
October 2020 - 9 Ways Your Data is at Risk by Remote Workers and How to Protect Your Business

Published on October 1, 2020

Kingston’s businesses have excelled at adapting to the challenges brought on by the sudden lockdown due to the COVID-19 pandemic. Many responded by transitioning employees to work from home. Some businesses found the model of having remote workers beneficial and plan to continue to utilize this method in the future. Additionally, if a second wave hits Kingston, many businesses may need to continue these measures in the future. Either way, the concept of remote workers is not going away and businesses need to be aware of how to protect their networks.

Consider the following case: in mid-September it was reported that a hacker stole $7.5 million from the endowment funds of The Jewish Federation of Greater Washington, a non-profit from Maryland, USA. How did the criminals steal the millions? They compromised the personal computer of an employee who was working remotely. Preliminary information shows the hacker had access to the system long before stealing the money, as early as the first months of summer. The charity is working with experts in hopes of recovering the funds through their cyber insurance.

Highlighting the tragedy of this incident, CEO Gil Preuss pointed out “what the hacking has done is steal a month during a pandemic when the federation had to use its energies and work hours to respond to the theft as opposed to doing our work, which is why we’re here.” The federation’s focus is on distributing cash assistance to people struggling to afford rent and working with organizations that have been particularly challenged by the pandemic.

This security breach is not rare. Cyber criminals are directly targeting remote workers because it is easier to get into a personal computer than a business network. How can businesses protect themselves?

9 Lines of Defence to Protect Remote Workers

1. Provide Hardware. If at all possible, do not allow employees to use their personal computers for work. Many companies provide a work computer that has all the same protections as a computer kept at the workplace. If your company has the resources, now is the time to order and set up these computers. Many were disappointed during stage 1 of the lockdown when they were unable to order hardware due to an extreme shortage.

Using a personal computer for work is also complicated because it is important not to mix work and leisure activities on the same device: anything running on the machine could be an access point for hackers. For example, Steam games are notorious for having security holes. If a hacker uses one of these holes to gain access to a computer, they have access to everything on that computer, including work files and, if a VPN is active, your work network.

2. Security Updates on all Software. Updates help patch security vulnerabilities and protect your data. Note that if a personal computer is used, every program and tool the user has installed on their device will need to be updated. Your IT support must be aware of all programs installed on the device.

3. Next-Gen Antivirus. Good antivirus software can detect and block known malware as well as suspicious activity that may indicate a brand new strain of malware.

4. Install a Firewall. This creates a barrier between computers and the Internet by closing ports to communication and blocking malicious traffic.

5. MFA. Multi-Factor Authentication adds an additional layer of security to your devices by requiring two different factors to unlock them. This makes it very difficult for a hacker to impersonate you or one of your employees.

6. Use Strong Passwords. Passwords should be unique for every account and should include a long string of upper and lower case letters, numbers, and special characters. It’s difficult to remember all these passwords, which is why a password manager is such an important tool to employ.

7. Employee Cyber Security Awareness Training. Helps your employees identify security red flags such as:

  • How to spot phishing emails and calls
  • Password best practices
  • How to detect suspicious links, ads and websites
  • Malicious software hidden in links, attachments or online ads
  • Acceptable use policies for Internet and social media use

Cyber security training is continuous (semi-annually or quarterly) to keep it top of mind and to keep up with changing threats. Remember that all it takes is one employee clicking on a bad link to bring your network down, so allocating resources to training is money and time very well spent.

8. Use a VPN. A virtual private network is like a direct and secure tunnel between remote employees’ computers and your network. This allows employees access to all work files and programs just as if they were at the business’s location. Caution is required because if a remote device that has access through a VPN is compromised, your business’s data is also compromised. So all devices allowed to access your network through a VPN must be completely secure. Consider restricting access to sensitive systems where it makes sense. For example, if an employee is in marketing, restrict their access to any accounting data. This way if a breach does occur, the hacker is limited in what data he or she can access.

9. Secure your Router and WiFi Connections. If your network is not secure, it is possible for hackers to intercept your traffic, including passwords and remote access to corporate documentation and emails. Ensure your home WiFi and router passwords are not the default passwords. Use a strong and unique password that others cannot guess. Try to avoid working on public WiFi networks such as coffee shops, as these publicly available networks are easier for cybercriminals to get into. Ensure your router’s software is updated for protection against security vulnerabilities.

Having many employees working from home introduces multiple devices, which widens your organization’s attack surface for cybercriminals. This creates a challenge for your business’s IT support to provide good support and security. Protecting your data takes patience, planning and the cooperation of your employees, IT support and management. For additional assistance, please email us at helpdesk@allcareit.com.