By David Lam, CISSP, CPP; Kim Pease, CISSP; and Stan Stahl, Ph.D.
With more people working from home, more cybercriminals seeking to take advantage of the new normal, and IT departments stretched thin, the risk of cyberattacks and security incidents has been magnified considerably. Here are some practical tips and best practices for protecting your organization against cyberattacks.
Leadership Team
- Vigilance. Remind staff and IT to be hyper-vigilant.
- Training. Consider online cybersecurity awareness training and phishing defense training for everyone in your organization.
- Controls. Ensure that online banking controls are in place. Remember that an email alone is not valid confirmation of a transaction request.
- Insurance. Check with your insurance broker to ensure coverage is in place for incidents resulting from staff working remotely on their personal at-home computers.
- Regulations. Speak to your attorney to make sure your work-from-home realities conform with laws, regulations, and third-party agreements.
IT Department or IT Vendor
- VPN. Implement an end-to-end Virtual Private Network (VPN) for staff to use when remotely accessing the corporate network and cloud services.
- Updates. Ensure all systems are kept patched and updated with the latest versions of software.
- Logging. Make sure logging is turned on, both for network devices and cloud services. Logs should be reviewed frequently for signs of suspicious activities.
- Office 365. If your company uses Office 365, strengthen security by running the free O365 Secure Score, regularly reviewing the Risky Activity report, and monitoring for suspicious activities.
- Authentication. Enable second-factor authentication (also called Multi-Factor Authentication or MFA) for all access to corporate IT resources – including the internal network and cloud services like Office 365, AWS, etc.
- Back-ups. All critical files should be backed up and stored outside of your regular system (and offsite from your regular location) so ransomware cannot reach them.
- Restoration. Test the ability to do a full-file restoration in the event of a ransomware incident.
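As an added illustration of the logging and authentication items above (this script is not part of the original article), the following Python code reviews constructed sign-in log lines in an assumed format and flags two of the suspicious patterns IT should look for: successful sign-ins that did not use MFA, and a success preceded by a burst of failed attempts from the same address. The field names, log format and thresholds are assumptions, not any product's actual format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log lines (assumed format, not from any real tenant or VPN):
# "<ISO timestamp> user=<name> ip=<addr> result=<success|failure> mfa=<yes|no>"
SAMPLE_LOG = """\
2020-04-06T08:01:10Z user=alice ip=203.0.113.5 result=success mfa=yes
2020-04-06T08:02:31Z user=bob ip=198.51.100.7 result=failure mfa=no
2020-04-06T08:02:40Z user=bob ip=198.51.100.7 result=failure mfa=no
2020-04-06T08:02:52Z user=bob ip=198.51.100.7 result=failure mfa=no
2020-04-06T08:03:05Z user=bob ip=198.51.100.7 result=failure mfa=no
2020-04-06T08:03:15Z user=bob ip=198.51.100.7 result=failure mfa=no
2020-04-06T08:03:30Z user=bob ip=198.51.100.7 result=success mfa=no
2020-04-06T09:15:00Z user=carol ip=192.0.2.44 result=success mfa=no
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)

def parse(log_text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(event)
    return events

def review(events, failure_threshold=5, window_seconds=300):
    """Return findings as (kind, user, ip) tuples. Events are assumed to be in time order."""
    findings = []
    recent_failures = defaultdict(list)  # (user, ip) -> timestamps of failed attempts
    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "failure":
            recent_failures[key].append(e["ts"])
            continue
        # A success that bypassed the second factor is a finding on its own.
        if e["mfa"] != "yes":
            findings.append(("no_mfa", e["user"], e["ip"]))
        # A success after repeated failures inside the window suggests password guessing.
        recent = [t for t in recent_failures[key] if (e["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= failure_threshold:
            findings.append(("failures_then_success", e["user"], e["ip"]))
        recent_failures[key].clear()
    return findings
```

Running `review(parse(SAMPLE_LOG))` on the constructed sample reports bob for both patterns and carol for signing in without MFA, while alice's MFA-protected sign-in produces no finding.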
Employees Working Remotely
- High-Alert. Be on high alert for phishing, COVID-19 scams, and other social engineering attacks. This includes emails and phone calls claiming to come from IT or other authoritative sources.
- Personal Devices. Employees using their own computer for company business – which, while sometimes necessary, is not recommended and is considered very risky – should protect it with company-approved anti-virus software. These individuals should also be trained to keep their computer fully patched.
- Single User. The computer being used for work (whether a personal or company device) should only be used by the employee and not shared with anyone else in the household.
- Listening Devices. When discussing sensitive information on phone calls or online meetings, always-on listening devices like Amazon’s Alexa or Google Assistant should be disabled or moved to other rooms.
If you have questions about how to implement these practices or are interested in phishing defense training for your organization, don’t hesitate to contact our information security team.