The United States Office of Personnel Managementlast week urged agencies to prepare to allow federal employees totelework — that is, work remotely.This came on the heels of the Department of Homeland Security closing its facilities in Washington state, after learning an employee had visited the Life Care facility in the city of Kirkland, which is ground zero forthe state’s COVID-19 outbreak.
Federal employees were told to self-quarantine for two weeks, and theDHS building is being disinfected.
It isn’t just the federal government that is allowing employees totelework or telecommute. Seattle companies including Amazon,Google, Facebook and others are trying to keep workers safe by lettingthem do their jobs from home.
Coronavirus fears have shut down schools and businesses in theEvergreen State, and public health officials in King Countylast week recommended allowing employees in the region to stay home.
Across the country firms already have started allowing employees to work remotely or are considering doing so. Similar measures to those in Washington are beingconsidered in New York and other states. The question is whether these steps are really necessary and whether they could present other serious problems.
“Move your operations out to home offices on the fly. What could gowrong, besides everything?” quipped Jim Purtilo, associate professor inthe computer science department at the University of Maryland.
“Shops that might be careful about security practices at the officewill find their assurances go out the window once some sudden decisionflips activity out into the wild,” he told TechNewsWorld.
“The risks — including insecure WiFi connections; open printer ports;browsers with all manner of unvetted plug-ins, trackers or socialmedia feeds; document shares on unprotected cloud folders; and more –will give us fits,” Purtilo added.
This week TechNewsWorld spoke with numerous cybersecurity experts toget tips on how to stay safe while staying healthy.
Understanding the Most Basic Risks
Before a company sends its workers home, it needs to weigh the risks.This isn’t to say that coronavirus and the COVID-19 disease shouldn’tbe taken seriously, but just as health concerns must be addressed,so too should cybersecurity risks.
“First, there will be a lot of scams being run under cover of healthand medical issues. Hackers never let a good crisis go to waste, andthis is a biggie,” warned Colin Bastable, CEO of security awarenesstraining company Lucy Security.
The danger is that those who are out of the office might feel morecomfortable than in the office in every way. This isn’t just about wardrobe choices — it’s about the focus that is necessary to work remotely.
“People working from home get easily distracted, especially if theyare normally used to working in the office, and they will mix workwith personal email and Web browsing,” Bastable told TechNewsWorld.
“This increases the risks that they can introduce to their employersand colleagues by clicking on malware links — and over 90 percent ofattacks are delivered by email,” he added. “With disrupted managementcommunications and fewer opportunities to check with the CEO and CFO,expect remote workers to fall victim to these attacks too.”
More Than the Coronavirus
One of the great dangers is that the focus is so heavily on thecoronavirus that computer viruses and other malware are beingoverlooked by employers, IT staff and remote workers.However, one group that surely isn’t forgetting about computer virusesis comprised of the bad actors who are taking advantage of this time of chaos.
They are spreading misinformation online through spoofed emails and social media.If pandemic-related news or advice isn’t coming from the World Health Organization (WHO), Centers for Disease Control and Prevention (CDC) or other reputable medicalsources don’t believe it. More importantly, don’t click on questionable links onsocial media, email, forums or elsewhere. Go directly to WHO and CDC sites for the facts.
“Antivirus and antimalware — endpoint security protocols — should beupdated at least daily. Most can be configured to check for updateshourly, and this can help mitigate risks,” Lou Morentin, VP ofcompliance and risk management for Cerberus Sentinel, told TechNewsWorld.
If working from home is a break from the norm, IT staffs should prepare workers, educating them about the risks.
“The initial thing is to ensure that workforces have the equipmentrequired for working at home, such as laptops, voice and videoconferencing, as well as secure networking and access,” noted MarcGaffan, CEO of cybersecurity firm Hysolate.
“Secure workstations and access are the primary element of such aprogram,” he told TechNewsWorld.
Don’t Be the Low-Hanging Fruit
It is unfortunately during the worst of times that the worst types ofcyberattacks can occur. Hackers, cybercriminals and even roguestates are more likely to strike a confused, worried and concerned populace.
“In general, attackers are looking for a vulnerability to delivertheir attack,” explained Chris Rothe, chief product officer of cyber research firm Red Canary.
“In this case, people’s fear over the virus is the vulnerabilityattackers will look to capitalize on,” he told TechNewsWorld.
“If an individual is concerned or stressed about the virus they areless likely to remember their security training and will be morelikely to, for example, click a link in a phishing email or give theircredentials to a malicious website,” Rothe added.
Working from home or remotely therefore should require a greater levelof security.
“Single sign on and multi-factor authentication are criticaltechnologies for the remote workforce, as well as minimizing risk forthe business,” noted Stealthbits Vice President Ralph Martino.
“These together allow the remote workforce to connect to businessapplications in the cloud using one password. This provides greatersecurity and compliance for the enabling the remote workforce,”he told TechNewsWorld.
Users are typically the weakest link in every security program.
“That weakness gets amplified by a situation like the coronavirus.Business leaders should make a point to remind their employees oftheir security training and call out the fact that attackers will usecoronavirus as an opportunity,” warned Red Canary’s Rothe.
The New Normal
Many individuals already work from home on a regular, or at leastsemi-regular basis. The present security issues concern the surge in the number of employees who usually don’t.
However, remote working could become the new normal — not justbecause of COVID-19, but for a plethora of other reasons, includingimproved productivity, smaller offices, and companies’ efforts tolessen their carbon footprint by reducing employee commutes.
However, during times of crisis it’s possible that too many people may be working away from the office at once. That can tax IT departments in unexpected ways. Workers will need to learn how to function as their own IT staff to solve many cyber-related issues.
“We’re definitely seeing this ramp up with the current COVID-19situation,” said Gil Kirkpatrick, chief architect at Semperis.
“People working from home can expect time outs, network outages, andhitting license caps — which can slow productivity and impact jobperformance,” said Josh Bohls, CEO of Inkscreen.
“Many employees won’t be working from corporate networks and known,managed applications, and instead will be moving to ‘Shadow IT’applications,” he told TechNewsWorld. “They may be using their mobile phones to scan and capture documents and mixed media content with little or noorganizational governance.
Mobile phones aren’t exactly built for security, cautioned Bohls.
“Also, more employees are going to be tempted to download non-securedand potentially malware-laden apps,” he pointed out.
“Fortunately, tech has evolved over the last 20 years to specificallysupport remote workers, and recent breaches are driving IT andsecurity teams to mandate that employees use apps that enable theorganization to protect, manage, and control business contentcollected on mobile,” said Bohls.
“While employers are encouraging staff to stayhealthy, they must also encourage them to stay safe online,” Semperis’ Kirkpatrick told TechNewsWorld.
“Home routers are notoriously insecure, and they usually have securitybugs that need to be patched by flashing the ROM, which most peopledon’t do,” he noted.
“Remote workers should use their work computer, not their homecomputer, along with corporate authorized and managed devices wheneverpossible,” said Kirkpatrick.
“If you have to use your home computer,update A/V software and make sure its actually running. Don’t savefiles on your home machine. Save them in the corporateDropbox/OneDrive/etc. — and use your work email, never personal,” he advised. “Thoseare some best practices to keep a remote workforce humming alongsecurely.”