As the COVID-19 (coronavirus) pandemic continues to interrupt everyday life, millions of employees have had to start working outside the office. For many, that’s a new concept, and they may not be as cautious about securing their equipment and data as they are in the office.
Mike Semel, president of Semel Consulting, a Las Vegas-based IT security consultant and a member of CompTIA’s IT Security Community, shared tips with CompTIA to ensure that your business—and potentially your customers’ business—remains protected:
Q: What’s your biggest security concern about a company rapidly expanding its remote workforce as a result of COVID-19 concerns?
The rush to get people connected without considering the security risks. For example, connecting employees’ personal home computers across a VPN to a network, without first checking and sanitizing the computer, could allow malware to steal credentials to corporate systems and the sensitive, proprietary, and regulated data they hold.
Q: Are you concerned about cybercriminals looking to exploit the inexperience of traditional office workers now working remotely?
Cybercriminals are smart and have long exploited office workers using social engineering skills to get people to believe they are their boss or an executive. They won’t stop now and will use their skills to try to convince workers to transfer money, buy gift cards, share sensitive information, and redirect payroll direct deposits. Always verify in person by phone that a request is legitimate.
Q: What are some new schemes/tactics that cybercriminals are using to trick new remote workers?
Cybercriminals will take advantage of the news to trick workers. Recently I have seen restaurants and online companies advertising gift cards for people to buy for themselves and to give to housebound friends and family. It wouldn’t take much to spin that news into a request from ‘the boss’ to buy cards and send the card numbers “because we want to support our workers at home.” If you get that request, call to verify it in person.
Q: Are businesses adequately protecting themselves (with appropriate security solutions) to thwart these attempts?
Many businesses have not adequately protected themselves because we know they have been past victims of scams and hackers. Every business has to work harder to implement their security because a lot of employees who aren’t tech-savvy are now having to work from home.
Many businesses have already had executives and sales reps that travel set up to work remotely. Their systems were set up for secure access outside of the corporate firewall. But today is different. Support staff, financial staff, administrative workers, marketing assistants, receptionists, and many others used to working in offices are now being sent home with their desktop computers and phones.
IT departments and MSPs are stretched to the breaking point just getting everyone communicating. In the next days and weeks after the initial rush, every business needs to re-evaluate its security and implement whatever systems and processes are required to bridge the gaps.
Q: Are businesses adequately training new remote employees re: security procedures?
People are scared. They are distracted by news reports, kids, and fear for their own safety. This is a good time to go back and do some basic computer security training. Include more emphasis on physical security of corporate information, including verbal information that might be overheard during phone calls, conference calls, and videoconferences. Remind people to log out when they walk away from their system.
Q: What’s your advice to companies that think investing in a new teleworking environment only provides short-term benefits?
Don’t think of this just as a temporary inconvenience, but as a test to see if you can run your business with some or all of your staff continuing to work from home after the emergency. Do you really need a physical office? Does it need to be as big? Are workers able to get as much work done from home? It is harder to evaluate this because so many of your customers, clients, or patients are also disrupted, but you may be able to use this extraordinary situation to make some long-term business decisions.