We are coming upon the 6-month mark for working from home (WFH). I thought it would be a good time to discuss the need for continual reinforcement of cybersecurity best practices with your employees.
I’ve found that this continual reinforcement helps to keep security in the forefront. It also builds a culture of security. Namely, that security is critical to enabling your company to achieve its business objectives. More importantly, that all employees have a critical role to play in securing your networks, your sensitive information, and your brand. This is especially important now as employees are getting more comfortable with working from home. It is easy for them to pick up some bad habits and this is exactly what cyber criminals are hoping for.
Below are some best practices I recently shared with my employees at Fidelis Cybersecurity. I provide these to you as a strawman for crafting your own corporate security best practices messaging for your work from home employees.
How are your cyber adversaries taking advantage of work from home employees?
The Fidelis Threat Research Team (TRT) tracks attack trends and emerging threats. Over the past 6 months, they’ve seen a significant shift towards attacks involving Virtual Private Networks (VPNs), laptops and mobile devices, web-browsers, home networking gear, and the cloud-based applications and services being used by work from home employees.
Furthermore, phishing and social engineering attacks continue to be the go-to technique for attackers to gain initial access into corporate systems. Once they have gained access, attackers are taking control of the corporate network. They’re stealing your company’s sensitive data and encrypting systems. They’re also extorting huge sums of money from companies through ransomware campaigns.
What should your work from home employees do to be cyber safe (a reinforcing message to employees)?
Working from home has become our “new normal.” However, it comes with additional security risks to our information systems, our sensitive information and our brand. We all need to remain vigilant against these threats. Here are some cyber safety tips and tricks you can take to keep you, your family and your company from becoming the victim of a cyber-attack.
- Use hard-to-guess passwords for your company accounts. Your corporate account password is used to access multiple company services. This includes your email, cloud storage, and corporate networks via a VPN. This provides access to sensitive information. To make your password hard to guess, it must have a minimum of 8 characters. It also must use 2 or more of the following: uppercase letters, lowercase letters, numbers and special characters.
- Use different passwords for different accounts. Your corporate account password must be different than passwords used for your personal accounts. Personal accounts and their passwords are regularly compromised through data breaches. Attackers will try those personal account passwords against your corporate account.
- Secure your home network. This is especially important now that we are all working from home. We are using our home networks to access our corporate networks.
- Change the default passwords on all your home network devices. This includes routers, Wi-Fi access points, security cameras, game consoles, internet connected appliances and more. Most consumer products are sold with a default password set by the manufacturer. So the default password will be the first one tried by an attacker. Change these default passwords to a hard to guess password.
- Update the firmware on all home network devices. Attacks against home networking devices are constantly evolving. Vendors make updates available on their websites to mitigate those attacks. Visit the vendor’s website for your devices to download and install the latest software and firmware.
- Stay vigilant against phishing attacks and other scams.
- Be wary of phone calls requesting confidential information. As we are all working remotely, it’s easy for an unauthorized person to call and pretend to be your company’s employee or business partner. If an employee calls you and you are unsure if it is legitimate, hang up and contact them using [your company’s internal messaging platform or some other form of authenticated communications].
- Don’t click on links in an e-mail from an unknown or untrusted source. Cyber attackers often use authentic looking links to trick you into visiting malicious sites. This can result in downloading malware that can be used to steal data and damage networks.
- Don’t open e-mail attachments from an unknown or untrusted source. Cyber criminals can embed a malicious executable in an attachment that is launched when you open the attachment.
- If anything about an e-mail looks “phishy”, forward the message to [your company’s security team].
- Do not delete or disable the security software installed on your company laptop – Laptops are provided to you with [xxx cyber security software, your VPN client, and Anti-virus software] pre-installed. This software is critical to protecting your laptop from the latest threats. This also protects the sensitive company information stored on your laptop. Be sure to restart your computer when prompted to allow the latest software updates to be installed on your computer.
- Use your corporate cloud storage service to maintain copies of your work documents and files – This ensures that your critical data is backed up and enables [your company’s security team] to maintain a centralized corporate record of all the critical data.
- Do not install unauthorized software on your work computer – Malicious applications often pose as legitimate software.
CISOs – what should you do next?
At Fidelis Cybersecurity, we are proud to be protecting the sensitive information of Fortune 500 clients, DoD and civilian government agencies and beyond. The COVID-19 pandemic has created an unprecedented time for increased cyberattacks. It is imperative that your security team be well-prepared for these threats and that every employee at your company be cyber safe. If you have any questions or want to learn more about how Fidelis detects, hunts and responds to your most advanced threats, contact us.