It is no secret that one of the many effects of the COVID-19 pandemic has been an increase in employees working from home (WFH). While companies have seen some unintended benefits of switching to remote work, such as an increase in productivity and a decrease in operating costs, the switch has also introduced a new challenge in cybersecurity.
Cybersecurity is especially crucial for credit unions, banks, and other members of the industry handling sensitive information outside of their normal places of business.
Paul Ducklin is the principal research scientist at Sophos, an international cybersecurity company. His first tip on increasing cybersecurity starts when an employee begins WFH.
“The three key things you want to be able to set up easily and correctly are: encryption, protect, and patching,” Ducklin said.
Encryption protects data on the physical device if it is stolen; protection means good security software; and patching means continuous updates, as many of them automatic as possible, to maintain maximum security.
Mike Wilson, founder and chief technology officer for Enzoic, a cybersecurity company based in Boulder, Colo., said in a recent expert opinion piece that while employees may be well educated on the best security practices in an office, their home practices tend to be more lax. Things like smart TVs, children’s tablets, and other consumer devices can all cause potential security issues when employees are accessing company files from home.
“As such, credit unions should encourage employees to set up a separate Wi-Fi account that can be used solely for business,” Wilson suggested. “In addition, it’s important that they use their VPN to access any file or system when they are not physically working out of a branch.”
Ducklin also recommended having some way employees can easily report security problems, which can hopefully lead to quick solutions.
“Remember that a lot of cyberattacks succeed because cybercriminals try over and over again until one user makes an innocent mistake – so if the first person to see a new threat has somewhere to report it where they know they won’t be judged or criticized (or, worse still, ignored), they’ll end up helping everyone else,” Ducklin said.
Another risk posed during the pandemic is an uptick in phishing attacks.
“Recent research from Next Caller on pandemic-related security concerns found that 44 percent of respondents have noticed an increase in emails from unknown sources, and calls and texts from unknown numbers,” Wilson said.
“This is a common marker of phishing attacks – scams in which hackers pose as companies or trusted individuals offering a legitimate service in an attempt to trick recipients into disclosing sensitive information. Credit unions should encourage employees to check for grammar, punctuation and formatting errors in all communications, as these are often signs that something is amiss.”
Wilson also said it is a good idea to avoid clicking on links in emails and instead to manually type known addresses into a new browser window. If clicking a link is unavoidable, Wilson suggested hovering over it to see the full URL and check for any odd changes to known domain names. This could be something as small as a dash or an extra character. For example, if the official website is xyz.com, but the link shows xy-z.com, it could be a scammer attempting to redirect your employee and could put confidential information or your security in jeopardy.
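As an added illustration of the link check Wilson describes (this is not code from the article or from Enzoic), the Python sketch below compares each link's host in a message against a list of known domains and flags near-misses such as xy-z.com. The domain list, the sample email and the function names are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Assumption: the organization's real domains (xyz.com is the article's example).
KNOWN_DOMAINS = {"xyz.com"}

# Constructed sample message body, not taken from a real email.
SAMPLE_EMAIL = """
<p>Please review your statement:</p>
<a href="https://www.xyz.com/statements">xyz.com</a>
<a href="https://xy-z.com/login">xyz.com</a>
<a href="https://xyzz.com/reset">Reset password</a>
<a href="https://example.org/news">News</a>
"""

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host, known=KNOWN_DOMAINS, max_distance=2):
    """Return 'known', 'lookalike' or 'unknown' for a link's host name."""
    host = host.lower().rstrip(".")
    for domain in known:
        if host == domain or host.endswith("." + domain):
            return "known"
    # Naive registrable domain: the last two labels (ignores suffixes like co.uk).
    candidate = ".".join(host.split(".")[-2:])
    for domain in known:
        if 0 < edit_distance(candidate, domain) <= max_distance:
            return "lookalike"  # e.g. an added dash or an extra character
    return "unknown"

def check_links(html):
    """Classify the host of every href target found in an HTML message body."""
    results = []
    for url in re.findall(r'href="([^"]+)"', html):
        host = urlsplit(url).hostname or ""
        results.append((url, classify_host(host)))
    return results

if __name__ == "__main__":
    for url, verdict in check_links(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}")
```

The check reads the link target rather than the visible link text, which is the same thing hovering over a link reveals.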
Another threat is credentials with easy-to-guess passwords or ones that have been compromised previously. This has been a common way for hackers to gain access to corporate networks and is tricky to protect against.
“[O]ne must-have capability is single sign-on, or SSO, for all corporate services,” Wilson suggested. “This allows a single set of credentials from the corporate directory to be used for access to any service a user may need to legitimately access – for example, a third-party cloud-based accounting system. Among other advantages, SSO allows for the ability to monitor and audit user credentials for compromise in one single location, rather than each user having multiple credentials scattered across a number of different services, each of which could be compromised independently.”
Both Ducklin and Wilson addressed a threat from an unexpected source: within the company itself.
When employees are WFH, they may be tempted to make workarounds that can cause security risks, such as emailing confidential files to their personal account, or storing them on a USB storage device. These types of workarounds usually arise out of convenience. Ducklin said the best way to avoid this is to create flexibility for your employees, meaning installing a system that can be easily yet securely accessed.
Wilson also made a similar suggestion.
“It might make sense to collaborate with IT to add new resources or files to the intranet or launch other digital services that will make it easier for employees to do their jobs remotely,” he said. “Of course, regardless of what an organization introduces to discourage workarounds, it’s important that credit unions still monitor for this activity wherever possible and continually educate employees on the importance of following security best practices.”
Videoconferencing and webcams can also cause potential security breaches. Hackers who gain access to employees’ webcams can eavesdrop on potentially sensitive information shared in meetings, or even see confidential documents sitting on an employee’s desk.
Kaspersky Cybersecurity, based out of Woburn, Mass., suggested a simple sliding webcam cover to protect employees’ privacy and to prevent potential spying on nearby documents.
As for Zoom meetings, the Federal Bureau of Investigation (FBI) issued advice on safely using videoconferencing software. The FBI recommended only engaging in private meetings, either through a password or using a “waiting room” so that guests need to be approved before joining; ensuring the videoconferencing software is up to date; and ensuring the vendor has the correct level of security for your needs.