We continue to follow updates about the coronavirus COVID-19 pandemic and remain committed to sharing resources and support for small businesses navigating our collective new normal.
Moment by moment, the circumstances surrounding this global health crisis are changing the way we work. There are entirely new sets of challenges we face as distributed workforces. We must simultaneously band together while at the same time physically practice social distancing. As a result, a significant portion of the world’s workforce is participating in the largest work-from-home experiment ever seen.
There are myriad implications of so many people simultaneously working from home. The volume of digital communication between coworkers has skyrocketed, employees are now using their home WiFi networks to conduct business, and VPN usage is at an all-time high. This sudden switch in the way many of us conduct our day-to-day business introduces a new wave of cybersecurity threats. Relying on home WiFi networks, which may be less secure than company networks, presents opportunities for cyber threats. Companies and employees should exercise extra precaution and remain vigilant about cybersecurity.
Below are nine tips for shoring up security practices and keeping your company, employees, and data protected.
It may seem elementary, but our human intuition is powerful. Trusting your gut is an important part of cybersecurity. If something feels suspicious or out of the ordinary, it likely is. When in doubt, communication is key. If you receive an odd email from someone claiming to be your CEO, follow up over a different medium like Slack or a phone call. Be cautious of messages specifically crafted to invoke feelings of urgency or fear of not complying with a request. Phishing attacks often prey upon a victim’s emotions in hopes that the victim will act quickly, without thinking, or bypass established security protocols.
Phishing attacks are attacks where a malicious party pretends to be legitimate in order to extract sensitive information like passwords, social security numbers, or billing information. Some of the most common phishing techniques include:
Be extra cautious when you encounter emails from anyone outside of your company’s domain, emails that contain links or attachments, and websites that ask you to log in or confirm a password.
You can learn more about common phishing scams from Phishing.org, a project of KnowBe4, the world’s largest security awareness training and simulated phishing platform. Help your team learn more about phishing with a Free Coronavirus Phishing Test for Employees from Curricula, one of our customers and a cybersecurity awareness training company.
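The cautions above (a sender outside your company's domain, links or attachments, requests to log in or confirm a password, urgent wording) can be turned into a first-pass mail triage. This is an added example, not part of the original article; the flag names, the keyword lists, and the `example.com` company domain are assumptions, and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|final notice)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)
CREDS = re.compile(r"\b(log ?in|sign ?in|password)\b", re.I)

def triage(raw, company_domain):
    """Return caution flags for one raw RFC 5322 message (heuristics, not a verdict)."""
    msg = message_from_string(raw)
    flags = []
    # The display name ("CEO Jane Doe") is free text; only the address domain counts.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    company = company_domain.lower()
    if domain != company and not domain.endswith("." + company):
        flags.append("external-sender")
    parts = list(msg.walk())
    if any(p.get_filename() for p in parts):
        flags.append("attachment")
    text = [msg.get("Subject", "")]
    for p in parts:
        if p.get_content_type() == "text/plain" and not p.get_filename():
            body = p.get_payload(decode=True) or b""
            text.append(body.decode(p.get_content_charset() or "utf-8", "replace"))
    joined = "\n".join(text)
    for name, pattern in (("link", LINK), ("urgency", URGENCY), ("credential-request", CREDS)):
        if pattern.search(joined):
            flags.append(name)
    return flags

# Constructed sample messages; example.com and .test are reserved, non-routable names.
PHISH = """\
From: "CEO Jane Doe" <jane.doe@examp1e.test>
Subject: URGENT: invoice must be paid immediately
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Log in at http://portal.examp1e.test/ and confirm your password.
--b1
Content-Disposition: attachment; filename="invoice.pdf"

--b1--
"""
INTERNAL = "From: Sam <sam@example.com>\nSubject: Lunch order\n\nSandwiches at noon.\n"
if __name__ == "__main__":
    print(triage(PHISH, "example.com"), triage(INTERNAL, "example.com"))
```

A flagged message is a prompt to verify over a different medium, as described above, not proof of phishing; a lookalike domain such as `example.com.evil.test` is still treated as external because only an exact match or a true subdomain of the company domain passes.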
Legacy methods of WiFi encryption such as WEP (Wired Equivalency Protection, a security algorithm adopted in 1997) and WPA (WiFi Protected Access, a security program that became available in 2003) can make it easier for an attacker to compromise your network, sniff your traffic, and deploy other nefarious attacks.
Your WiFi connection should be encrypted with WPA2, a security program certified by the WiFi Alliance that uses modern encryption. The administrator password for your router should not be the default password assigned by the manufacturer, as those are publicly accessible via the internet. Instead, choose a strong password with upper and lower case letters, numbers, and special characters. Or, generate a random password with a password manager.
A password manager is an incredibly useful tool for managing security. Rather than committing your password to memory, implement a tool company-wide to generate, store, and grant access to passwords for employees. A password manager prevents everyone from having a collection of password sticky notes, using a standard one-size-fits-all password, and sharing passwords insecurely. Moreover, a password manager can help prevent opportunities for security breaches before they begin.
Using a single password manager helps you manage secure and complex passwords. Not only can it suggest secure passwords, but it can also keep an encrypted version of your (different) passwords for each system. Additionally, a password manager includes user-level permissions, making it easy to share passwords with team members as needed. Credentials and other sensitive information should never be sent over chat applications like Slack, Microsoft Teams, or other company communications platforms.
Having complex passwords prevents simple security breaches. Adopting multi-factor authentication is another incredibly useful measure in mitigating potential security breaches.
What is multi-factor authentication (MFA)?
A security protocol that requires a user to authenticate their access by using more than one device for access. For example, you enter your Gmail password and then receive a text message on a previously-registered device to confirm that you are, in fact, you.
When multi-factor authentication is used, an attacker needs both your credentials and access to your MFA device to successfully complete an attack. Whenever possible, use multi-factor authentication to increase security.
In the event your device is compromised, antivirus software can be a saving grace. With more employees working from home than ever before, new cybersecurity threats abound. Keep your antivirus software updated so that it is equipped to detect even the most recent malicious activity.
Modern web browsers make it a breeze to determine if a site is secure. Direct your attention to the URL bar. A secure site URL is prefixed by “https” or specifies the https protocol. Also, many browsers, like Chrome and Firefox, indicate this with a padlock icon.
Not always, but sometimes an insecure site, one with the “http” prefix, can be a sign of malicious activity or a fake website. Moreover, any information you submit or send through an “http” site can be intercepted by anyone on the same network, regardless of whether their connection is wired or wireless. Never submit passwords or other sensitive information over an insecure (http) connection. Always check the URL bar of your browser window for two things:
Having well-defined security and emergency protocols is important all the time, and it is especially important if your company has a completely remote, decentralized, or distributed workforce. Documenting security protocols and ensuring your team follows them will help protect your company against cyber attacks. It is much easier to spot out-of-the-ordinary activity when you know what is typical. Having emergency procedures in place will support an efficient response to a cyber threat, malicious attack, or data breach.
Access should be granted to systems and software following the principle of least privilege (PoLP), where users are only granted the minimum level of access required to carry out their work.
How does the principle of least privilege work in the real, digital world?
Your sales team sends invoices to customers for purchases and accordingly needs access to your payment processing software. Grant only the members of your sales team who can send invoices the lowest level of access in the payment-processing software. In other words, grant them “specialist” role privileges rather than “administrator” role privileges.
A regular backup strategy is also imperative. Not only can a backup strategy save the day during accidental deletion of important files and information, but it can also turn a ransomware attack from a show-stopper to a minor inconvenience.
What is a backup strategy?
An automated or manual process in which all of your data is routinely saved to a separate device as a backup, creating data redundancy.
In the unfortunate event your company falls victim to a cybersecurity breach, having a cyber liability policy with sufficient coverage in place is paramount. Cyber Liability Insurance protects your company against first- and third-party cyber-related threats and expenses including data breaches, legal defense costs, notification costs, and system disruption. A good cyber liability policy addresses nearly every aspect of total cyber exposure.
With Layr, you can purchase a cyber liability insurance policy in moments as a stand-alone policy or in addition to your existing business insurance policies. All of the partner carriers at Layr are rated “A” or better, meaning your policies are backed by trusted companies with histories of paying claims.
Layr is a small but mighty team of passionate individuals committed to building #BetterBusinesInsurance. When we decided to move our operation completely remote, I did a pass of our company’s security position using the 9 tips outlined above. You can do the same for your company to shore up your security.