Website and technology security is a core mission for us. It’s almost a compulsion where we wake up in the morning asking ourselves, “Is the data safe … is the website secure?” And it is that focus that has helped us put together a solid track record of intrusion prevention and we’ve been brought in on some exciting projects as a result. So, I guess that sometimes obsessions can work for you.
As I write this, virtually the entire industrialized world is in lock-down quarantine in response to the COVID-19. And since we are obsessed with security, it will not surprise you that we have turned out attention to the challenges — some new, some that have been around for years — that are highlighted by the situation.
Website, Network, & Data Security While Working From Home
For a lot of us in technology fields, we have had to adopt a ton of best practices since remote working is a normal part of the job and we travel for on-site deployments, training, and conferences. Companies in other industries have been faced with digital transformation for decades now. For many companies, adapting to the trends of cloud deployments and a mobile workforce have had a lower priority. With the realities of the world we are all facing now, these companies are having a truly digital and distributed workforce thrust upon them.
Here are some important considerations for your remote-working staff and technical teams.
Work From Home Networks & WIFI
At your office, your network admins are king. They have the power to force highly secure password policies across encrypted lines behind updated firewalls.
When your employees are working from home, they are more likely to be connecting to an internet connection provided by the cable company via a combo WIFI router included at no extra charge with the password engraved on the bottom.
Attached to that same network will be your employee’s company laptop, his business cell phone and the cell phones of family members, a few streaming smart TVs, the Amazon Echo, a baby monitor purchased at Walmart, the Ring doorbell camera, a tablet, and the kids’ gaming system in the den.
This is the network that your employee will be using to log in to the HR portal, web conferencing app, and website.
This sounds like a security nightmare. And it is. Short of installing firewalls and secure routers at the home of every staff member, here’s what you can do immediately to mitigate the risks.
Require Private VPN Connections from Home Networks
This is not a 100% solution. But private VPNs have been around for a long time. Most security-conscious technology professionals have been using them for many years because they prevent the vast majority of detection and sniffing-type attempts. This means that it is an established, scaled, proven solution available easily in the open market. There are a lot of business and enterprise-class solutions available and they can be deployed on computers, tablets, and modern smartphones.
Prepare for Browser-Based Attacks
Your newly remote employees will almost certainly be using browsers to access their company networks. Normally, only a small percentage of your inbound network traffic comes across the open internet. So, when there is a spike in-browser access, this is something that can be monitored and identified easily as a potential threat. But now EVERYONE is accessing the company network via non-standard browsers of all kinds and versions. This can hide or mask intrusion attempts.
Have your technical teams set and enforce new triggers and automations to detect the bad actors in the new browser traffic load.
Browser Spoofing Tricking Home Workers
When your team is working in the office, their company computers are likely automatically directed across internal company networks to access company online resources and portals. Now your team is typing domain names in browser windows, doing navigational searches, and clicking email links to access those resources from the outside.
Internet threat watchdogs have already detected spoofing websites for government agencies, international health organizations, and some enterprise organizations. Spoofing websites are designed to mimic real sites and trick users into entering passwords and other access information.
Sometimes these threats manifest themselves in all-too-real looking emails. Recent reports have indicated that employees have been fooled by fake meeting invites and fraudulent Zoom links, among other risks. These fake links lead to spoofing sites and can even install malware.
The best defense against this kind of malicious activity is updated awareness, training, and resources.
Summary of Work From Home Security
There is a lot of talk about “the new normal.” We fully expect that most of the “old normal” will return once again. But certain trends that were already moving in the business culture have undoubtedly been accelerated by the pandemic crisis. Decentralized work environments are almost certainly a part of that change. But you can make the experience a better one while ensuring that you and your staff are operating securely and that the data is protected.
We will be monitoring this topic. If you have any questions about the security of your website, software, or data, just give us a call. We are always happy to help.
Additional References & Links
In preparation to write this article we reviewed known internet security threat information form the US Cybersecurity and Infrastructure Security Agency (CISA) division of the Department of Homeland Security:
https://www.us-cert.gov/
We also reviewed an article posted on the SecurityInfowatch website:
https://www.securityinfowatch.com/covid-19/article/21132855/5-critical-issues-cybersecurity-teams-face-with-covid19
We also reviewed warnings posted to the Google Threat Analysis Group (TAG) blog:
https://blog.google/technology/safety-security/threat-analysis-group/findings-covid-19-and-online-security-threats/
We also reviewed a recent article on Forbes discussing phishing threats:
https://www.forbes.com/sites/thomasbrewster/2020/04/08/government-warning-these-2500-covid-19-websites-pose-a-threat-to-your-online-safety/#51e5f01046e7