The Challenges of Securing Your Work-From-Home Staff
You dealt with the pandemic’s initial disorienting whirlwind. You re-invented your company’s ability to work from anywhere. You got devices to everyone, trained them up on the new tools and processes. Somehow you kept the network from falling over.
With the vaccine being rolled out, the light at the end of the tunnel is coming into view and it seems like now might be a good time to take a break. But before you do, make sure your work-from-home staff and their devices are really protected from cyberattack.
The new work-from-home situation is different from normal work-from-home
If your employees are working from home, chances are they are not the only ones working from home in their house. And if they have kids, chances are good they are also at home, attending school virtually at least some of the time as outbreaks cause schools to open and close.
This has led to 5 new unavoidable realities.
People are distracted
There are more people in the home vying for their attention. They might not have space for a dedicated distraction-free office. The familiar distractions of home surround them, and they have to do things they used to rely on others to do for them. In the office they could call IT to fix the printer while they grabbed a sandwich from the food court and got back to work. Now they have to fix their own printer and make their own sandwich. It adds up. All of this leads to a more fractured attention span, which can lead your employees to overlook what would have been obvious red flags if their full attention were on their work. A phishing email gets clicked on. A fraudulent wire transfer gets approved.
Your team is physically disconnected
Remote workers can’t pop their heads into your office to confirm something in person and you can’t drop by their office to confirm that things are OK. If I’m in the office and get an email from my co-worker saying she’s stuck somewhere and needs me to transfer $1000 to her, I can glance over at her desk and notice that she’s in fact sitting right there. In a virtual office I don’t have that feedback. I need a more formal process to make sure the payment request is legitimate.
Everyone is dealing with a higher volume of electronic communication
Home systems and devices
Some of your staff are using home systems including their own tablets and routers which might have vulnerabilities. Have you really done a security audit on all devices? You need another approach.
Limiting access to people in the office doesn’t work anymore
Strategies like IP-based permissions no longer work because each household has a different IP address, and more than likely it changes unpredictably. Pre-pandemic we disallowed anyone from outside our office’s IP range from even reaching the log-in page of our website. These days, that’s not feasible. We have to whitelist the IP address of every employee who needs access, and because their home IP addresses change periodically this creates more work for our support team. It would be tempting to turn off this protection or to whitelist blocks of IP addresses to lessen the number of requests. It could also be dangerous.
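To see why allowing whole blocks is riskier than per-employee entries, here is an added example (not part of the original article) that audits an allowlist for entries that admit more than one address or have not been re-confirmed recently. The entry format, owner names, thresholds and addresses are assumptions, and the addresses come from documentation ranges.

```python
import ipaddress
from datetime import date

# Constructed sample allowlist: (CIDR, owner, date last confirmed).
# Addresses are from documentation ranges (RFC 5737), not real employee IPs.
ALLOWLIST = [
    ("203.0.113.17/32", "alice", date(2021, 1, 4)),
    ("198.51.100.0/24", "bob", date(2021, 1, 5)),     # a whole block for one person
    ("192.0.2.44/32", "carol", date(2020, 9, 1)),     # home IP has probably changed since
    ("0.0.0.0/0", "temp-fix", date(2021, 1, 6)),      # protection effectively turned off
]

MAX_ADDRESSES = 1   # assumption: one address per employee entry
MAX_AGE_DAYS = 30   # assumption: home IPs are re-confirmed monthly

def audit(entries, today):
    """Return (cidr, owner, reason) for every entry that is too broad or stale."""
    findings = []
    for cidr, owner, confirmed in entries:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.num_addresses > MAX_ADDRESSES:
            findings.append((cidr, owner, f"admits {net.num_addresses} addresses"))
        age = (today - confirmed).days
        if age > MAX_AGE_DAYS:
            findings.append((cidr, owner, f"not confirmed for {age} days"))
    return findings

def is_allowed(client_ip, entries):
    """True if client_ip falls inside any allowlisted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c, _, _ in entries)

if __name__ == "__main__":
    for finding in audit(ALLOWLIST, date(2021, 1, 10)):
        print(finding)
    # A neighbour inside bob's /24 reaches the log-in page even without the /0 entry.
    print(is_allowed("198.51.100.200", ALLOWLIST[:3]))
```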
Here are three simple things you can do to protect yourself
1. Phishing education
Education and continuous security awareness training can improve your team’s ability to identify and avoid attacks. In fact, one of our phishing education partners has found that proper continuous training can reduce the likelihood of staff clicking on a phishing email by over 87%.
If you know what to look for, you can relegate a lot of these emails to the spam folder with one glance. For example, a lot of attacks are filled with typos. Some people think this is deliberate sloppiness that’s meant to filter out anybody who’s paying too much attention and is unlikely to fall for the next step of the scam. But the typos are often the scammer’s way of getting around spam filters. So instead of bitcoin they might type bizcoin or use domain names that look similar to the legitimate ones. Continuous training goes a long way to protecting your workers and your business.
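The same "close but not identical" test a trained reader applies by eye can be automated. This added example (not from the original article) uses edit distance to flag sender domains and subject words that sit one or two characters away from a known string; the trusted domains, watch words and sample messages are constructed assumptions.

```python
import re

TRUSTED_DOMAINS = {"example.com", "examplebank.com"}  # assumption: your real sender domains
WATCH_WORDS = {"bitcoin", "invoice", "password"}      # assumption: words filters already key on

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute or match
        prev = cur
    return prev[-1]

def near_miss(token, known, max_dist=1):
    """Return the known string that token imitates; None if exact match or unrelated."""
    token = token.lower()
    if token in known:
        return None
    for candidate in sorted(known):
        if edit_distance(token, candidate) <= max_dist:
            return candidate
    return None

def review(sender, subject):
    """List the lookalike findings for one message's sender address and subject line."""
    findings = []
    domain = sender.rsplit("@", 1)[-1].lower()
    hit = near_miss(domain, TRUSTED_DOMAINS, max_dist=2)
    if hit:
        findings.append(f"sender domain '{domain}' resembles '{hit}'")
    for word in re.findall(r"[a-z0-9]+", subject.lower()):
        hit = near_miss(word, WATCH_WORDS)
        if hit:
            findings.append(f"'{word}' resembles filtered word '{hit}'")
    return findings

if __name__ == "__main__":
    # Constructed sample messages.
    print(review("billing@examp1e.com", "Pay in bizcoin today"))
    print(review("rob@example.com", "Your invoice"))
```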
2. Multi-factor Authentication isn’t just for machines anymore
Turn multi-factor authentication (MFA) on. This means attackers would have to compromise more than one device or password to get control. If you’ve ever turned on two-factor authentication on Google, you know how this works. You enter your password into the login screen and instead of logging you into your account, they ask you for a second proof that you’re who you say you are. They will, for example, text a code to your phone. By entering that code into the login screen, you show that you know your password and you have control of your phone. Someone who only has your password, or only has your phone, won’t be able to get in. Also, if someone who has guessed your password tries to get into your account, you’ll get the login code texted to you, which can tip you off that there’s a problem.
You can use the same principle in your own office. If you get an email from a co-worker asking you to wire them some money, call them on the phone to confirm the request. If they leave you a voice message, confirm with a phone call. Basically, just double check with a live phone call where you can hear their voice and confirm their request.
Just like MFA, it doesn’t eliminate the risk, but it reduces it.
3. Talk to someone who sees a lot more attacks than you do
You see what happens to your network. We see what happens to the networks of all our clients. We can share ideas about what’s happening, what works, and what doesn’t. Give our president Rob a call and he can tell you what we’ve seen at companies like yours.
Give us a call at 416-483-8332 or email us here firstname.lastname@example.org.
Then take a break – you deserve it.