As we all adapt to our “new normal” of increased digitization amid the coronavirus pandemic, cybercriminals have not relented from seeking ways to exploit the crisis and find cracks in our digital systems. Millions of Americans have shifted to remote working, presenting a unique threat to personal data and company-wide systems and threatening collapse for organizations that are ill-prepared.
Therefore, it is imperative that every organization takes the necessary measures to tighten security. Here are 10 key steps every company can take to protect its employees and digital assets as we navigate the Covid-19 crisis:
1. Beware of phishing scams
Times of crisis are the best breeding ground for social engineering. Many security firms have reported a surge in phishing scams, with customized campaigns aimed at remote workers to steal credentials and spread malware. With employees no longer being in the secure confines of the highly protected company network, they are more likely to fall victim to an attack and jeopardize their own and their organization’s security.
Key tip: Make sure employees use multi-factor authentication (MFA) on their corporate accounts. MFA reduces the risk of account takeover considerably. Also, remind them not to click on links or open attachments unless they are absolutely sure about the source.
2. Deploy a trusted VPN
Many organizations use a virtual private network to allow their employees to access corporate applications and assets without making their network open to the public internet. It is important, however, to note that the security of the VPN itself is paramount. If a cybercriminal gains access to the VPN credentials, it will give them a foothold into the corporate network. Nothing good will come from that.
Key tip: If you’re using a VPN for remote work, make sure to secure it with multi-factor authentication to avoid unauthorized access to your corporate network.
3. Use a secure SSO platform
Some companies rely on multiple cloud services and online platforms for their daily operations. This puts an extra burden on employees, who will have to deal with managing passwords for different accounts. And as the number of passwords increase, so does the likelihood of human error and security mishaps.
Key tip: Use a single sign-on (SSO) portal with secure, multi-factor authentication. SSO will allow your employees to use a single set of credentials to access all their accounts while also minimizing the risk of account takeover.
4. Update update update
Every IT team knows that a key component of any security policy is always to keep operating systems and applications up-to-date and patched. Many organizations automate the process to avoid having to rely on employee awareness. For instance, Microsoft Active Directory enables network administrators to automatically roll out updates to all employee devices. But the problem is, with employees working from home, those automated updates and central policies no longer work.
Key tip: IT teams must have practices to make sure all employees have access to critical patches and update their operating systems and devices regularly.
5. Review privileged access
Traditional corporate security puts a lot of focus on keeping hackers out of the organization’s network. But in the Covid-19 world, the home of every employee has become the corporate network, and securing the perimeter becomes much more difficult. This requires a different perspective and more focus on every single account.
Key tip: Review organizational security policies to conform with the “principle of least privilege.” Make sure every employee account only has access to the assets and features the employee needs and nothing more. This will make sure that in case an account is compromised, the attacker will not be able to exploit some unwarranted privilege to inflict damage.
The work-from-home norm has increased the need for online collaboration tools as employees no longer have access to conference rooms and the watercooler to share ideas and coordinate on tasks. But not every online collaboration tool is safe, and organizations must be wary of the applications their employees use.
Key tip: Work closely with your employees to understand the needs and provide them with the necessary collaboration tools that your security team approves. If you don’t provide them with the tools, they will probably find their own insecure ways to collaborate and share sensitive company information.
7. Back-up your data
Another convenience lost in the pandemic is the automated backup of corporate data. While working on their devices at home, your employees might no longer have access to their network-attached storage (NAS) and online drives that are being regularly backed up by the IT team.
Key tip: Make sure your employees understand the importance of backing up their data and have access to proper online and offline backup tools. Also, make sure those backups are working.
8. Plan for upcoming helpdesk needs
No matter how much you prepare for remote work, there will be surprises and unexpected twists down the road. Moving to remote work is bound to bring some unexpected IT needs from employees.
Key tip: Pay special attention to your support team. Helpdesk teams are crucial at times of change to guarantee continuity of work. Keep the helpdesk well-staffed to make sure they’re not overwhelmed. At the same time, try to minimize preventable issues such as password resets and renewals (the previous tips will help you achieve this).
9. Encrypt sensitive data on edge devices
Remote work increases the physical risks of data loss. People lose their laptops and storage devices as they take them around with them. This highlights the importance of protecting corporate data stored on employee devices.
Key tip: Make sure employee devices are encrypted. Most mobile and desktop operating systems support full-disk encryption. Thumb drives can be encrypted too. Encryption will make sure that the loss of devices does not lead to the loss of data.
10. Educate employees on IT security basics
Home networks don’t have the stringent safeguards of the corporate environment, and they can become a great risk to business-related assets. After years of being pampered and watched over by the IT security team, your employees must now learn to fend for themselves.
Key tip: Now’s a good time as any to educate users on the basics of security. Teaching your employees basic security practices on handling sensitive business data, setting up passwords on routers, and securing smart devices can go a long way toward protecting them—and by extension your organization—from security mishaps.
Raz Rafaeli, CEO and Co-Founder, Secret Double Octopus