The United States Office of Personnel Management last week urged agencies to prepare to allow federal employees to telework — that is, work remotely.This came on the heels of the Department of Homeland Security closing its facilities in Washington state, after learning an employee had visited the Life Care facility in the city of Kirkland, which is ground zero for the state’s COVID-19 outbreak.
Federal employees were told to self-quarantine for two weeks, and the DHS building is being disinfected.
It isn’t just the federal government that is allowing employees to telework or telecommute. Seattle companies including Amazon, Google, Facebook and others are trying to keep workers safe by letting them do their jobs from home.
Coronavirus fears have shut down schools and businesses in the Evergreen State, and public health officials in King County last week recommended allowing employees in the region to stay home.
Across the country firms already have started allowing employees to work remotely or are considering doing so. Similar measures to those in Washington are being considered in New York and other states. The question is whether these steps are really necessary and whether they could present other serious problems.
“Move your operations out to home offices on the fly. What could go wrong, besides everything?” quipped Jim Purtilo, associate professor in the computer science department at the University of Maryland.
“Shops that might be careful about security practices at the office will find their assurances go out the window once some sudden decision flips activity out into the wild,” he told TechNewsWorld.
“The risks — including insecure WiFi connections; open printer ports; browsers with all manner of unvetted plug-ins, trackers or social media feeds; document shares on unprotected cloud folders; and more — will give us fits,” Purtilo added.
This week TechNewsWorld spoke with numerous cybersecurity experts to get tips on how to stay safe while staying healthy.
Understanding the Most Basic Risks
Before a company sends its workers home, it needs to weigh the risks. This isn’t to say that coronavirus and the COVID-19 disease shouldn’t be taken seriously, but just as health concerns must be addressed, so too should cybersecurity risks.
“First, there will be a lot of scams being run under cover of health and medical issues. Hackers never let a good crisis go to waste, and this is a biggie,” warned Colin Bastable, CEO of security awareness training company Lucy Security.
The danger is that those who are out of the office might feel more comfortable than in the office in every way. This isn’t just about wardrobe choices — it’s about the focus that is necessary to work remotely.
“People working from home get easily distracted, especially if they are normally used to working in the office, and they will mix work with personal email and Web browsing,” Bastable told TechNewsWorld.
“This increases the risks that they can introduce to their employers and colleagues by clicking on malware links — and over 90 percent of attacks are delivered by email,” he added. “With disrupted management communications and fewer opportunities to check with the CEO and CFO, expect remote workers to fall victim to these attacks too.”
More Than the Coronavirus
One of the great dangers is that the focus is so heavily on the coronavirus that computer viruses and other malware are being overlooked by employers, IT staff and remote workers. However, one group that surely isn’t forgetting about computer viruses is comprised of the bad actors who are taking advantage of this time of chaos.
They are spreading misinformation online through spoofed emails and social media. If pandemic-related news or advice isn’t coming from the World Health Organization (WHO), Centers for Disease Control and Prevention (CDC) or other reputable medical sources don’t believe it. More importantly, don’t click on questionable links on social media, email, forums or elsewhere. Go directly to WHO and CDC sites for the facts.
“Antivirus and antimalware — endpoint security protocols — should be updated at least daily. Most can be configured to check for updates hourly, and this can help mitigate risks,” Lou Morentin, VP of compliance and risk management for Cerberus Sentinel, told TechNewsWorld.
If working from home is a break from the norm, IT staffs should prepare workers, educating them about the risks.
“The initial thing is to ensure that workforces have the equipment required for working at home, such as laptops, voice and video conferencing, as well as secure networking and access,” noted Marc Gaffan, CEO of cybersecurity firm Hysolate.
“Secure workstations and access are the primary element of such a program,” he told TechNewsWorld.
Don’t Be the Low-Hanging Fruit
It is unfortunately during the worst of times that the worst types of cyberattacks can occur. Hackers, cybercriminals and even rogue states are more likely to strike a confused, worried and concerned populace.
“In general, attackers are looking for a vulnerability to deliver their attack,” explained Chris Rothe, chief product officer of cyber research firm Red Canary.
“In this case, people’s fear over the virus is the vulnerability attackers will look to capitalize on,” he told TechNewsWorld.
“If an individual is concerned or stressed about the virus they are less likely to remember their security training and will be more likely to, for example, click a link in a phishing email or give their credentials to a malicious website,” Rothe added.
Working from home or remotely therefore should require a greater level of security.
“Single sign on and multi-factor authentication are critical technologies for the remote workforce, as well as minimizing risk for the business,” noted Stealthbits Vice President Ralph Martino.
“These together allow the remote workforce to connect to business applications in the cloud using one password. This provides greater security and compliance for the enabling the remote workforce,” he told TechNewsWorld.
Users are typically the weakest link in every security program.
“That weakness gets amplified by a situation like the coronavirus. Business leaders should make a point to remind their employees of their security training and call out the fact that attackers will use coronavirus as an opportunity,” warned Red Canary’s Rothe.
The New Normal
Many individuals already work from home on a regular, or at least semi-regular basis. The present security issues concern the surge in the number of employees who usually don’t.
However, remote working could become the new normal — not just because of COVID-19, but for a plethora of other reasons, including improved productivity, smaller offices, and companies’ efforts to lessen their carbon footprint by reducing employee commutes.
However, during times of crisis it’s possible that too many people may be working away from the office at once. That can tax IT departments in unexpected ways. Workers will need to learn how to function as their own IT staff to solve many cyber-related issues.
“We’re definitely seeing this ramp up with the current COVID-19 situation,” said Gil Kirkpatrick, chief architect at Semperis.
“People working from home can expect time outs, network outages, and hitting license caps — which can slow productivity and impact job performance,” said Josh Bohls, CEO of Inkscreen.
“Many employees won’t be working from corporate networks and known, managed applications, and instead will be moving to ‘Shadow IT’ applications,” he told TechNewsWorld. “They may be using their mobile phones to scan and capture documents and mixed media content with little or no organizational governance.
Mobile phones aren’t exactly built for security, cautioned Bohls.
“Also, more employees are going to be tempted to download non-secured and potentially malware-laden apps,” he pointed out.
“Fortunately, tech has evolved over the last 20 years to specifically support remote workers, and recent breaches are driving IT and security teams to mandate that employees use apps that enable the organization to protect, manage, and control business content collected on mobile,” said Bohls.
“While employers are encouraging staff to stay healthy, they must also encourage them to stay safe online,” Semperis’ Kirkpatrick told TechNewsWorld.
“Home routers are notoriously insecure, and they usually have security bugs that need to be patched by flashing the ROM, which most people don’t do,” he noted.
“Remote workers should use their work computer, not their home computer, along with corporate authorized and managed devices whenever possible,” said Kirkpatrick.
“If you have to use your home computer, update A/V software and make sure its actually running. Don’t save files on your home machine. Save them in the corporate Dropbox/OneDrive/etc. — and use your work email, never personal,” he advised. “Those are some best practices to keep a remote workforce humming along securely.”