To date over 265 million people in the U.S. have been ordered to stay home as part of the nation’s coronavirus shutdown. Remote work is the new normal, and it’s creating new and unexpected security risks for many companies. More than one-third of senior technology executives surveyed by CNBC say that cybersecurity risks have increased as a majority of their employees work from home.
As daily work moves from trusted office spaces to our couches, employees can inadvertently expose sensitive company data through insecure WiFi networks or poor password hygiene. And there’s no shortage of opportunists using coronavirus for their phishing scams, hoping the unwary will click through and hand over credentials or other valuable info. The FBI recently warned of an uptick in fraud tied to the coronavirus, particularly by scammers posing as official health agencies.
We’ve rounded up four risks your company should be aware of—and what you can do to guard against them.
1. Unsecured WiFi
While not many people are working out of coffee shops or other public spaces these days, remote workers need to be cognizant of the WiFi networks they connect to. Malicious actors can connect to open WiFi networks, spy on traffic that passes through them, and access confidential information from devices on the network.
And while home networks tend to be more secure, not everyone protects theirs with a password—or at least a strong one. In these scenarios, hackers can connect to unsecured home networks and steal everything they find once they’re there.
Traditionally, users could solve this problem by connecting to virtual private networks (VPNs), which encrypt traffic between computers and far-away networks (e.g., the office network). In fact, one recent study found that VPN usage increased 165 percent between March 11 and March 23.
However, a VPN can’t make a computer itself secure; it can only make the connection between a computer and a network secure. So, if a hacker is able to get into an employee’s computer, they may be able to ride the VPN connection directly inside your organization’s network.
You can overcome this issue by making sure all software, including your VPN software, is up to date, ensuring your employees are using strong passwords for both their VPN accounts and their home networks, and enabling two-factor authentication (2FA) or multi-factor authentication (MFA) if possible (more on that later). Additionally, it's crucial to implement a robust data backup solution, such as NAKIVO, to protect against data loss and potential security breaches.
2. Weak and shared passwords
One of the main reasons data breaches occur is that hackers get access to account credentials. This happens for a number of reasons: people use the same password for every account, they create weak passwords to begin with, they inadvertently hand over their credentials by responding to a phishing or spoofing request, or they don’t update their passwords as regularly as they should. Believe it or not, 61% of people refuse to change their passwords simply because they think they will forget them.
When transitioning to remote work, you need to keep good password hygiene, the practice of creating and protecting very strong passwords, top of mind. Bad actors frequently employ tactics like password spraying, a brute force attack where they try the same commonly used password across many usernames. You don’t want to be the weak link.
Rather than relying on remote workers to create and maintain strong passwords, we suggest using a password manager like Rippling’s RPass, LastPass, or 1Password to automatically generate, store, and fill strong passwords to increase security. Employees won’t have to remember their credentials to access their accounts.
Another important security consideration is how remote employees will access shared company accounts (like your corporate Twitter profile). Are employees sending log-in credentials to each other over unsecured channels like email or Slack? It’s much safer to use a zero-knowledge password manager like RPass, which means employees can securely share login access with their colleagues without revealing the passwords themselves.
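Password spraying, as described above, leaves a recognizable trace in authentication logs: one source failing against many different usernames in a short time, unlike a single employee mistyping their own password. The sketch below is an added example, not part of the original article or any vendor's product; the log format, field names, sample lines, and thresholds are all constructed assumptions, and lines are assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption): "<ISO time> <OK|FAIL> user=<name> ip=<addr>"
LINE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) ip=(\S+)$")

def detect_spray(lines, window=timedelta(minutes=5), min_users=5):
    """Return {ip: sorted usernames} for sources whose failed logins hit
    at least `min_users` distinct accounts inside one sliding window."""
    recent = defaultdict(deque)   # ip -> (time, user) failures still in the window
    flagged = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(2) != "FAIL":
            continue              # skip successes and unparseable lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        user, ip = m.group(3), m.group(4)
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:
            q.popleft()           # drop failures older than the window
        users = {u for _, u in q}
        if len(users) >= min_users:
            flagged[ip] |= users
    return {ip: sorted(users) for ip, users in flagged.items()}

# Constructed sample data using documentation-only IP ranges.
SAMPLE = (
    # One source, six accounts, one failure each within a minute: spraying.
    [f"2020-04-01T09:00:{i * 10:02d}Z FAIL user={u} ip=203.0.113.7"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # One employee mistyping their own password, then succeeding: not spraying.
    + [f"2020-04-01T09:01:{i * 5:02d}Z FAIL user=grace ip=198.51.100.4"
       for i in range(6)]
    + ["2020-04-01T09:02:00Z OK user=grace ip=198.51.100.4"]
    # Five accounts, but one failure per hour: outside the 5-minute window.
    + [f"2020-04-01T{10 + i:02d}:00:00Z FAIL user={u} ip=192.0.2.9"
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
)

if __name__ == "__main__":
    print(detect_spray(SAMPLE))
```

The third source in the sample shows the limit of a short window: a slow, patient spray stays under it, so a longer window or a per-day distinct-username count is worth running alongside.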
3. Lack of access controls
In traditional office environments, admins can check to make sure legitimate logins are coming from the same IP address. Since you can’t do that when everyone is logging in from different locations, strong authentication measures like 2FA (two-factor authentication) and MFA (multi-factor authentication) become more important. In other words, employees should be using something other than just a password to access company systems.
Identity management solutions like Okta, OneLogin, and Rippling help organizations make sure only authorized individuals are accessing their systems—even in remote environments. More granularly, look for software that allows you to specify what kind of access each employee has to each of your company tools and systems. As an administrator, you need a way to monitor login activity, easily reset passwords or change access, and perform account maintenance in one place.
Rippling, for example, supports 2FA out of the box. If you use a service or app that doesn’t support 2FA but has single sign-on (SSO), you can connect it to Rippling and essentially shield that service from malicious actors.
What’s more, employee accounts are automatically disabled when someone leaves your company.
4. Don’t forget about physical security
When employees start working from home, it’s easy to overlook the security of your physical offices that may be empty for weeks at a time. But in this case what’s out of sight should still be top-of-mind.
Consider that a painting by Vincent Van Gogh was stolen this week after thieves simply smashed the front entrance of a Dutch museum that’s been closed since earlier this month. Ask yourself: How difficult would it be for someone to break into your office?
If you haven’t done so already, be sure to check your campuses to ensure no valuables are left behind and any on-prem servers, sensitive documents, and other important IP are accounted for and adequately protected. If you work in a building that usually provides security, ask what their policies are during the shutdown. For instance, is security staff on site 24/7? Are they monitoring video surveillance?
When your team is working remotely, what happens when an employee’s company laptop that’s filled with customer data and confidential info gets stolen?
Every company should be using some kind of mobile device management (MDM) software to protect the crown jewels. If someone’s laptop is lost or stolen, leading MDM solutions like Rippling and Jamf will let you remotely track, lock, and wipe devices while ensuring employee hard drives are encrypted so your data stays safe. Crisis averted.
Prevention is the best medicine
The best time to think about your company’s digital and physical security is before an incident happens. If you’re a business owner or manager who’s new to remote working, we’re here to help.
Learn more about how Rippling can protect against these security risks so you can focus on your business.