Posted on April 2, 2020 - by Justin Gratto - in Trends in InfoSec
I write this as I sit in self-isolation, as our company has issued a strict policy of work from home. Many other people now find themselves in the same position, stuck working from the couch, kitchen tables, or rarely used desks at home.
But while staying home can help keep us safe from the coronavirus, we need to be increasingly aware of attempts to weaponize COVID-19 panic to attack companies and individuals. There are tons of scam texts, emails, or phone calls claiming to offer relief funds or government assistance. Or apps that claim to track coronavirus in your area. This makes our families, friends, employees, customers, and companies all more vulnerable to fraud, ransomware, and malicious attacks.
I want to share some of our insights about how we were able to quickly shift our company to remote work, as well as talk about a growing trend that is certain to put you and your business at risk during this time.
What devices do you have going home with employees? Where is your data stored and can you securely access it remotely? What assets do you need to protect to keep your business functional or restart it once operations open back up?
Knowing exactly what you have at all times, and who has possession of it, will make this work-from-home process so much easier for you from the get-go. When it comes time to issue a notice to send people home, you know what they have already, so they only need to sign for additional items such as monitors, keyboards and other peripherals.
We had employees who needed to take desks, chairs, or monitors home from the office so they could work efficiently. Being able to give out supplies to make our team comfortable while working from home makes a huge difference as we settle into a new routine. Especially since so many people are feeling additional tension and stress about the coronavirus.
Not all companies are cloud-based. Some are still operating and maintaining their own, on-premise infrastructure or contracting space in a data center to manage their own servers.
This poses some risks, like remote management of this infrastructure using weak credentials, deprecated or plain-text protocols, and encryption can occur. What we suggest is ensuring that an approved VPN is used for any employees accessing internal resources when implementing a work from home strategy. When planning a work from home strategy, consider the following questions:
If you currently do not have a remote work policy, we are offering a customizable remote work policy as a bonus to our free account offering available here. A remote work policy and procedures at a minimum should address the following:
Additionally, you may need to address the following:
Watch the recorded webinars now.
In late 2019, I released a blog titled Top 5 Security Trends in 2020… before the “black swan” event we’ll all remember later on as the COVID-19 Pandemic. This emerged in the first 3 months of 2020, with the outbreak of COVID-19 and the responses from WHO and national governments.
Scammers, malicious hackers, price gougers, and nation-state threat agents immediately started taking advantage of the attention to COVID-19 to profit from other people’s stress and anxiety about the virus.
We’re seeing increases in phishing campaigns and attacks as these malicious actors are increasingly using the COVID-19 virus as a hook in their text, email, and fraudulent phone call campaigns. The Internet is already drowning in COVID-19 related malware and phishing scams.
There’s a rise in malware that is introduced by applications claiming to track coronavirus or some similar functionality, which introduces some sort of malware or ransomware such as CovidLock. Zscaler recently released a CovidLock walkthrough to unlock an android device that has been affected by this ransomware. This ransomware is introduced by installing and granting permissions to an app called “Coronavirus Tracker.”
To address this trend and avoid being the victim of these tactics used by criminal profiteers, we’re advising friends, family, and customers of the following:
By now many companies have all or most of their employees working from home. We had an easier transition to remote work and I hope some of this information will help others who have a more challenging transition and will take longer to adjust to remote work.
Even before COVID-19 was in the picture, our company took appropriate steps to ensure security when we offered a flexible work from home policy for our employees. We initially implemented it because many people in our company have families. Kids get sick, dentist appointments happen, oil changes can’t be put off any longer, life happens. This openness with a flexible work-from-home policy and remote work readiness paid off tenfold for when we really needed it.
We were prepared to react and act accordingly because we had conversations about the possibility of worst-case scenarios, part of planning for our business continuity and disaster recovery. We knew what we would need for everyone to work from home successfully or what would happen if our CTO was suddenly unavailable.
In mid-March, we mobilized quickly, issuing workstation monitors, laptops, and peripherals. Each employee signed their equipment out from an asset signout sheet our CTO manifested from our asset inventory. We had the infrastructure for all our employees to work from home for months now. Our company is successfully into week three with all our employees working safely from home.
We’re now offering free webinars on business continuity and disaster recovery, remote work, and other information security topics. This is in addition to the free tools inside the Securicy platform that help with risk assessment, security awareness training, and creating plans for security and business continuity.
Join our free webinars and live Q&A sessions on disaster recovery, business continuity, information security, and remote work. Get answers to the top problems that you need to solve for your business now.