Author: Imran Ahmad, LL.B, LL.M
Most organizations have moved their workforces to some form of remote work as a result of the COVID-19 pandemic. Surprisingly, remote work has proven effective for many organizations, and they are now contemplating updating their remote work policies to allow employees more flexibility in a post-COVID-19 world. However, from a cybersecurity standpoint, remote work presents unique challenges and risks.
Employees may be accessing sensitive corporate data from their personal devices, or they may be using company-issued devices for corporate and unauthorized personal use. In both instances, hackers will prey on these distracted employees: sending them phishing emails in hopes of gaining access to the organization’s network, or stealing credentials which they sell to criminals who may then launch cyberattacks.
Use these technical tips for a more secure network
That said, there are some basic steps organizations can take to improve their cybersecurity posture. Here are a few technical steps you can use as a good starting point.
- Multi-factor authentication (MFA). Having a strong password is no longer sufficient. Organizations that allow employees to access their work accounts with a simple username and password often fall prey to hackers. If a user’s credentials are stolen by hackers, MFA will offer an extra layer of protection since the hacker will not be able to access the additional unique, randomly generated code. The extra step in the MFA process could be an email or text message confirmation, a biometric method, such as facial recognition or a fingerprint scan, or something physical like a USB fob.
- Updates and patches. During the pandemic, most IT departments were focused on moving a large portion of the organization’s workforce to remote work. This may have put other IT tasks on hold, such as patching and implementing non-critical updates. Hackers will take advantage of this delay to access networks and potentially steal data. Thus, implementing any updates and patches as quickly as possible should be a priority.
- Securing home routers. Employees working from home are relying on the Internet and Wi-Fi access at their residence. Did they change their router password after it was first installed? If not, their home network may be vulnerable.
It is important to take simple steps to protect home networks and prevent hackers from having access to connected devices. While changing a router password is a good first step, your employees should take additional measures. For example:
- Ensure that firmware updates are installed, so that security vulnerabilities can be patched;
- Make sure the encryption is set to WPA2 or WPA3;
- Restrict inbound and outbound traffic;
- Use the highest level of encryption available;
- Switch off WPS.
Employees needing help with these measures should connect with your IT department.
- Beware of remote desktop tools. Many employers allow staff to access their work networks via remote desktop protocols (“RDPs”). While this access method can be secure, several studies have found security problems with some of the most popular RDP tools for Linux and Windows. Ensuring that these tools are properly configured and tested for security is a critical step to take.
- Strong password protocols. Everyone knows the importance of having strong passwords. Unfortunately, many still use the same password across multiple accounts. This means that all it takes is one compromised password for a criminal to take over all accounts associated with that user. They take leaked usernames and passwords and attempt to log into other online accounts, a tactic commonly known as “credential stuffing.”
Passwords should be unique for every account and should comprise a long string of upper- and lower-case letters, numbers and special characters. Additionally, organizations should consider implementing shorter periods for password resets, for example, going from a 90-day to a 30-day reset cycle.
Help your employees stay “cyber-vigilant”
While implementing strong technical safeguards is essential to having a strong cybersecurity posture, the greatest risk to organizations remains their people, who may fall victim to phishing campaigns. Phishing emails are sent by hackers to steal information that can be used in further targeted phishing attacks, credit card and wire fraud, and in installing malicious software on the victim’s device or on the networks they access.
During this pandemic, there has been a marked increase in the number of phishing campaigns that target remote workers in a bid to steal their personal information or gain access to company accounts.
The key to avoiding this vulnerability lies in employee training and reminders to constantly be vigilant. For example:
- If an email appears unusual or requests immediate action (even when it comes from a “known” source), your employees should have the reflex to pause and proceed carefully;
- If the email contains a URL, they should know to hover their cursor over the link to validate the source, and to not open any unexpected attachments;
- If they suspect that they may have inadvertently fallen for a hacker’s ruse, their reflex should be to immediately report the incident to IT, rather than trying to resolve the issue themselves or ignoring it.
The pandemic has shown that remote work is an effective way for organizations to continue operating, so it is likely that some form of remote work will be part of how organizations operate in the future. That said, being aware of the risks and taking some basic steps can significantly reduce your chances of becoming the victim of a cyberattack while working remotely.
For more information on this topic, please contact your McCay Duff advisor.
The above article is reprinted from the newsletter Business Matters with the permission of CPA Canada.
BUSINESS MATTERS deals with a number of complex issues in a concise manner; it is recommended that accounting, legal or other appropriate professional advice should be sought before acting upon any of the information contained therein.
Although every reasonable effort has been made to ensure the accuracy of the information contained in this letter, no individual or organization involved in either the preparation or distribution of this letter accepts any contractual, tortious, or any other form of liability for its contents or for any consequences arising from its use.
BUSINESS MATTERS is prepared bimonthly by the Chartered Professional Accountants of Canada for the clients of its members.