Many companies are operating in contingency mode because of the coronavirus pandemic with physical offices closed and the majority of employees working from home. For many companies, this is the first time they are enacting their Business Continuity Plan.

Companies are dealing with an uncertain economic outlook and many IT employees who are tasked with cybersecurity and compliance responsibilities are overwhelmed. They are challenged with keeping networks and servers up and running, as these alternative work arrangements have placed a strain on the IT infrastructure in unpredictable ways. And let’s not forget about managing personal matters like having children home from daycare or school.

This crisis has another group working extra hours: Hackers and fraudsters. COVID-related phishing is noticeably on the rise. Knowing that almost everyone is working from home has encouraged them. Many corporate networks are designed with a philosophy called “defense-in-depth,” whereby layers of protective technologies are put in place like firewalls, antivirus software, strong passwords, and other protective measures.

Depending on your network design, some protective mechanisms might only apply when employees are physically in the office. For example, some companies might be configured to use a domain name service (DNS) that blocks employees from inadvertently accessing known-malicious websites. But this service would only be adequate protection for an employee who was plugged into the network or connected to that network via VPN and using its DNS service.

Examples of Remote Working Phishing Vulnerabilities

There are many additional examples that demonstrate that when employees are working remotely, they are more vulnerable to phishing, among other attacks.

• A hacker targets remote workers with an email message purportedly from their HR department, warning of a positive COVID-19 test within the company. The email contains a malicious file attachment which executes ransomware on the victim's computer
• Cybercriminals impersonate the World Health Organization with an email attachment that purports to list preventative medicines
• Hackers pretend to be Netflix giving away free memberships to entertain people during the crisis
• Fraudsters appear to be officials from the U.S. government asking victims to provide their financial account information in order to receive a stimulus check

This activity might not surprise you if you have been following cybersecurity for the last decade. Still, the risks are heightened with so many people outside of the bounds of the traditional corporate network.

What can we do to address these risks of working from home?

There are several steps that companies can take to secure their employees as they work from home. The National Institute of Standards and Technology (NIST) distributed a publication (SP 800-117) which outlines these protective steps:

• Ensure a firewall or router is in place between the employee's network and the ISP's network (i.e., do not plug the computer directly into the ISP's cable modem)
• If using a wireless network, ensure modern encryption is being used. Look for WPA2 or WPA3
• Change default passwords. Some home office equipment, like routers, firewalls, and printers, come with passwords that are widely known and easily exploited. They should be changed during setup

Another significant risk presents itself when remote workers are using their computers to connect to corporate resources over a VPN, commonly known as a Bring Your Own Device (BYOD) scenario. BYOD PCs present an additional risk as these devices are not controlled or secured by your IT department. This allows for the possibility that the BYOD PC may not have up-to-date patches, functioning antivirus software, a secure password on its user accounts, as well as numerous other issues. Also, the computer might be shared with other family members who may be downloading potentially unwanted software, which may compromise its security.

The NIST guidelines recommend, at a minimum, the following settings and practices should be adopted for BYOD employees:

• Ensure the BYOD computers are set to automatically apply software updates, including operating systems, web browsers and productivity software, among others
• Antivirus software should be turned on and kept up-to-date
• The computer's firewall should be turned on
• Users should be logged in using non-administrator accounts
• Users should be using a complex, hard-to-guess password that is over 12 characters and includes upper-case and lower-case letters, and numbers
• To the greatest extent possible, limit the number of people using the computer

While no solution is foolproof, taking these protective measures can help to ensure that your organization is protected through this crisis.

For additional information, please contact a member of your DGC client service team or Nick DeLena, CISSP, CISA, CRISC at 781-937-5191 / ndelena@dgccpa.com. You can also visit our coronavirus web page at dgccpa.com/coronavirus which is frequently updated with new articles and checklists to help you deal with the impact of the coronavirus on you and your business.

If you would like to get alerts and insights like this sent directly to your inbox, sign up here.