In light of the global pandemic caused by COVID-19, many companies are adapting to a new reality. For many organizations, that means that most, if not all, of their employees are working remotely. This allows employees to adhere to social distancing guidelines while still being productive. While there are many distractions and challenges to overcome while working from home, there is also an increased level of risk when it comes to information security. In this blog, we will go over a few remote workforce considerations.
Virtual Private Networks (VPNs) are your friend in a time like this. VPNs essentially create a virtual tunnel from employee computers to the organization’s network, making it seem as if they were plugged into your network from their desk. With that being said, VPNs have been used by organizations for years, but not quite to the degree we are seeing lately. With close to 100% of your employees working from home, you need to ensure your VPN can support the increased bandwidth. Additionally, VPNs by default weaken your organization’s network boundary by allowing additional devices to connect to the internal network. Check out our blog on VPNs for two key security considerations to make sure you are configuring yours securely.
Increase in Social Engineering Attacks During COVID-19
In the last few weeks, we have seen an uptick in social engineering attacks for many organizations. In a time like this, employees are putting the mission first and doing whatever it takes to get the mission accomplished. While this is a wonderful aspect of humanity, it also plays right into a social engineer’s hands. They know your employees are working remotely and are a little more stressed than usual. They also know your employees are not in their normal routine and have been asked to do many different things lately. This makes them more likely to comply with an “urgent request” used as part of a phishing attack. There are a few things you can do to lessen the impact of social engineering during COVID-19. First and foremost, put a banner on all emails that originate from outside of the organization. Below is one good example we’ve seen recently.
This banner goes a long way to help users protect themselves. In addition to that, make sure your employees know there is an increase in attacks right now and they need to be vigilant. Whenever an employee reports a phishing attempt, consider sending out a “Be on the Lookout” email to everyone, as an attacker rarely targets just one individual.
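The gateway-side decision behind such a banner, as an added Python example (not code or banner text from this blog): mail counts as internal only when the sending session was authenticated and the From domain is one of yours, so a spoofed internal address or a look-alike domain still gets tagged. The banner wording, the `X-External-Banner` header, the `authenticated` flag and the sample messages are all assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed wording; the page's own banner image is not reproduced here.
BANNER = "CAUTION: This email originated from outside the organization."
MARKER = "X-External-Banner"  # hypothetical header recording that the gateway tagged it


def is_external(msg, internal_domains, authenticated):
    """Internal only if the session was authenticated AND the From domain is ours."""
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    return not (authenticated and domain in internal_domains)


def add_banner(raw, internal_domains, authenticated=False):
    """Return the parsed message, with the banner prepended if it is external."""
    msg = message_from_bytes(raw, policy=policy.default)
    del msg[MARKER]  # a marker supplied by the sender is untrusted: drop it
    if not is_external(msg, internal_domains, authenticated):
        return msg
    for part in msg.walk():
        if part.is_attachment():
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            part.set_content(BANNER + "\n\n" + part.get_content())
        elif ctype == "text/html":
            part.set_content(f"<p><b>{BANNER}</b></p>" + part.get_content(),
                             subtype="html")
    msg[MARKER] = "1"
    return msg


# Constructed sample: display name imitates an internal address, real sender is outside.
SPOOFED = (b'From: "ceo@corp.example" <billing@mail.test>\n'
           b"Subject: Urgent request\n\nPlease wire the payment today.\n")
# Constructed sample: genuine internal mail carrying a stale marker header.
INTERNAL = (b"From: Alice <alice@corp.example>\nX-External-Banner: 1\n"
            b"Subject: Lunch\n\nNoon?\n")

if __name__ == "__main__":
    print(add_banner(SPOOFED, {"corp.example"}).get_content())
```

In production this decision belongs in the mail gateway's own rule engine, which knows whether a session was authenticated; the From header alone is not evidence of origin.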
While employees are working from home, you should, to the maximum extent possible, try to avoid having them use their personal devices for company business. Now is not a good time to adopt a Bring Your Own Device (BYOD) policy and allow all these new devices to connect to your network using VPN. Simply put, you do not have control over the security of their personal devices. They are likely missing patches, have never been hardened, and may even have malware on them already. Additionally, this can lead to sensitive information being copied to these other devices, causing the organization to lose control over that information. This needs to be clearly communicated to your employees, as they may think they are helping out by not bothering the IT department for fixes to their company-issued laptop when something is not working. One additional technical control here would be to limit the devices that are allowed to log in to the VPN to only corporate-owned devices, using client certificates, for example.
COVID-19 has had an impact on all of us. While we are all doing everything we can to continue working and be there for our customers, we have to make sure we are keeping security in mind. Sadly, the number of attacks your organization will face is only going to increase in times of crisis. If you need help with anything security-related during this time, please give us a call.