should power down their PCs at home when they are not using them. Leaving a PC on a home network powered on overnight gives an attacker 8 hours of unfettered access to install malware, steal information, send spam, and mine cryptocurrency.
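To help your service desk confirm the anti-malware, encryption, and firewall tips above on an employee's Windows 10 PC, here is a read-only PowerShell check. It is an added example, not part of the original article; the age thresholds are assumptions you should adjust to your own policy.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only posture check for a Windows 10 home-working PC.
# Both thresholds are assumptions for illustration, not values from the article.
$MaxSignatureAgeDays = 3
$MaxQuickScanAgeDays = 7

$findings = New-Object System.Collections.Generic.List[string]

# Anti-malware: Defender enabled, signatures current, Quick scan run recently.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings.Add('Defender Antivirus is not enabled (third-party product in use?)') }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Signatures are $($mp.AntivirusSignatureAge) days old")
    }
    if ($mp.QuickScanAge -gt $MaxQuickScanAgeDays) {
        $findings.Add("Last Quick scan was $($mp.QuickScanAge) days ago")
    }
} catch {
    $findings.Add("Defender status unavailable: $($_.Exception.Message)")
}

# Encryption: every volume BitLocker reports should have protection on.
# On Windows 10 Home the BitLocker cmdlets are typically missing; record that.
try {
    Get-BitLockerVolume -ErrorAction Stop | ForEach-Object {
        if ([string]$_.ProtectionStatus -ne 'On') {
            $findings.Add("BitLocker protection is off on $($_.MountPoint) ($($_.VolumeType))")
        }
    }
} catch {
    $findings.Add("BitLocker status unavailable (Windows 10 Home?): $($_.Exception.Message)")
}

# Firewall: Domain, Private and Public profiles should all be enabled.
Get-NetFirewallProfile | ForEach-Object {
    if ([string]$_.Enabled -ne 'True') {
        $findings.Add("Defender Firewall profile '$($_.Name)' is disabled")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'PASS: anti-malware, BitLocker and firewall checks are clean.'
} else {
    Write-Output "REVIEW: $($findings.Count) item(s) need attention:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script changes nothing on the device; run it from an elevated PowerShell window and have the employee send the output to your service desk.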
Finally, whether in the office or working from home, people are often the weakest link in an organization's cybersecurity posture. Working from home potentially exposes employees to many threats that don't get through on-premises security defenses in the office. Additionally, working from home under the current circumstances leaves many employees feeling isolated and unsure of who to turn to for help or information. These factors - along with anxiety, distraction, fatigue, fear, grief, and illness - make everyone more susceptible to clicking on a malicious phishing link or accidentally sending a sensitive document to the wrong email recipient. Be proactive in your end-user security awareness training and IT support efforts. Ensure your employees are getting the most accurate and up-to-date cybersecurity information directly from you, and that you are getting good information from reliable sources (such as the Federal Trade Commission (FTC) - Consumer Information Blog and ZDNet's Special Feature - Roundup: Coronavirus COVID-19 Pandemic Delivers Array of Cybersecurity Challenges) as well as trusted partners like Valorem.
Special thanks to John Allhiser, Tyler Plesetz, and Charlie Smith.