Security Tips for Working Remotely During the COVID-19 Pandemic
In less than three months, the COVID-19 pandemic has reached every single corner of the globe and is continuing to spread at an exponential rate. As of April 2, 2020, the virus has infected more than 930,000 people across the globe and killed more than 47,000.
Governments are introducing increasingly strict measures to flatten the curve of the spread. Many are enforcing mandatory quarantine and social distancing orders, as well as putting restrictions on business activities. We have not experienced such a large-scale disruption of social and economic activities since the end of World War II.
Due to these mandatory restrictions, businesses around the world are left with no choice but to send their workers home to work remotely. Telecommuting is definitely helpful in keeping us safe from the virus, but it exposes us to a wide range of cyberthreats.
The risks and challenges of working from home
Many may wonder, “Organizations have always had workers working remotely, so why is it a problem now?” The problem is that when fewer than 20% of workers work remotely, companies can manage the security risks with relative ease. However, under the current situation, up to 90% of the workforce has suddenly been told to work from home on very short notice, making it very difficult for companies to prepare and adapt.
Every time an employee works remotely, the company’s security team has to monitor and secure that user’s endpoint. When you have thousands of employees at different locations, this becomes an impossible task. This is especially true for large organizations in traditional industries, such as governments, schools, hospitals, and banks. These organizations tend to run some of the oldest operating systems with low application security measures.
Another challenge is that when employees work from remote locations, they tend to be less alert and more easily distracted. Especially at this chaotic time, many mix work with other activities such as web browsing, online shopping, and checking the news, while others may also use their personal computer for work. This increases their chance of exposure to phishing emails and fake websites. Adding to the problem, home networks are less secure than corporate networks and more vulnerable to phishing attacks.
Lastly, we have seen a significant surge in malware and ransomware attacks since COVID-19 started to spread. Criminals around the world have been leveraging people’s fear and societal chaos to launch intensive phishing campaigns. In fact, according to research done by Barracuda Networks and Cloudflare respectively, phishing emails have increased 667% since the end of February, while general cybercrime activities increased by 37% (Infosecurity).
What organizations can do to minimize risks
Despite all the challenges, this may be the best chance for organizations to upgrade their security infrastructure for remote workers. For those that are lagging behind in this area, we list a few easy starting points. These measures are not foolproof, but they will significantly reduce the risks of remote work.
1. Choose a reliable virtual private network (VPN)
A virtual private network (VPN) lets a user connect a PC or smartphone to a remote server and gain access to that server’s network as if the device were directly connected to it. In other words, it creates a virtual connection between the user’s device and the destination network, shared only between the user and other members of the destination network, hence the name “virtual private network”.
Many people use VPNs to access region-restricted content by connecting to a network from the available region. However, this is not the purpose they were originally created for. VPNs were originally invented for organizations to establish secure virtual connections between different office branches and remote workers, so that everyone in a company can access their corporate network no matter where they are.
When an organization provides a VPN service to all employees working remotely, all their internet activity is carried out as if they were working directly in the office. All the traffic is encrypted and protected by your organization’s local security measures.
Not all VPN services are created the same. Some cheap VPNs may only encrypt the data in transit, but not the data run by applications. Others may even collect your data for sale, which would create greater security risks than not using a VPN at all. Therefore, choosing a reliable VPN service is crucial in keeping your network safe.
2. Start to adopt software-as-a-service (SaaS)
Another move that complements the use of VPNs is to use cloud applications. In fact, organizations have already been slowly moving away from local storage to cloud databases, and away from on-premises software to software-as-a-service (SaaS).
SaaS programs are sometimes referred to as public clouds because their service providers entirely manage and secure these programs, including their application and database layers. Examples of SaaS applications include Office 365, Dropbox, Salesforce, etc. These applications are generally safe to use regardless of the employees’ locations.
Of course, these applications can still be compromised by an attack on the service provider. However, these service providers tend to have the most reliable and robust security measures that many smaller businesses cannot afford.
3. Enhance security measures for the cloud
However, not everything in the cloud is safe. Unlike SaaS, infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS), also referred to as private clouds, require companies to invest in their own security measures to protect their data and applications running in the cloud. Examples include Amazon Web Services and Microsoft Azure.
When using these services, be sure to complement them with a virtual web application firewall to protect applications in the cloud from web attacks, apply an encryption system to keep data stored in the cloud safe from theft, and equip them with multi-factor authentication to protect the operating system from unauthorized access.
[Penta Security’s WAPPLES SA is a web application firewall designed to protect applications running in the cloud. MyDiamo is an encryption framework for open source databases. ISign+ offers multi-level authentication to safeguard user accounts.]
4. Educate your employees
No matter how robust the security measures of a company are, the biggest challenge is whether the employees are educated enough to understand the risks and strictly follow the security rules. Having a workforce that is aware of and knowledgeable about cybersecurity threats would make life much easier for the security team.
What employees can do to protect themselves
Remember that following corporate security policies is the responsibility of every employee. You are putting yourself at risk by not following these rules because you could be liable for all the corporate damages resulting from policy violations. Apart from understanding the above-mentioned risks and strictly following security policies, there are a few more simple tips that every employee can follow to reduce their risk of being attacked.
1. Never connect to public wi-fi for work
When you connect to public wi-fi, anyone would be able to access the same wi-fi and get onto your network, making your computer vulnerable. Moreover, those on your network can monitor your internet traffic as it travels between your device and your company. If you really need to check that email while in a cafe, use your mobile hotspot.
2. Never use personal computers for work
How many times have you clicked the postpone button for a Windows Update? Personal computers tend to run on outdated applications and free antivirus programs.
3. Watch your device
Do not leave your device unattended in a cafe. Your data could be stolen in a few seconds when an attacker inserts a pre-programmed USB stick.
4. Watch out for all connections
Do not connect your device to random USB charging ports. If you need to charge your phone at a public location, use a USB data blocker.
5. Watch out for phishing texts and emails
Attackers are continuously exploiting people’s fear of COVID-19. Most of these virus-themed attacks start out by text and email phishing. Therefore, be extra cautious and do not open any email links.