Employers are encouraged to continue implementing health and safety measures such as physical and social distancing, reducing travel, and implementing a work-from-home (WFH) setup for workers. Working from home or telecommuting is not a new concept. With the current situation causing heightened concern for employee well-being, we are now seeing more people working remotely from their homes.
Of course, WFH does have some drawbacks, such as technical challenges, particularly in the area of online security. While large companies have in-house security experts and policies to help ensure security remains top-notch, small and medium enterprises (SMEs) and their employees may need some help to safeguard their digital assets and information. With more businesses adopting the cloud, users have to be extra vigilant in protecting data and know what to do when faced with suspicious activity meant to steal their data.
Here are some steps to ensure that business-critical information is kept secure even while your employees are working from home:
Use a VPN
Requiring a Virtual Private Network (VPN) to access company resources is usually a good idea. While most enterprises already have a VPN for their employees, most SMEs, even those with cloud applications and resources, still need to secure their cloud resources behind a VPN. A VPN eliminates several attack vectors, for example a home gateway going rogue. SMEs should look for a VPN gateway that can be configured to enable SSL-VPN access to a Virtual Private Cloud (VPC) from Windows, Mac and Unix terminals (the computers employees use at home).
Use two-factor authentication (2FA)
To ensure really robust security, every online service login used by staff working from home should be secured with two-factor authentication (2FA). This protection should cover email, cloud storage, social media and any other online asset. Most people know 2FA as a passcode sent as a text message. Because SIM cards can be swapped and fall into the hands of a fraudster, who could then receive the text message authorisation, many services now offer a stronger version of 2FA. This is called a one-time password (OTP). OTP-enabled online services typically use a time-synchronised version of OTP, where a mobile app continuously generates OTP codes that need to be entered to log in to an online service. Overcoming mobile app-based OTP protection usually requires physical access to the device, which is impossible for fraudsters in most cases.
Run updates frequently
All home electronic devices should be kept on up-to-date firmware, and all security patches need to be applied quickly. Many IoT devices such as home cameras, routers and smart appliances present easy targets for hackers. Many inexpensive devices purchased several years ago no longer receive firmware updates, because their manufacturers have switched their resources to supporting newer releases. Such IoT devices should be discarded through a proper and responsible recycling method. Routers, in particular, present a serious potential threat, as hackers can control the traffic going through them and implement various strategies to attack home users. DNS hijacking, for example, redirects users attempting to go to banking websites to phishing destinations that look exactly like the attacked bank’s login page. Updated firmware, therefore, can significantly limit the success of such cybersecurity threats.
Be skeptical with every URL you click
Phishing in general has increased since everyone started staying at home. Users need to be extra careful when clicking on links in emails and social media messages. Without the option to approach the sender of the link in person to verify its authenticity, users may fall victim to fraudsters pretending that the email is coming from another employee. The fraudster may then ask for a wire transfer or ask users to open an attached invoice where the attachment is malware. This type of phishing is called “whaling phishing”. Hackers often trick users into downloading software with embedded malware. Crafty attacks can ask employees to download malware camouflaged as, or embedded in, teleconferencing software or a game. Users should therefore never run updates and downloads from links sent through emails or pop-ups, but instead download any updates or new installs from official locations or online app stores.
Protect your video conferences
With most team meetings now happening through video conferences, it is important to employ passwords to limit the conference to only the intended audience. This will protect businesses against fraudsters eavesdropping on corporate meetings. A passcode can be used for connecting from both a computer and a phone. It’s a minor inconvenience but a worthwhile one for ensuring the privacy of the team’s meeting.
When WFH becomes the new normal for many companies – including SMEs – it is important that users always stay cautious in the digital realm by doing the simple things: set up and update passwords on a regular basis, update firmware and always go to an official site for new installs. It is our responsibility to stay alert as we, large enterprises and SMEs, collectively adapt to the new normal in the post-pandemic world.