Working from home? Here are the steps all workers and companies should take to avoid cyberattacks, according to experts

Advertisement
Working from home? Here are the steps all workers and companies should take to avoid cyberattacks, according to experts

cybersecurity and smartphones 4x3

Crystal Cox/Business Insider; Samantha Lee/Business Insider

Advertisement
  • As more offices direct employees to work from home amid the COVID-19 outbreak, companies are increasingly vulnerable to cyberattacks.
  • The increase in web apps used by companies for online work and virtual meetings will inflate hackers' potential targets.
  • Cybersecurity experts told Business Insider about steps that businesses and workers can take to make sure they're working from home securely.
  • Visit Business Insider's homepage for more stories.

For workers being instructed to work from home amid the COVID-19 outbreak, doing jobs remotely can be a major adjustment. For hackers, it can be an opportunity.

Remote work means a rise in the number of devices employees are using for their jobs, and an increase in the use of online conferencing tools like Zoom, Google Hangouts, Microsoft Teams, and Slack. That shift also give hackers a larger number of potential targets.

Cybersecurity research firms are predicting a spike in hacks and breaches targeting businesses as the COVID-19 outbreak continues, Business Insider's Jeff Elder reported last week. The Department of Homeland Security has also advised businesses to prepare for new cybersecurity threats arising from work-from-home arrangements.

Business Insider asked cybersecurity experts about measures workers and companies can take to significantly reduce their vulnerability while working from home. Here's what they recommend.

Advertisement

{{}}

Companies should make sure their workers are up to speed on basic security hygiene, including strong passwords and multifactor authentication.

Companies should make sure their workers are up to speed on basic security hygiene, including strong passwords and multifactor authentication.

"With a remote workforce and everybody working digitally, the threat landscape certainly increases," said Kiersten Todt, managing director of the Cyber Readiness Institute and former cybersecurity adviser to the Obama administration. "Now's a really good time to look at all the capabilities you could be using, like multifactor authentication, and to turn them on."

Workers should be especially wary of suspicious emails and avoid clicking on links that are new or unfamiliar to them.

Workers should be especially wary of suspicious emails and avoid clicking on links that are new or unfamiliar to them.

Hackers are already running phishing scams that capitalize on COVID-19 fears, posing as health authorities to get people to click on malicious links.

"For now, individuals are going to be a lot more targeted because they know there's going to be a path to company assets," said Stephen Breidenbach, co-chair of the cybersecurity practice at the law firm Morick Hock & Hamroff. "I would not be surprised to see an attacker posing as tech support targeting the employee who is outside of the office now."

Advertisement

As a general rule, never share personal or financial information via email or message.

As a general rule, never share personal or financial information via email or message.

Most phishing schemes aim to extract people's personal information or login credentials as quickly as possible. If you think someone at your company is asking for your personal information, call them to confirm, and if necessary, give them the information via phone.

Before circulating or acting on news about COVID-19 and its impact on your business, verify that it's coming from a trusted source.

Before circulating or acting on news about COVID-19 and its impact on your business, verify that it's coming from a trusted source.

While this advice may seem obvious, experts warn that phishing scams surrounding COVID-19 hinge on social engineering, often circulating false information in an attempt to make people act out of fear or panic.

"We can expect an increase in social engineering," Todt said. "Do what you can, whether it's as a consumer, business or otherwise, to validate the source of information."

Advertisement

Businesses should explore rolling out VPN services, and make sure their VPNs are patched and up-to-date.

Businesses should explore rolling out VPN services, and make sure their VPNs are patched and up-to-date.

A virtual private network lets people remotely share data as if they were connected to a shared private network. Several popular VPN services were found to have critical vulnerabilities earlier this year — companies should make sure all workers have downloaded the most patched, up-to-date version.

"I think VPNs are a must," Breidenbach said. "If you do not use an encrypted pathway to get into the company network, you are just waiting for someone to open the door and come in."

Companies should also consider using encrypted messaging services for work communication.

Companies should also consider using encrypted messaging services for work communication.

Todt says companies should encourage workers to use encrypted, enterprise-focused services like Wickr as much as possible, adding that consumer-facing software like WhatsApp has proven to be a more frequent target for hackers.

"What I worry about in this situation is that, in an effort to continue to be efficient, people just default to what they use in their personal world," Todt said. "We saw this with Jeff Bezos — don't use the consumer-based technology for business-centered communication."

Advertisement

Experts say it's crucial that companies formulate a recovery plan in case they're hit with a breach stemming from work-from-home conditions.

Experts say it's crucial that companies formulate a recovery plan in case they're hit with a breach stemming from work-from-home conditions.

"A lot of times companies are simply not prepared for this type of incident," Breidenbach said. "Companies need to prepare to maintain at least bare minimum functionality should something happen."