A work-from-home office; 100 assorted technology cables not shown. Photo by Kate Hayden
As the COVID-19 coronavirus pandemic sweeps the globe, a day at the office for many in Iowa looks a lot different this week.
It’s too early to know how many organizations have shifted their workforce to a work-from-home strategy. But as employers make as many positions remote as they can, cybersecurity experts say the dining room table at home deserves special scrutiny by IT staff.
“Working from home does not provide the same protections as working at the office,” said Aaron Warner, CEO of ProCircular Cybersecurity, based in Coralville. “It’s really kind of undiscovered country. I don’t know that this volume of people has ever in the history of the world worked from home, certainly not with such dependence on the internet.
“The greatest risk is for smaller organizations. … The people I think most about are that real estate company or that accounting firm that has to now figure out how to dial in remotely and don’t have those IT resources,” added Warner, whose staff is working remotely. “Those are the folks that are going to suffer most as the sharks start circling in the water, and we’ve already seen indications of that.”
Clients of security firms seem to be aware of the heightened risk.
A webinar hosted by ProCircular on safely configuring remote work offices attracted 50 participants less than 24 hours after it was announced, Warner said. ProCircular clients are moving up schedules to have technical assessments such as a penetration test done earlier. “They want to know before the hackers do what vulnerabilities they may have,” Warner said.
In Ankeny, Pratum has been helping clients build or revise remote work policies as they adapt to having part of their workforce working from home.
“You’re opening up additional threats and opportunities for hackers to get into things,” said Megan Howard, director of security service at Pratum. “Hopefully employees are using company-owned devices that the company can make sure you’re staying up to date and have anti-malware running vulnerability scans.”
Employees who are working from personal devices may not have kept security patches up to date, and keeping them current is a critical practice for keeping networks secure, Howard said. Residential Wi-Fi networks with internet-of-things (IoT) devices typically aren’t sectioned off, which could put company devices on the same network as a vulnerable IoT baby monitor or coffee machine.
“If [hackers] can find a way in using an IoT device, then they can spread how they want throughout that network to get to other devices,” Howard said, which puts business devices at risk.
Companies should be prepared to offer virtual private networks (VPNs) to employees on company devices, and may have to offer multiple VPNs, depending on the size of the workforce.
Phishing scams have also adapted to isolated employees, sending emails that purportedly link to breaking COVID-19 news or “company” announcements. That worries Howard.
“They know when you’re working from home, you’re just more relaxed, right? You’re not always in that work mindset,” Howard said. “People are more vulnerable and more likely to click on phishing links when they’re working from home. … Luckily, we haven’t seen any incidents with our clients, but I think that we will. We’ll certainly see that there will be more phishing attacks.”
If a phishing attack is successful, that leaves the company to respond to a cyber incident remotely — without immediate access to the employee’s device. Employees need to be educated and supported to report a phishing attack or other cyber incident immediately. Organizations should have named members of an incident response team and a plan of how members would reach each other and take steps as soon as possible to manage an attack, Howard said.
“Some of the things we’ve preached quite a bit is not to instill fear into your employees, but let them know they’re helping the organization by reporting any suspicious activity. … Be safe and let the IT department know so they can get an investigation underway,” Howard said.
As the outbreak continues, Warner will keep an eye on his staff for signs of burnout.
“It’s very easy for us to work in cybersecurity pretty much nonstop. … It can be really easy for me to work 18-hour days,” he said. “I’m really trying to encourage people to get up and take a walk and get outside. It’s an intense time, and I think being mindful of your own health is important.”
A Remote Worker Basic Toolkit
- Multifactor authentication, especially for employee email accounts.
- A secure remote access tool. Warner does not recommend using the Remote Desktop Protocol found pre-installed on Windows devices. “There are plenty of other methods. … It should never be open to the internet.” Warner recommends LogMeIn.
- A virtual private network (VPN).
- Update security patches on the device as they are released, whether the employee is using a company-owned device or a personal device for work.