Many companies are operating in contingency mode because of the coronavirus pandemic with physical offices closed and the majority of employees working from home. For many companies, this is the first time they are enacting their Business Continuity Plan.
Companies are dealing with an uncertain economic outlook and many IT employees who are tasked with cybersecurity and compliance responsibilities are overwhelmed. They are challenged with keeping networks and servers up and running, as these alternative work arrangements have placed a strain on the IT infrastructure in unpredictable ways. And let’s not forget about managing personal matters like having children home from daycare or school.
This crisis has another group working extra hours: hackers and fraudsters. COVID-related phishing is noticeably on the rise, and the knowledge that almost everyone is working from home has encouraged them. Many corporate networks are designed with a philosophy called “defense-in-depth,” whereby layers of protective technologies such as firewalls, antivirus software, strong passwords, and other protective measures are put in place.
Depending on your network design, some protective mechanisms might only apply when employees are physically in the office. For example, some companies are configured to use a filtering Domain Name System (DNS) service that blocks employees from inadvertently reaching known-malicious websites. But this service only protects an employee who is plugged into the office network, or who is connected to that network via VPN and actually using its DNS service; a machine on a home network that resolves names through the home router or a public resolver gets no benefit from it.
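As an added illustration (not code from the original article), the check below reads an endpoint's resolver configuration and reports whether the corporate DNS filtering control described above is actually in effect; the corporate resolver addresses and the sample resolv.conf contents are constructed for the example.

```python
# Added example: is the corporate DNS blocklist actually protecting this endpoint?
# The resolver addresses below are constructed placeholders, not real infrastructure.
CORPORATE_FILTERING_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


def parse_nameservers(resolv_conf_text: str) -> list:
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        # '#' and ';' both start comments in resolv.conf
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def dns_filter_coverage(nameservers, corporate=CORPORATE_FILTERING_RESOLVERS) -> str:
    """Classify whether the DNS filtering control applies on this endpoint.

    'covered'   - every configured resolver is a corporate filtering resolver
    'partial'   - corporate and other resolvers are mixed; the OS may fall back
                  to the unfiltered one, so the control is unreliable
    'uncovered' - no corporate resolver is configured (typical of a home
                  network, or a split-tunnel VPN that does not push DNS)
    """
    if not nameservers:
        return "uncovered"
    filtered = [ns for ns in nameservers if ns in corporate]
    if len(filtered) == len(nameservers):
        return "covered"
    if filtered:
        return "partial"
    return "uncovered"


def check(resolv_conf_text: str) -> str:
    return dns_filter_coverage(parse_nameservers(resolv_conf_text))


# Constructed sample resolver configurations for three working situations.
IN_OFFICE = "search corp.example\nnameserver 10.0.0.53\nnameserver 10.0.1.53\n"
HOME_NO_VPN = "# generated by the home router\nnameserver 192.168.1.1\n"
SPLIT_TUNNEL = "nameserver 10.0.0.53\nnameserver 192.168.1.1  # router fallback\n"

if __name__ == "__main__":
    for name, text in [("office", IN_OFFICE), ("home", HOME_NO_VPN), ("split", SPLIT_TUNNEL)]:
        print(f"{name}: {check(text)}")
```

Running the same check from an endpoint-management agent, rather than by hand, turns this coverage gap into something that can be inventoried across the remote fleet.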
Examples of Remote Working Phishing Vulnerabilities
There are many additional examples that demonstrate that when employees are working remotely, they are more vulnerable to phishing, among other attacks.
This activity might not surprise you if you have been following cybersecurity for the last decade. Still, the risks are heightened with so many people outside of the bounds of the traditional corporate network.
What can we do to address these risks of working from home?
There are several steps that companies can take to secure their employees as they work from home. The National Institute of Standards and Technology (NIST) has published a document (SP 800-117) that outlines these protective steps:
Another significant risk presents itself when remote workers use their own personal computers to connect to corporate resources over a VPN, commonly known as a Bring Your Own Device (BYOD) scenario. BYOD PCs present an additional risk because these devices are not controlled or secured by your IT department. The BYOD PC may therefore lack up-to-date patches, functioning antivirus software, or secure passwords on its user accounts, among numerous other issues. The computer might also be shared with other family members who download potentially unwanted software, which may compromise its security.
The NIST guidelines recommend that, at a minimum, the following settings and practices be adopted for BYOD employees:
While no solution is foolproof, taking these protective measures can help to ensure that your organization is protected through this crisis.
For additional information, please contact a member of your DGC client service team or Nick DeLena, CISSP, CISA, CRISC at 781-937-5191 / firstname.lastname@example.org. You can also visit our coronavirus web page at dgccpa.com/coronavirus which is frequently updated with new articles and checklists to help you deal with the impact of the coronavirus on you and your business.