Are Your Employees Telecommuting Now? COVID-19 and Cybersecurity Concerns for Businesses

Written by Jeremy Mittman and Susan Kohn Ross

A topic of immediate concern to businesses that has not received a great deal of attention (but should) is cybersecurity. There are unscrupulous people out there who will try to take advantage of the situation! This is especially worrisome with the increased usage of telecommuting to facilitate business continuity.

Within the Dept. of Homeland Security sits the Cybersecurity and Infrastructure Security Agency or CISA which is “responsible for protecting the Nation’s critical infrastructure from physical and cyber threats.” CISA, through its National Cyber Awareness System, released Defending Against COVID-19 Cyber Scams, see here for the full text.  In short, beware of emails with malicious attachments and hyperlinks. Also be careful about social media pleas, texts and calls having to do with COVID-19.

The NCAS recommends:

• Avoid clicking on links in unsolicited emails and be wary of email attachments. See Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams for more information.
• Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19.
• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
• Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.
• Review CISA Insights on Risk Management for COVID-19 for more information.

More than anything, this publication serves as a reminder to companies that if you have not recently provided cybersecurity training to your staff, now is a good time to do so. Most employees have never worked from home and are being exposed to a whole new experience. Reminding them about the critical points facing them in order to be successful in performing their jobs in a very different environment is a basic element of a successful telecommuting program. A refresher on confidentiality may also be in order, and often gets lost in discussions about telecommuting.

Be Wary of Scam Emails:

According to a myriad of articles about latest trends in hacking, one focus of the more recent scams is seeking to divert payroll funds by sending emails posing as what appear to be authorized individuals. For example, the HR manager emails an HR employee seeking the W-2 forms for all employees from 2019.  Something else to look out for are spoofed emails, this is where the sender’s address is very similar to that of the real company. For example, the URL for MSK is msk.com.  If the email was instead sent from ms1k.com, how many recipients would notice the difference?  The way to deal with this issue is to carefully check the email address, and also go to the real website rather than answer questions by way of links provided in emails.

 

Cybersecurity Preventive Measures:

With the expansion of telecommuting, companies would also be wise to make sure their bandwidth and that of their employees Internet service providers can handle the increased traffic, but that alone is obviously not enough.  First, make sure that whatever equipment is used to connect to your network, its credentials are not those that came with the equipment, such as admin/admin. Each piece of equipment and software should have its own unique user name and password for each user. Then, are your anti-virus, anti-spam, firewall and other software up to date? Also, do you have an intrusion prevention system? The firewall will block traffic which is not trusted, but that is not enough. The intrusion prevent system is designed to recognize malicious network activity, such as expanded usage by message size or frequency of messages, but also increases in bandwidth usage or odd access IP addresses.

What is your policy about bring your own device to work? Does it include cleaning all USB and external hard drives before they can be connected to the network? How often do you require employees to change passwords? User names? What physical security measures protect your network and equipment?  To repeat a point made earlier – when was the last time you provided cybersecurity training to your staff? Even if connectivity to the office is done by way of a VPN, if the employee connects at a public hotspot, the benefits of the VPN are all too easily defeated!  What are your file-sharing practices? This is also a good time to remind employees if they share their lives on social media, they are setting themselves up for the spread of on-line scams through socially engineered emails intended to hack their accounts and steal their money.  Finally on this topic, when was the last time you had your system’s security checked by a third party?

With the host of other challenges facing the business community right now, cybersecurity policies are at least one area where the company can set and implement its own policies and maintain control over crucial business assets and operations.