BLOG POST
9 Tips to Protect Your Company from Cyber Threats Amid the Coronavirus COVID-19 Pandemic
By The Layr Team | 03/25/2020
We continue to follow updates about the coronavirus COVID-19 pandemic and remain committed to sharing resources and support for small businesses navigating our collective new normal.
Moment by moment, the circumstances surrounding this global health crisis are changing the way we work. There are entirely new sets of challenges we face as distributed workforces. We must simultaneously band together while at the same time physically practice social distancing. As a result, a significant portion of the world’s workforce is participating in the largest work-from-home experiment ever seen.
There are myriad implications of so many people simultaneously working from home. The volume of digital communication between coworkers has skyrocketed, employees are now using their home WiFi networks to conduct business, and VPN usage is at an all time high. This sudden switch in the way many of us conduct our day-to-day business introduces a new wave of cybersecurity threats. Relying on home WiFi networks, which may be less secure than company networks, presents opportunities for cyber threats. Companies and employees should exercise extra precaution and remain vigilant about cybersecurity.
Below are nine tips for shoring up security practices and keeping your company, employees, and data protected.
1. Trust Your Gut
It may seem elementary, but our human intuition is powerful. Trusting your gut is an important part of cybersecurity. If something feels suspicious or out of the ordinary, it likely is. When in doubt, communication is key. If you receive an odd email from someone claiming to be your CEO, follow up over a different medium like Slack or a phone call. Be cautious of messages specifically crafted to invoke feelings of urgency or fear of not complying with a request. Phishing attacks often prey upon a victim’s emotions in hopes that the victim will act quickly, without thinking, or bypass established security protocols.
2. Educate Yourself and Your Team About Phishing Attacks
Phishing attacks are attacks where a malicious party pretends to be legitimate in order to extract sensitive information like passwords, social security numbers, or billing information. Some of the most common phishing techniques include:
- Sending fraudulent emails or text messages to potential victims.
- Including fake attachments in fraudulent emails.
- Creating fake websites that mimic legitimate sites in order to steal information.
- Creating fake “faster sign in” options in apps and commonly used services.
Be extra cautious when you encounter emails from anyone outside of your company’s domain, emails that contain links or attachments, and websites that ask you to log in or confirm a password.
You can learn more about common phishing scams from Phishing.org, a project of KnowB4, the world’s largest security awareness training and simulated phishing platform. Help your team learn more about phishing with a Free Coronavirus Phishing Test for Employees from Curricula, one of our customers and cyber security awareness training company.
3. Update Your WiFi Encryption
Legacy methods of WiFi encryption such as WEP (Wired Equivalency Protection, a security algorithm adopted in 1997) and WPA (WiFi Protected Access, a security program that became available in 2003) can make it easier for an attacker to compromise your network, sniff your traffic, and deploy other nefarious attacks.
- What is a network-compromising attack?
An attack focused on penetrating your network often with malicious intent like spreading malware, a virus, or exploiting a security vulnerability. - What is a sniffing attack?
Interception or theft of data via unauthorized monitoring by a bad actor. - What is a man-in-the-middle attack?
An attack where communication between two parties is altered such that both parties believe they are communicating with one another; in reality, the attacker, who is in the middle, is collecting sensitive information from both involved parties.
Your WiFi connection should be encrypted with WPA2, security programs certified by the WiFi Alliance that use modern encryption. The administrator password for your router should not be the default password assigned by the manufacturer as those are publicly accessible via the internet. Instead, choose a strong password with upper and lower case letters, numbers, and special characters. Or, generate a random password with a password manager.
4. Use a Password Manager
A password manager is an incredibly useful tool for managing security. Rather than committing your password to memory, implement a tool company-wide to generate, store, and grant access to passwords for employees. A password manager prevents everyone from having a collection of password sticky notes, using a standard one-size-fits-all password, and sharing passwords insecurely. Moreover, a password manager can help prevent opportunities for security breaches before they begin.
