Amid COVID-19, your organization has likely moved, or increased, communication and file sharing onto virtual collaboration platforms. While the pivot is invaluable and essential during these times, security threats will increase dramatically.
With unprecedented digital working, organizations need new methods of securing their virtual environments.
The following 4 steps are designed for you to review with your IT support and leadership teams to ensure your company is protected while your team is working from home. This guide was compiled based on an interview with Charles Henson, managing partner of Nashville Computer.
Petra is hosting an IT security panel Friday March 27th. It’s free to attend.
STEP 1: THE BASICS
Here are the three things you need to implement right away to cover the most basic steps in protecting your company’s data and information now that more of your workforce is operating outside your office:
- Protect Every Device – Ensure the following are installed on every computer:
  - Antivirus Software
  - DNS Filtering
  - Anti-malware Software
- Protect Your Network – Never allow a computer to be connected to your network without having a full security solution implemented on the device. This applies to working remotely via VPN, just like it would if we were working in the office.
- Windows 10 Firewall – Having Windows 10 Firewall enabled prevents other devices on your home Wi-Fi from cross-infecting your computer. If you want to check this yourself, simply right-click the Start Menu and choose Control Panel -> Windows Firewall; it will show On or Off. Make sure it’s On.
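
For IT support teams who would rather script the Step 1 checks than click through Control Panel on every machine, the following PowerShell sketch audits one Windows 10 computer. It is an added example, not part of the original guide; `$ApprovedDns` is a hypothetical placeholder list, and the script assumes DNS filtering is enforced through the resolver addresses configured on the device.

```powershell
# Added example: audit the Step 1 basics on one Windows 10 computer.
# Assumption: DNS filtering is enforced through the resolver addresses set on
# the machine. $ApprovedDns is a hypothetical placeholder list (documentation
# range 192.0.2.0/24); replace it with your filtering provider's resolvers.
$ApprovedDns = @('192.0.2.53', '192.0.2.54')
$findings = @()

# Firewall: the Domain, Private and Public profiles should all be enabled.
foreach ($fwProfile in Get-NetFirewallProfile) {
    if ([string]$fwProfile.Enabled -ne 'True') {
        $findings += "Firewall profile '$($fwProfile.Name)' is Off"
    }
}

# Antivirus / anti-malware: Windows Security Center lists registered products.
$av = @(Get-CimInstance -Namespace 'root/SecurityCenter2' `
        -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
if ($av.Count -eq 0) {
    $findings += 'No antivirus product is registered with Windows Security Center'
}

# DNS filtering: every IPv4 resolver in use should be on the approved list.
foreach ($iface in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($server in $iface.ServerAddresses) {
        if ($server -notin $ApprovedDns) {
            $findings += "Interface '$($iface.InterfaceAlias)' uses unapproved DNS server $server"
        }
    }
}

# Report: one FAIL line per problem, or a single PASS line.
if ($findings.Count -eq 0) {
    Write-Output 'PASS: firewall, antivirus and DNS filtering checks passed'
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
}
```

If your DNS filtering product works through an installed agent rather than resolver settings, replace the third check with a check that the agent's service is running.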
STEP 2: TRAINING
In this time of high emotion due to unprecedented uncertainty it is critical that your team is well trained in what not to do. Here are 4 simple things to train your team members on to ensure they prevent potential security issues:
- Educate Employees To Spot Phishing Attempts – During the 2019 CIA and FBI Security Roadshow they stated 90% of cases could have been prevented if the individual had been trained. Phishing emails are hard to spot and scammers love to prey on emotion. Ensure all team members are trained to verify the accuracy of the sending email address, never to click on links in emails from questionable sources, and to call the sender before completing any critical actions, such as performing a wire transfer.
- Use Caution When Clicking On Links – Never click on a link in an email or attachment where you are not 100% confident in both the sender and security of the link. Contact your IT Department / Provider immediately if you click on a link and nothing happens or if the destination of the link prompts you to enter a username and/or password.
- Don’t Let Your Family/Friends Use Your Work Computer – With so many of us working from home, it’s more tempting than ever to allow other people to quickly hop on our work laptop to watch a quick YouTube video or perform a quick Google search. Make sure your work computer is only used for work.
- Don’t Save Documents On Non-Company Computers – It is tempting to use personal computers to complete a quick task now that we’re working from home. Make sure that team members resist this urge, as you can’t afford to have critical company data left on a non-work computer.
STEP 3: SYSTEMS
Now that you’ve got the basics covered and your team is trained, it’s time to ensure you have the right systems in place to both support your team and keep your information secure. Work with your IT support team to ensure you’ve got these critical systems in place:
- Use A VPN – When working remotely, devices are not protected by the security devices within your office, such as firewalls, unless they are connected through a VPN. Team members need to understand the dangers of using public Wi-Fi without a VPN – hackers can steal any information that is shared while using public Wi-Fi, including usernames and passwords.
- Use A Password Manager – Using a password manager, such as LastPass, can allow you to ensure every password for every login is unique. Also, a paid version of a password manager allows you to share passwords securely with others that are working remotely. NEVER send passwords via email or text.
- Monitor Passwords On The Dark Web – With the current threat landscape, it is imperative to engage a 3rd party service to monitor the Dark Web for compromised passwords. In the event one of your passwords is listed, immediately change the password anywhere that a variation of that password is used.
- Use Existing Shared Storage – If you use Office 365 or G Suite for your company email, make sure you are using OneDrive or Google Drive to store and share company data if they are included in your current subscriptions. Look at resources you already have instead of other services like Dropbox or Box.
- Don’t Use Free/Personal Cloud Sharing Applications Like Dropbox, Box, etc. – Common file sharing applications like Dropbox, Box, and others allow you and your team members to store company data on any device you log in to. While convenient in the short term, this creates a significant security risk, as critical company data can find its way onto devices that your IT Team can’t protect or keep confidential.
- Two Factor Authentication – Two Factor Authentication (2FA) requires a second piece of information, in addition to a password, to gain access to a service, website, or application. Wherever available, configure the use of 2FA on services such as email, websites such as banking, and applications like CRM.
STEP 4: TRACKING
The final step to take in protecting your business is one that involves documentation. Here are two steps that will save you a tremendous amount of time over the next few weeks as you work through this crisis:
- Ensure HR Documents All Company Equipment People Take Home – Make sure that your HR Department is tracking all of the physical assets that team members are taking home (laptops, monitors, phones, etc.).
- Track Who Has Access To Critical Web Sites – Make a list of who has logins for payroll, bank accounts, travel sites, social media and others. In the event that team members are laid off, it’s important to revoke access to critical sites before they’re let go.
- List Approved Systems – Publish and maintain a list of approved software and services for team members working out of the office. In addition to what is approved, include steps on how to install and use new systems like Zoom for Video Conferencing, OneDrive for shared storage, or Google Authenticator for 2FA.
We will cover this information and more on Friday’s IT Expert Town Hall.