Is Your Staff Working from Home? Alas, So Are the Fraudsters

By Karla Jo Helms

As soon as there was a cyberworld, there came the cybercriminals. Their strategies may differ, but the goals are usually to steal information or encrypt devices for ransom. The COVID-19 crisis has done nothing to slow the frequency of these attacks. In fact, they are on a sharp rise—and with a large portion of the workforce’s attention divided between job duties, children, financial management and household needs, these bad actors are trying even harder to exploit the situation. But there’s good news, too. While the attacks may be increasing in number and variety, IT professionals are becoming more diligent than ever in educating themselves as well as their leadership and coworkers on what to look out for and what to do if they suspect they are the victim of a cyberattack. And while cybercriminals may be clever with their attempts to exploit weaknesses in your security, remember they are not doing it for the challenge. They are after data, money and other valuable assets. So, let’s make it as difficult as possible for them to do so.

I’ve outlined five practical steps you can take to help your employees identify and thwart cyberattacks:

  1. KNOW WHERE YOU MAY BE ATTACKED: It’s likely that many—if not all—of your employees are working from home. This has decentralized the workforce and created more points of attack, which poses a challenge for IT departments when it comes to monitoring for malicious activity. With your IT department’s attention divided, this potential vulnerability can present opportunities for cybercriminals attempting to exploit employees. Consult with your IT security staff to identify every new point of attack and start prioritizing protection for sensitive data and applications. To further minimize the chance of a breach happening, restrict access to your data and other high-value assets to only those employees who cannot possibly perform their jobs without such access.
  1. ENSURE BEST PRACTICES ARE STILL IN EFFECT: Treat all your company-owned devices with the same level of security—regardless of their physical location. That means the security software (antivirus, VPN, etc.) should be kept up to date by downloading any software updates or security patches as soon as they become available. Employees must continue to use complex passwords, biometrics, and multi-factor authentication as they would if they were in the office.

One important point about passwords: many people make their passwords easy to remember by using personal information (like a child’s name, birthday, or a simple set of numbers), which means they are built from what may be relatively discoverable data—just think of what many of us have accessible on our social media accounts! Passwords are most effective when they are meaningless and lengthy. And the best of those are a string of random letters, numbers, and special characters. While this may make passwords harder to remember, it more importantly makes them extremely difficult for any single hacker to crack. But don’t get complacent—make it mandatory for employees to change their password on a regular basis (every 90 days is good practice).

  1. BE LOUD AND CLEAR ON POLICY: Communicate your rules on cybersecurity to your staff and instruct them on what exactly you expect of them while working from home. Especially important—emphasize the need to report any suspicious activity as soon as possible. And by “as soon as possible,” I mean right as it happens so your company’s IT security team can get started on a defense immediately if necessary. Your IT personnel are likely to be spread very thin during COVID-19, meaning they will need extra time to analyze possible threats and mount a defense. Once IT is made aware of the suspicious activity, communicate to your teams by detailing the possible cyberattack attempt and any steps they need to take if they may have been targeted as well.
  1. STAY AWARE OF SCAMS: There’s a virtual plague of COVID-19 related phishing scams, fake domains and other tricks cybercriminals are trying in attempts to exploit the crisis to their advantage. Keep yourself educated on these techniques and pass that information along to your employees. A quick tip—phishing emails are common. They often appear to be from someone you know, like a coworker, but typically lack your company’s standard email formatting (for example, they come from a personal email account or omit the usual signature line). The sender may ask you to call or open a link they sent you. Obviously, do not call, click that link, or even send a reply. Instead, immediately call or directly message the person the email claims to be coming from for verification. If that person isn’t available, don’t wait for them to get back to you—report it to IT security.
  1. USE COMPANY EQUIPMENT: You have control over company-owned devices, which means you can ensure those devices are as protected as possible by relying on resources like security software, VPNs and more. But as diligent as your staff may be, there is no guarantee that their personal devices will have the necessary level of protection. Now may be the time to purchase laptops and send them to team members who are using their own computers. The bill for the new hardware may put an initial dent in the company’s pocketbook—but consider the potential costs if data is stolen or held hostage by ransomware. Suddenly, those new computers seem to look more like an investment! The same goes for mobile devices, like tablets and cellphones (after all, they are computers as well). If you don’t have that option and employees must use personal devices, consider altering your policies, such as restricting access to sensitive data to only the most essential personnel—at least on a temporary basis during COVID-19.

The challenges we are all facing during COVID-19 are daunting, to say the least. We’re experiencing massive shifts in how we do our jobs—and with these changes comes a whole new world of difficulties in just trying to function as close to normal as possible. Transitioning your workforce from their usual office environment into a decentralized work-from-home team is a huge feat unto itself—so if you’re in the midst of tackling this, be sure to give yourself a pat on the back for the achievement! But now, we all have to recognize the increasing number of both known and new cyberattacks that are only making the situation more difficult. I’ve covered some of the best techniques for defending your organization, but above all, the greatest piece of advice I can give you is to avoid complacency. We must do everything humanly possible to prevent attacks while keeping in mind that no single security software product or person can do it all. Having an array of resources working in tandem is your best protection, and a knowledgeable workforce is your greatest countermeasure.

Preparation, education and diligence will go a long way in securing the safety of your company’s data, money and—most importantly—its people.

 

Karla Jo Helms is the Chief Evangelist and Anti-PR Strategist for JoTo PR Disruptors. Helms speaks globally on public relations, how the PR industry itself has lost its way, and how corporations can harness the power of PR to drive markets and impact market perception—find out more by visiting www.jotopr.com.