Using a single password manager helps you manage secure and complex passwords. Not only can it suggest secure passwords, but it can also keep an encrypted version of your (different) passwords for each system. Additionally, a password manager includes user-level permissions, making it easy to share passwords with team members as needed. Credentials and other sensitive information should never be sent over chat applications like Slack, Microsoft Teams, or other company communications platforms.
5. Adopt Multi-Factor Authentication
Having complex passwords prevents simple security breaches. Adopting multi-factor authentication is another incredibly useful measure in mitigating potential security breaches.
What is multi-factor authentication (MFA)?
A security protocol that requires a user to authenticate their access by using more than one device for access. For example, you enter your Gmail password and then receive a text message on a previously-registered device to confirm that you are, in fact, you.
When multi-factor authentication is used, an attacker needs both your credentials and access to your MFA device to successfully complete an attack. Whenever possible, use multi-factor authentication to increase security.
6. Install Up-to-Date Antivirus Software
In the event your device is compromised, antivirus software can be a saving grace. With more employees working from home than ever before, new cybersecurity threats abound. Keep your antivirus software updated so that it is equipped to detect even the most recent malicious activity.
7. Only Trust Secure Sites
Modern web browsers make it a breeze to determine if a site is secure. Direct your attention to the URL bar. A secure site URL is prefixed by “https” or specifies the https protocol. Also, many browsers, like Chrome and Firefox, indicate this with a padlock icon.
Not always, but sometimes an insecure site, one with the “http” prefix, can be a sign of malicious activity or a fake website. More, any information you submit or send through an “http” site can be intercepted by anyone on the same network, regardless if their connection is wired or wireless. Never submit passwords or other sensitive information over an insecure (http) connection. Always check the URL bar of your browser window for two things:
- A secure connection, indicated by a URL prefixed with the “https” protocol.
- The intended domain (https://marketwake.layr.app/) is displayed, rather than another malicious site.
8. Define Security and Emergency Protocols
Having well-defined security and emergency protocols is important all the time, and it is especially important if your company has a completely remote, decentralized, or distributed workforce. Documenting security protocols and ensuring your team follows them will help protect your company against cyber attacks. It is much easier to spot out-of-the-ordinary activity when you know what is typical. Having emergency procedures in place will support an efficient response to a cyber threat, malicious attack, or data breach.
Access should be granted to systems and software following the principle of least privilege (PoLP), where users are only granted the minimum level of access required to carry out their work.
How does the principle of least privilege work in the real, digital world?
Your sales team sends invoices to customers for purchases and accordingly needs access to your payment processing software. Grant only the members of your sales team who can send invoices the lowest level of access in the payment-processing software. In other words, grant them “specialist” role privileges rather than “administrator” role privileges.
A regular backup strategy is also imperative. Not only can a backup strategy save the day during accidental deletion of important files and information, but it can also turn a ransomware attack from a show-stopper to a minor inconvenience.
What is a backup strategy?
An automated or manual process in which all of your data is routinely saved to a separate device as a backup, creating data redundancy.
9. Purchase Legitimate Cyber Liability Insurance
In the unfortunate event your company falls victim to a cybersecurity breach, having a cyber liability policy with sufficient coverage in place is paramount. Cyber Liability Insurance protects your company against first- and third-party cyber-related threats and expenses including data breaches, legal defense costs, notification costs, and system disruption. A good cyber liability policy addresses nearly every aspect of total cyber exposure.
With Layr, you can purchase a cyber liability insurance policy in moments as a stand-alone policy or in addition to your existing business insurance policies. All of the partner carriers at Layr are rated “A” or better, meaning your policies are backed by trusted companies with histories of paying claims.
Layr is a small but mighty team of passionate individuals committed to building #BetterBusinesInsurance. When we decided to move our operation completely remote, I did a pass of our company’s security position using the 9 tips outlined above. You can do the same for your company to shore up your security.