This is a continuation of the COVID-19 expert insights series (part 1 here). Companies need to be vigilant during this time and now, more than ever, implement strict security measures across their organization. Below, we've curated some of our favorite COVID-19 security best practices and warnings from top cybersecurity experts.
Jason Bevis, VP at Awake Security Labs
"Basic password hygiene is critical in remote working situations. Organizations need to ensure that all remote workers are changing default passwords to avoid compromise. This includes IoT devices, such as smart lightbulbs, TVs, thermostats, toasters and anything that’s connected to the home network. In enterprise engagements, Awake has seen devices such as connected exercise bikes leaking information. Most remote workers don’t view these devices as a security risk, but attackers view them as a convenient backdoor into the network.
Additionally, remote workers need to ensure that they’re using services like password wallets to protect home and work passwords. They also need to make sure they’re not reusing passwords across systems, especially if passwords for home systems are the same as the passwords they use to access work resources.
From a more advanced perspective, enforcing basic cyber hygiene is critical to securing remote workforces. Ensuring systems are updated to the latest patch levels and OS versions, removing unused or unwanted programs, and installing the latest security software on home systems can prevent attackers from exploiting insecure home networks as a backdoor into corporate resources. Advanced users may also want to consider segregating their networks to ensure home and work devices are on different logical subnets and looking up vulnerabilities on their specific home equipment online."
Tim Woods, Vice President of Technology Alliances at FireMon
“I am encouraged by how quickly companies and their employees have adapted to a remote work force as we weather the impact of the COVID-19 virus. It’s no doubt that the advances in virtualization, mobile, BYOD, and cloud technologies have helped fuel the ability for employees to seamlessly work remotely. And as we witness the perseverance of a global workforce rallying together, there are others that want to take advantage of a challenging situation. An unfortunate aspect of many societies is the inevitable fact that unscrupulous behavior often ensues with calamity. We’ve seen threat actors create bogus Coronavirus help sites to target victims with scams and/or malware campaigns. We have also seen attempted hacks against WHO and hijacked routers that redirect computer users to malicious content in the form of helpful COVID-19 resources. It is definitely not a time to drop our security guard even though we may be preoccupied with other pressing matters.
The transition to a remote workforce has been smoother for some and more challenging for others depending on geographical dispersion, employee size, and the infrastructure complexity of the organization. Threat actors know this, and I have predicted that we will see a rise in social engineering efforts and exploits that will target distracted IT teams or remote workers that are still adjusting to a new work-from-home life. These threat actors will look for ways to take advantage of confusion and uncertainty related to connecting remote employees to the needed resources for their job. Support personnel may be distracted as they scramble to secure connectivity and could potentially be duped by someone posing as a remote employee. In times like these, I have always stressed the importance of additional education to increase employee awareness. Do not visit any site that has not been vetted by IT security as trusted. The wave of scam and malware sites will only rise and will no doubt offer “too-good-to-be-true” bait tactics. Be incredibly vigilant of anything that doesn’t look, smell, or taste right.”
Gary E. Barnett, CEO of Semafone
"Organizations with call and contact centers are experiencing a huge surge in activity during this time, as the population completely shifts away from conducting transactions in-person due to concerns around COVID-19. At the same time, as more states issue mandatory shelter-in-place orders, organizations are having to quickly shift their contact center workforce to being fully remote, with agents working from home. This drastic workforce shift during a time of increased transactions can leave critical security holes open for hackers looking to capitalize on employees that may not be familiar with security best practices while remote working.
Businesses need to take the time to educate their newly-remote workers and implement standardized data security best practices in a home environment that is always going to be challenging to completely secure. At the same time, they must also ensure that the technologies they’re using to accept payments and purchases – whether conducted over the phone or through digital channels – adhere to stringent data security and privacy regulations including the Payment Card Industry Data Security Standard (PCI DSS). Using secure and compliant payment solutions, businesses can ensure that they are maintaining both strong security and compliance, even while their contact center agents work from home during this unprecedented time."
Guru Pai, CEO of Privafy
"With thousands of individuals moving to remote work in recent weeks, companies need to prioritize security to the applications, devices, and sensitive data employees are accessing to stay productive while at home. However, this shift in work is completely changing traditional approaches to network security.
VPNs are not secure or dynamic enough to protect the large remote workforce. Legacy VPNs have typically been installed for remote access to tie a few employees to a single location. As they become the primary security application for remote workers, VPNs are increasingly being breached and targeted due to vulnerable protocols, heavy manual deployments and lack of patch management. Beyond security, the increased level of workers relying on the technology puts scalability to the test, leaving employees battling decreased quality of service.
Modern security solutions need to support remote workers better and act as an extension of the network, delivering secure point-to-point connections that can scale with a company as they need it. And with the growing propensity and variety of attacks against remote workers, solutions need to solve more than just one problem and offer full-stack security functionality that protects against threats such as phishing, malware and DDoS."