These basic tips are targeted at those who do not already read CybersecAsia.net and need a layman’s refresher on remote-working security.
As the need for a remote workforce grows, so does the imperative to secure the organization against the growing threat landscape. Where there are security gaps due to the rush to establish a distributed workforce, cybercriminals will be happy to exploit them.
Whether you are a veteran of securing remote-work environments or just getting started, here are five important steps to protect employee and customer data, contributed by Jim Alkove, Chief Trust Officer, Salesforce:
1. Enable Multi-Factor Authentication (MFA)
Passwords alone are not enough to protect against common security attacks. Weak or reused passwords are often the weakest link attackers love to exploit. As the security landscape evolves, multi-factor authentication (MFA) has emerged as one of the best ways to protect business and customer data. By requiring users to enter two or more authentication factors to prove their identity during the login process, MFA can drastically reduce the odds of unauthorized access even if a user’s password is stolen.
As your cloud migration picks up steam, enabling MFA as part of a defense-in-depth strategy, rather than relying on employees to brainstorm unbreakable passwords and keep them safe, can be a key success factor.
2. Patch your devices
Patching corporate devices is a simple, effective and direct way of ensuring employees inoculate themselves against known vulnerabilities, resulting in much-improved resilience against common attack vectors like ransomware. Through patching, IT personnel can also bring new features to corporate devices, remove outdated ones, and even fix performance issues. Encourage your employees to patch their personal devices as well.
3. Beware of COVID-19 phishing emails
While phishing (and its cousin, vishing) scams are nothing new, the pandemic has emboldened cybercriminals to steal personal information by taking advantage of confusion surrounding the rollout of financial assistance and other government programs. Here, again, is an example of how nailing the basics can go a long way, and it starts at the top. If CISOs and IT leaders simply raise awareness within their companies of these threats and how to spot them, security-aware employees can render phishing emails and vishing calls ineffective by looking for red flags, including:
- Is the subject line off?
- Is the email from a known person or organization?
- Is there anything suspicious about the attachment?
- Is there something ‘phishy’ about the credentials requested?
- Is the email poorly written?
- Is the message requesting immediate, urgent attention or money?
- Is the call from a familiar phone number?
4. Secure your connection
Laptops, phones and, yes, even your smartwatch connect to the internet with varying (and sometimes random) levels of security controls. By requiring remote employees to use a virtual private network (VPN) on devices with access to business data, companies can dictate the terms of engagement when sending or receiving sensitive information through otherwise public connections.
Put another way: if transporting a briefcase full of cash, would you want a courier driving with the top down and $100 bills flying all over the interstate, or would you prefer a secret, secure tunnel purpose-built to keep intruders out? A VPN can give you just that, at the minimum. Or consider the newer Software-Defined Perimeter (SDP), also known as Zero Trust Network Access (ZTNA).
5. Secure your e-meetings
With videoconferencing at an all-time high, it is more important than ever to review the security settings within your web conference platform of choice. For example, using a platform’s built-in security features, such as meeting rooms, passwords and screen-sharing permissions, can be a basic but critical step in managing activity and preventing unauthorized access to meetings.
Where possible, use unique passcodes and access links for meetings and disable ‘beta’ features you do not need (such as file-sharing or livestreaming) to minimize human error.