Securing the remote workforce during COVID-19 and beyond [Q&A]
The COVID-19 global pandemic has created a cybercrime playground. From phishing scams to ransomware to social media attacks, COVID-19-focused malware campaigns are on the rise. In fact, according to research from Zscaler, there's been a 30,000 percent increase in coronavirus-related attacks.
We talked with Mike Kelley, CSO at Navisite, to discuss why the current crisis is causing such a dramatic spike in cybersecurity activity, as well as ways organizations can secure their remote workforce and protect their organization from cyberthreats both now and after the COVID-19 pandemic comes to an end.
BN: Why is COVID-19 creating such an opportunity for cybercriminals?
MK: The reason is two-fold. First, cybercriminals have a long history of exploiting tragedies, natural disasters and other global and national crises, and we’re seeing history repeat itself now. They're preying on people's emotions at a time when cybersecurity is taking a back seat to fear, uncertainty and panic. As a result, we’re seeing an unprecedented volume and variety of coronavirus-themed malware campaigns.
Secondly, COVID-19-prompted shelter-in-place orders across the nation forced all 'non-essential' businesses to transition to a remote workforce practically overnight, which has saddled IT teams with a new set of security challenges. Many companies were not ready to provide secure remote access to all of their employees, but needed to get them online to keep the business running. And cybercriminals are taking advantage of weak security practices by targeting these new remote employees.
Even as restrictions begin to lift, many businesses may only be bringing a subset of employees back to the office, with the rest continuing to work remotely. Additionally, many organizations that implemented work-from-home policies due to shelter-in-place mandates have seen incredible business benefits, so they may decide to make their work-from-home programs permanent. The bottom line is that the remote workforce isn't going away -- it's only going to grow -- and organizations need to take the right steps now to properly secure their remote work programs.
BN: What do you think is the most common type of attack that employees need to watch out for?
MK: Phishing attacks. Users are the weakest link in every security program, which is why employee awareness, education and training on phishing campaigns is one of the most effective things an organization can do to secure its remote workforce.
One initiative that business owners and IT teams can implement right away is issuing a series of COVID-19-focused communications that focus on three distinct areas:
- Letting employees know where they can find the latest corporate updates related to the changing COVID-19 situation, such as an intranet site, so they aren't fooled by an attacker pretending to be from their organization.
- Informing employees of the best national and local sites covering the COVID-19 pandemic, which will reduce the likelihood of a remote employee going to a malicious site that appeared in a Google search.
- Providing workers with examples of phishing attacks, so they know what to look for, what to avoid, and how to react if they are the victim of an attack.
Longer-term, we recommend implementing formal cybersecurity training programs that incorporate phishing tests and simulations. Even if the training sessions take place virtually, employees will get a combination of knowledge and first-hand experience, which will help them remain confident in the face of a real attack.
BN: Many remote workers aren't security savvy. What are some basic security tips that you can share to help them enhance their security practices?
MK: Home networks often lack enterprise-grade security features. So, another effective way to reduce risk is to provide employees with strategies for securing their home networks. For example, ensuring wireless routers are password protected, configured for automatic software updates and, at a minimum, using WPA2 encryption. This is a great topic to incorporate into COVID-19 communications campaigns and security training sessions.
BN: Is the influx of employees' personal devices causing organizations' attack surfaces to explode?
MK: Absolutely. Because of the expanding attack surface, it's equally important to secure employees’ personal devices as it is to safeguard their home networks. And this is where endpoint protection strategies come in.
There are a few things that IT teams should consider when it comes to securing endpoint devices. First, when possible, IT teams should increase capacity on existing devices with security controls in place rather than adding new (unsecure) devices to the network. It’s also important to ensure end user devices are:
- Equipped with the proper security software, such as antivirus and antimalware solutions. IT teams should also confirm that the software is fully installed and up-to-date.
- Running the latest updates for their operating systems, browsers, applications, etc.
- Actively and aggressively monitored with remote access tools.
BN: Any other tips you can share for securing the remote workforce?
MK: One other critical area in the battle to secure the remote workforce is balancing security requirements with business demands. The COVID-19-prompted work-from-home movement might not have been a big change for companies that already offered telecommuting programs, but many businesses weren't prepared to have their entire staff suddenly at home and demanding access to corporate resources from personal devices.
It's easy to understand why business leaders are pushing to get users up and running quickly -- even a small amount of downtime can disrupt the bottom line. However, IT security teams need to hold their ground when it comes to granting user access. No matter how urgent the request, the appropriate security controls must be in place before users are given access to corporate networks and resources. A data breach from just one user can end up costing a company more money and customers than temporary downtime.
Balancing business and security requirements can be a challenge, but it's an area that must be mastered as work-from-home programs become more commonplace and permanent. And, by combining appropriate user access controls with employee education, network security and endpoint protection strategies, businesses will be well on their way to securing their remote workforce during the COVID-19 pandemic and beyond.