Almost as quickly as the coronavirus/covid-19 pandemic took the world to its knees, cyber criminals begin using it to exploit the millions now forced to work-from-home (WFH). Weak home WiFi networks, a lack of encryption on personal devices and incorrect configuration of remote desk protocol (RDP) all bring massive cyber risks to employers that are now unable to monitor all workstations and employees directly.
A variety of phishing attacks have been discovered already and more are being created each day. Fake websites are being set up with false information, fraudulent stores selling medical equipment and fake charities – all in the effort to harvest credentials to cause harm. Cybercriminals know that company IT systems and resources are more strained than ever before and are using this to their advantage. The Cybersecurity and Infrastructure Security Agency (CISA), a department of US Homeland Security, recently announced key cyber security recommendations for employees working from home.
• Update VPNs, network infrastructure and devices used for remote work – as all devices are variables
• Notify employees of increased phishing attacks and offer training/guidance
• Ensure IT Security teams are proactively monitoring logs/devices and are prepared for incident response/recovery
• Implement Multifactor Authentication (MFA) on all VPN connections and wherever possible
• Routinely test VPN network for limitations of mass usage
• Do not use Public WiFi, even with a VPN
Phishing attempts are quickly increasing due to the work-from-home mandate from many employers. Phishing is the largest source of ransomware, one of the leading cyber threats. According to CFC Underwriting, 80% of all ransomware claims in 2019 were initiated through remote desktop protocol (RDP). Using MFA on all devices employee are using to access their work environment is critically important.
Additionally, alert employees that fraudulent websites and apps are appearing daily claiming to contain covid-19 resources, safety supplies, etc. Alert employees to stay vigilant.
ProTip: TechAssure member Brush Creek Partners’ Emily Short advises employees to simply pick up the phone if something appears suspicious. “We tend to communicate almost exclusively via email and text in today’s business environment but picking up the phone has averted many disasters. The client/vendor will appreciate you taking the extra step to confirm a request.”
Additionally, password management is key. Short says, “Remind employees to use unique passwords for all accounts. Reusing passwords is an extremely common and can put all of your accounts at risk if one gets hacked.” Use a password manager such as Dashlane or LastPass instead.
Additional info from our Industry Partner Chubb
