Cyber exposures have significantly increased as employees migrate to working remotely. In mitigating one risk, we have inherently increased another: just as we encourage our employees to practice social distancing and frequently wash their hands, we should also be encouraging them to think before clicking.
Many cyber criminals are preying upon the curious population of people actively following news updates and information on the COVID-19 pandemic. They are distributing emails, even purporting to be from the World Health Organization (WHO) or the Centers for Disease Control and Prevention (CDC), with information packaged as clickbait in order to infect the user’s system with malware. Or they are sending phishing emails purporting to be from the organization’s IT team, requesting login credentials from an unsuspecting user who is new to the work-from-home protocols.
Furthermore, our workforce at home is suddenly reliant upon their own telecommunication/internet services, and sometimes their own devices, to connect to the corporate network rather than the network access and equipment provided at the office. Personal internet services and devices tend to be far less secure: they lack commercial-grade firewall protection and Intrusion Prevention Systems, and they may be protected by weak, easily guessed passwords.
Curious how easily your password could be cracked? This site estimates how long a systematic (brute-force) search would take to find it: https://howsecureismypassword.net/ Test it with a password of the same length and character mix rather than one you actually use.
How can you manage these new risks in a reasonable manner? We realize that many businesses are still scrambling to resume or maintain as much of their operations as possible. When we are in a reactionary state, safety and security can lapse. As much as we are encouraging the physical safety of our employees, we must also encourage their cyber safety.
This is critically important because, as much as the pandemic has caused an interruption to company operations globally, so too can a cyber incident. Ransomware is running rampant, using the COVID-19 topic to bait a user to click, locking up entire corporate networks and releasing them only in exchange for cryptocurrency. And although the world is in a state of turmoil, the privacy laws governing the various jurisdictions are still in effect, and organizations are still obligated to comply.
To keep the effort reasonable, these are the items we would recommend our clients deploy at this time:
- Remind employees to click with caution. We are all working at a fast pace, multi-tasking and curious about the breaking COVID-19 news. All of us should be reminded to slow down, pause and think before clicking. Employees should validate that any links or attachments come from an authentic and trustworthy source before proceeding.
- Clarify how & through what means your IT department can and will communicate. This can prevent someone from falling prey to an email purporting to be your IT team.
- Require all employees to connect to your corporate network through a VPN (Virtual Private Network). If you have this technology in place, use it!
- Require Multi-factor Authentication (MFA) and Strong Passwords. If possible, require MFA before allowing connection to the corporate network or email. Encourage strong passwords!
- Develop a Cyber Incident Response Plan. There are templates available for free, possibly through your Cyber Insurance carrier. But at minimum you should identify who is going to be contacted when an incident is suspected, and how (phone numbers) you are going to contact them. This should include your insurance broker so they can loop in the insurance carrier, who will have a panel of attorneys and IT forensics firms to support you. Print this out and keep it somewhere in case you cannot access it on the corporate drive!
- Updates and Patches. Encourage users to install available system updates, as they may include patches for vulnerabilities that would otherwise leave their device more susceptible to attackers. IT should be pushing these out regularly and should not make an exception now that staff are telecommuting.
- Continue to Back Up Data. One of the greatest defenses against ransomware attacks is to have solid and recent backups in a segregated environment that would not fall victim to the same attack on your corporate system.
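The crack-time figure the password-testing site above produces is essentially a brute-force search-space calculation, and the "strong passwords" item in the list can be turned into a measurable check the same way. The following is an added example, not code from the original post or from that site; the attacker guess rate, the 100-year policy threshold and the sample passwords are assumptions chosen for illustration.

```python
import string

# Assumed attacker guess rate for the estimate (a hypothetical offline
# cracking rig; not a figure from the original post).
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Alphabet size a brute-force search would have to cover for this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    if " " in password:
        size += 1  # passphrases with spaces add one more symbol
    return size


def search_space(password: str) -> int:
    """Candidates an exhaustive search of the same length and charset must cover."""
    return charset_size(password) ** len(password)


def crack_seconds(password: str, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Average brute-force time: half the search space at the assumed guess rate.
    Pure brute-force model only: a dictionary word such as "password" falls
    far faster in practice than this estimate suggests."""
    return search_space(password) / 2 / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration roughly the way password-strength sites do."""
    for name, span in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {name}"
    return "instantly"


def strong_enough(password: str, min_years: float = 100.0) -> bool:
    """Policy check (assumed threshold): estimated brute-force time must exceed min_years."""
    return crack_seconds(password) >= min_years * 365 * 86400


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("password", "Spring2020!", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{pw!r}: {human_time(crack_seconds(pw))} (policy ok: {strong_enough(pw)})")
```

The estimate rewards length far more than symbol variety, which is why a long passphrase scores well; combine the check with a breached-password blocklist, since brute-force time says nothing about reuse or dictionary words.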
If you have any questions related to this topic, please feel free to reach out to JKJ’s Cyber Practice Leader – Alexandra Bretschneider at firstname.lastname@example.org.
Written by: Alexandra Bretschneider, Account Executive | Johnson, Kendall & Johnson
We understand that this is an evolving situation and further updates will be provided as information becomes available.