Guarding Against Cybersecurity Risks
By Kathie Stamps
Just when we think the digital Wild West couldn’t get any wilder, along comes a pandemic to send employees packing up their laptops and working from home. Working remotely isn’t a new concept for certain professions, but in droves? Very new. Once called telecommuting, working from home has its own initialism now, WFH, and cybersecurity experts recommend VPN and 2FA as best practices for the safety of every company’s employees and data against hackers.
A VPN is a virtual private network, a system designed to provide a secure connection from a physical computer to online sites and apps. Multifactor authentication, or two-factor authentication (2FA), is a layered process for logging in that goes beyond username and password to include answering security questions or being sent a code to enter within a few minutes.
“If we were to make one technical recommendation for your readers, it would be to institute multifactor-authentication for mobile workers if they haven’t already. This is the best thing they can do to defend against credential theft and harden remote access,” said Mark Macumber, security practice manager for Volta. “Assume every email is malicious. Never use the same credentials on two different systems.” Headquartered in Frankfort, Volta (www.voltainc.com) is a technology solutions company with offices in Louisville and in Ashburn, Virginia. “Systems administrators and cybersecurity analysts manage systems remotely from all over the world as part of their daily duties, so they are working virtually even when they are in the office,” Macumber said. “Volta is fortunate in that we moved our systems and back office to cloud services years ago.”
As for cyber bad guys, Volta has seen an increase in hostile scanning activity, advanced phishing lures and software vulnerability exploitation attempts at all of the company’s customers, including in health care. Macumber reminds us that “no one person speaks for the hacking community,” so diligence is paramount. The COVID-19 crisis led to a sharp rise in fake websites and phishing attacks, malware-laden websites and fake GoFundMe schemes.
“The week of March 23 alone saw more than 5,000 new domains with ‘COVID-19’ or ‘corona’ in the name,” said Joe Danaher, senior security analyst at the AME Group, noting that some were legitimate website addresses but most were likely being registered for use in cybercrime.
AME Group (www.theamegroup.com), formerly Integrity IT, is a managed security and managed services technology company providing services to multiple industries and businesses across Kentucky, Indiana, Ohio, Louisiana and Texas. “I believe we must remain diligent to emerging threats from a security perspective as the phased-in return to work begins,” Danaher said. “I see companies taking a closer look at making work from home an option and also a critical part of their business continuity plans for the future.”
Danaher recommends putting some thought into selecting professional software for virtual meetings. AME Group uses Microsoft Teams “to help facilitate communication across the company and to allow us to continue to meet virtually with our customers.”
What is the best defense against cyberattacks? A well-educated user base, according to Andrew Nuxoll, director of information security at SIS. “Companies should invest in preparing their teams to identify and react to security threats,” he said. As a converge technology solutions company headquartered in Lexington, SIS (www.thinksis.com) serves industries such as state and local government, higher education, health care and manufacturing.
“Employees have a responsibility, as well,” Nuxoll said. “They should make sure they maintain their own systems and devices at home. It is likely that they will be using a combination of their own equipment as well as company-provided devices.” Cybersecurity involves staying on top of security patches and antivirus software, and using multifactor authentication for logins. “Companies should be doing what they can to ensure their employees’ equipment and the infrastructure used to support it is patched regularly,” Nuxoll said. “Most importantly, employers need to educate their user base on security best practices and how to react if they have concerns.”
There are also legal implications to WFH cybersecurity. “First, employers need to emphasize to employees the importance of only using firm-approved and, preferably, vetted devices and software to conduct company business,” said Bruce Paul, a member at the law firm McBrayer (www.mcbrayerfirm.com). If employees are using personal computers and other equipment “to transmit information about the company or its customers or employees, it is possible that those employees are not protecting that information in a manner that the company and law require,” he said.
Paperwork is sometimes on actual paper, so employees who are working from home need to protect that information too. “Data contained in physical files are just as deserving of confidentiality as electronic data, and employees need to protect those files and not leave them out and around for others in the home to view,” Paul said. “Employers should use this opportunity to evaluate cybersecurity preparedness and areas for improvement with the goal of developing a comprehensive work-from-home policy to be used under any circumstance.”