By now, we all know that the way business is done has changed forever. Unprecedented numbers of people are working from home for the foreseeable future, some never returning to a typical office space. Our homes have become our offices and people are dealing with everything from childcare to simply trying to find a quiet space to work. In the rush to keep things moving, we’re all adhering to security policies in a way that’s spotty at best.
The boundaries we once had between work and private life are now breaking down. Business is now being done over home ISPs, with mostly unmanaged routers and printers, with home automation systems running in the background. All the while, new cybersecurity threats are surfacing every day. Old attacks are being brought back now that we are more vulnerable, while others are brand new scams that prey on our desire for news and our need to buy basic supplies. Traditional security measures that have been used for years can no longer protect a fully remote staff without some kind of adaptation. That means, as business owners, we need to rethink our approach to security.
It’s important to note that the job of security is not to eliminate all risks, as not all threats are equally dangerous, let alone likely, nor will they all be exploited at once. Discuss risks early and often. The cybersecurity risks you face today won’t be the ones you face next week or even the week after.
To get ahead in this period of adjustment, these are 4 major risks businesses need to address:
1. VPNs are no match for hackers
VPNs (virtual private networks) have become the new lifeline for businesses across the country, extending encrypted networks to people’s homes. However, it’s common for home networks to already be infected with some type of malware or compromised hardware that can be easily exploited by hackers for staging attacks. A compromised machine can allow hackers to “piggyback” through the VPN, especially when behavioral baselining on the backend is in flux. It’s critical to have endpoint integrity checking as well as strong authentication in place once the VPN is in place and active.
The truth is, most applications that are becoming the new critical IT infrastructure, VPNs included, will see new vulnerabilities, and these require real understanding and internalization rather than blind trust. This isn’t a cause for panic; it does, however, mean you should start talking to vendors and begin making plans for patching and failover. Keep in mind that vendors are also going through change and doing triage on their support and escalations, but start the discussions now. Contact your hardware or software provider to ensure all configurations and policies are in order, beginning with the VPN, endpoint, and identity solutions.
2. Endpoint, endpoint, endpoint…then mobile
There are many endpoint challenges, but priority number one is to ensure critical business processes recover. Next, make sure your new enterprise footprint is brought into the mix from a policy and control perspective. Then, and only then, focus on mobile, which is the most prevalent platform in our personal lives. Employees who have to learn new devices or applications will often turn to their phones because they feel more familiar. It’s common for companies to establish policies defining what can and can’t be done with mobile phones, but if you haven’t done so already, now is the time. Hackers will almost always start with identity theft and classic machine exploits, but they’ll think of new ways to target them before moving on to other devices. Get ahead of mobile threats before dealing with other devices.
3. Information is a weapon
Cybercriminals take advantage of human weaknesses. For example, hackers developed a malicious mobile app posing as one developed by the World Health Organization to seem legitimate. The app would then download the Cerberus banking trojan and steal sensitive data. These types of attacks weaponize information because they can easily be done with applications that provide legitimate benefits. Before COVID, attackers had to plan their targeted attacks around diverse interests, but right now the entire world has a shared crisis. But we can defend ourselves with the right awareness and education.
4. Where you are matters
When your employees take their computers home or use their home computer for work, those now sit in a physical and digital space unlike any within a typical office setting. Between routers, printers, mobile devices, and gaming consoles to name a few, the average home now has a more complex and diverse processing system than some small businesses.
Chances are, your employees are taking phone calls and/or Zoom calls within earshot of family members, digital home assistants such as Alexa, Siri, and Google Home, or even employees of other companies. Simple policies are extremely important. Should employees have cameras on or off for online meetings? Should it be mandatory that they wear earphones? Should notes be taken on paper or digital apps? What communications apps are considered acceptable? While these questions may seem trivial, they need to be addressed, and when things aren’t working, remember to adapt.
Although this is not a complete list of the cybersecurity concerns you should address, if you’ve got these under control, you can catalog any risks that remain, sort them by order of importance and deal with them strategically.
Cybersecurity is never “finished” because the opponent is never finished. Use this as the chance to start a new, ongoing cybersecurity dialogue within your business. If you’re still concerned with the strength of your security, Custom Cabling has expert consultants that will come in and strengthen your defense. Give us a call.