With so many employees now working remotely, businesses must move quickly to stave off cyber threats.
Written by Jackie Snow for https://garage.hp.com/, originally published on April 3, 2020.
During this global pandemic, companies are rightly considering the health and safety of their employees first by sending them home to work. But these measures could amplify another threat businesses need to be wary of: cybersecurity.
According to a recent HP survey, 74% of employees are currently working from home, many without a dedicated office space or the cybersecurity defences that protect them while they’re in the office. Since it’s unclear how long mandatory work-from-home measures will be required, employers need to put best practices in place now to keep employees and their work safe.
“It’s easier to secure everyone when they’re all sitting in the same office,” says Michael Howard, HP’s chief security consultant for print. “But when you start looking at everyone working from home — the complexity of keeping everybody secure becomes much more difficult.”
Even before the coronavirus, more than a third of CIOs said they felt the biggest security threat to their business was employees who don’t take the proper security measures. And security is not just an issue for large enterprises — according to a 2019 report from Verizon, 43% of data breaches target small- and medium-sized businesses. Working from home without an IT department, with the added stresses of trying to wrangle kids also off from school and stay healthy during a pandemic, is only making it harder to maintain the best digital security practices.
“We know workers that work from home tend to be more lax about security,” says Howard, who’s heading up HP’s companywide security outreach to support customers working from home. “That’s an even bigger concern in this environment.”
Here are some of the best ways to mitigate the most significant threats that come with remote work.
Reinforce digital and behavioral defences
Working from home means using personal Wi-Fi, which is not as secure as being on the network in an office. Gagan Singh, VP of strategy and innovation for HP’s commercial PCs, says that companies need to invest in virtual machines that can be segmented to ensure the whole network isn’t infected if something does happen to one remote computer. Next-generation antivirus software also provides protection, especially because an administrator can manage it remotely and keep it up to date, which matters when employees might be tempted to disable the software if it slows down their workflow.
There are also basic best practices that employees can follow to protect business data. These include never saving or downloading the organisation’s information to personal devices and being proactive about passwords. A few suggestions: not using work passwords for personal devices (and vice versa), changing passwords immediately if there is even a hint they were compromised, and adjusting settings so that the “remember password” functions are turned off when logging on from personal devices. While it would be ideal for technology to help automate some of this, many software makers are scrambling to update their systems for remote workers.
Most enterprise businesses already have a cybersecurity governance code in place, which includes an information security policy and other policies that outline security guidelines for remote work and remote access to a company’s information systems. This document needs to be checked to see if it’s up to date and adequately detailed to guide employees to best practices.
“Managers should be very familiar with what the guidelines are, and be talking with their teams about it regularly,” Howard says.
Be hypervigilant about external threats
According to research from security software firm Trend Micro, 91% of cyberattacks begin with a phishing email, in which an intriguing subject line or familiar-seeming sender lures someone into providing sensitive data or downloading malware. Without the layers of protection put in by an IT department to catch many of these attempts, employees are more exposed to these threats than usual. Companies need to reinforce the need to be wary, including the ways scammers try to manipulate people, and keep remote workers up to date with the type of attacks to be on the lookout for.
“Employers should make their remote employees aware of a sophisticated, planned strategy of hacking known as social engineering,” says Laura Spawn, the CEO of Virtual Vocation, a company that connects people wanting to work from home to remote jobs. “These attackers may send phishing emails to employees to gather confidential information and often do extensive research about a company before attempting to penetrate their system.”
To make matters worse, criminals are using our fear of coronavirus against us: cyberthreat researchers at Barracuda Networks saw a 667% increase in malicious phishing emails that claimed to be about ways to protect yourself from coronavirus, a lure to trick people into opening them.
“It’s a good idea to ensure sensitive data is encrypted during transmission, processing, and while it’s sitting on your home network,” Howard says. “At the very least, you have to remind and train employees that scammers are perpetually on the prowl, and they’re taking advantage of what’s happening now.”
It’s not just phishing attempts in people’s inboxes. According to Singh, there has been at least a doubling in ransomware attacks in the last few weeks. These attacks, in which criminals lock up important data and demand payment for its release, were projected to cost $8 billion in 2019. Those emails and texts also prey on fear, offering attachments with titles like, “How to protect yourself from coronavirus.”
“It’s very likely you will click on it,” Singh says. “We are doing 100% of work and 100% of life simultaneously, and that just exposes us to a lot more threats.”
Harden up home hardware
In the rush to social distance, many people went remote without work computers and had to rely on whatever setup they had at home. This creates potentially serious security risks, since consumer products aren’t always up to the level of enterprise hardware used in the workplace.
“The organization has no control over those computers,” says Michael Hamilton, founder and CISO of digital security firm CI Security. “You have to constantly message your employees that you are a target and have to be extra careful.”
If possible, Hamilton says employees shouldn’t use the same computer for remote work that they use for leisure or other home computing. For businesses that are able to, and for those with employees working on highly sensitive information, Singh suggests companies consider buying a work-only computer for employees, separating these two use cases as a way to minimize risks.
“I recommend that every business challenge their suppliers and vendors to ensure all their software and hardware can be implemented in a secure way,” Howard says. “It’s more critical than ever that every endpoint purchase decision should be a security decision.”
Besides computers, remote workers need to take a careful look at the rest of the home hardware they are using. For example, employees should lock down their routers with unique passwords since hackers attack routers constantly.
“It’s very easy to get into your PC through your router,” Singh says. “When you get infected at work, the IT department takes your PC off the grid so you can’t infect others, but when you get infected at home, the chance for you to be the host that takes the entire company down is very high.”
Remote workers should also consider putting any connected devices like smart thermostats or voice assistants on a separate wireless network and creating a dedicated one for their work computer if their home router supports it. Printers, which are connected to the internet but often overlooked, should also go on the separate network since they are regularly targeted in hacks. If employees need to keep a printer online at home, they need to make sure the device has up-to-date firmware and any patches the manufacturer has released to keep it secure.
Deflect attacks with software solutions
The next best thing to a secure office is a virtual private network, or a VPN. Hamilton suggests companies provide VPN access so users can connect to work networks to send and receive files, data, and applications from anywhere, securely.
Another way to protect data on a computer is with virtual “containers” that can isolate any potential malware and keep it off of a computer. HP is offering its version of the technology called HP Sure Click Pro, a tool that helps protect from web, email, and document-based security threats, free of charge through September 30 for HP and non-HP Windows 10 PC users. Even for HP Sure Click users, the pro version will enhance the experience with additional features, such as editing Word and Excel documents within an isolated container.
Another software service that many companies need to consider will be remote monitoring, in which a security team keeps track of threats and shuts them down. In a time when many companies are seeing a drop in business, it might seem like a steep expense, but not spending the money now could lead to an even costlier mistake.
“You can do everything to protect yourself, but [attacks] are going to happen, and you have to be able to detect and respond,” Hamilton says. “If you get a bad piece of malware right now, you’re done.”
IT workers might need extra check-ins to confirm they aren’t overwhelmed as they work to protect a suddenly dispersed workforce while potentially working from home themselves.
“Pushing everyone remote essentially overnight and then having to maintain security is a huge challenge, and companies need to continue to praise them and give them the tools that they need,” Howard says. “They are all heroes.”