Cyber Resilience

Cyber Pros Offer Tips to Protect Your #WFH Teams, Your Data & Brand

04 November 2020 | Sally Nursten


Remote working has become an important part of the new normal for most of us. For many businesses, the focus has been on ensuring teams can continue to perform their key tasks, rather than ensuring everyone works securely online.

This is despite a single ransomware attack forcing Travelex into administration, and other malware attacks crippling businesses, government organisations, colleges and healthcare services while they focused on operations.

As further lockdowns loom, the possibility of returning to 100% office-based work retreats further into the distance. It's time to accept that remote working may be a permanent part of how we work, and that means taking security as seriously as we take critical operational systems.

Here are some pearls of wisdom to help your teams stay safe online, protecting your brand as they continue to drive your business forward from home.


1. Use a password manager and two-factor authentication (2FA)

Scott Nursten, CEO, ITHQ

Identity and Access Management (IAM) that includes MFA and Single Sign-On should be top of your list if your teams are working from home. The latest platforms such as JumpCloud are so easy to implement and use and they cause absolutely no IT friction.

Cloud-based IAM allows you control of all access to your critical systems, apps, files and networks. It means your teams access everything they need to with one login so they only have to remember one password. If you need to onboard and offboard people quickly, securely and flexibly, something like JumpCloud makes it a breeze.

It's probably a good idea to do a full password and credential audit as well, to make sure none of your data has already made it onto the dark web.

Wendy Nather, Head of Advisory CISOs, Duo Security

If you don’t already use a password manager, start using one now. If you can’t bring yourself to work with one, IT’S OKAY TO WRITE DOWN YOUR PASSWORDS. Just keep them on a piece of paper in your wallet, or keep them in a drawer at home. Really. The chances of someone breaking into your house these days to steal your passwords is infinitesimal.

Also, it’s always a good idea to make sure you have a trusted person in your life who knows how to access your passwords in case something happens to you, even temporarily. Who’s going to pay your bills while you’re in the hospital? A password manager can also help you with securely sharing passwords with the trusted person you designate.


2. Safeguard against social engineering attacks ...

Chris Hadnagy, CEO, Social-Engineer, LLC and Innocent Lives Foundation

This year, we have seen an unprecedented level of social engineering attacks involving phishing, vishing and SMiShing. Although there is nothing you can do to be 100% hacker-proof (and don’t believe anyone who tells you that you can) there are two things you can do to make yourself NOT the low-hanging fruit:

  1. Use a password manager. These can help you remember and manage the hundreds of passwords you have. Just use a sentence or song lyric as your password and let the manager do the rest.
  2. Use 2FA on EVERYTHING. Try to steer away from email or SMS, but use Google Authenticator or DUO or another app to get your codes.

These two things can help you avoid many pitfalls. Now might also be a good time to train your employees about phishing attacks by running a simulated phishing campaign targeting them.


... and ransomware

Andrea Efstathiou, Head of Services, ITHQ

I would add next generation endpoint protection (NGEP) to this, as a safeguard in case malware does make it onto your systems.

As Chris says, no amount of staff training is going to make your team 100% hacker-proof. But with good endpoint protection, you can stop all types of malware in its tracks and roll back to pre-infection status in minutes.

Ultimately, all our critical data is now stored on endpoints and in the cloud. Even the best firewalls can't deflect malware that has been introduced to your networks by one of your team via an email click. And a signature-based antivirus tool is no match for polymorphous code.

Unfortunately, ransomware attacks are on the rise, with Ransomware-as-a-Service (RaaS) easier than ever for wannabe cybercriminals to access on the dark web. Any business that doesn't protect itself well enough is a target.

3. Update your apps and devices

Jen Ellis, Vice President of Community and Public Affairs, Rapid7

You know those super annoying reminders to update your software on your laptop, PC, tablet, phone, or just about anything else? Yeah, turns out they are not just annoyingly distracting, they are also annoyingly important.

I know the disruption of updating is a frustrating faff, but often the whole reason for the update is to address some security bug in the technology you are using. If you don’t suck up the temporary loss of availability, you could end up facing a much longer one, as these bugs provide attackers with the opportunity to potentially compromise your tech.

The longer it takes you to run the update, the greater the chance there is of an attacker exploiting the bug. You don’t necessarily have to drop everything immediately to run it, but it is sensible to do so in the next available window where your device will not be in direct use, say for example while you’re eating or sleeping.

Where possible, it’s also sensible to set your apps and gadgets to “auto update,” meaning they will update themselves as soon as is convenient and necessary, taking the burden off you.


4. Take your IoT security seriously

Deral Heiland, Principal Security Researcher IoT, Rapid7

Please take into consideration your privacy and safety when you’re planning to purchase any new IoT automation technology, such as cameras, smart doorbells, home security systems, kitchen appliances or even toys for the children.

You should put the same effort and thought into the purchase as you would when purchasing a car or even a child safety seat. Throughout your research, ask questions about product security, look at product reviews, engage the vendor, and even take the time to review the product user manual.

This document is typically available online and often reveals a lot about a product. The key is to determine whether product security is a priority to the vendor. If not, you may want to go somewhere else.


5. Protect your phone number

Fahmida Rashid, Senior Managing Editor, Decipher

The No. 1 piece of advice I offer is to protect your mobile phone number. We don't realize just how much of our identity is tied up with our phone number.

Make sure your account with your mobile carrier is protected with a strong and long password and two-factor authentication, if offered. More importantly, add a PIN to your SIM card and ask the carrier to put extra security on your account.

Make it very, very hard for someone to call and get your number assigned to a different SIM card. Once the number is swapped to a different SIM card, you will lose control of a significant portion of your life.

You can't make it impossible to be compromised, so a large part of personal security is making it hard to do so.


6. Make a disaster recovery plan

Tod Beardsley, Director of Research, Rapid7

You can't possibly be good at anything with no practice, which I suspect is why a lot of people feel like they're "not good with computers." So, fix that by figuring out your disaster recovery plan when your main device gets accidentally dropped through a sewer grate.

The easiest way to simulate this is to hide your phone under your pillow and then ask yourself, "How do I recover my vacation photos, my contacts list, and get at my 2FA-protected email to reset my passwords?" If you answer yourself with, "I don't," it's probably time to figure out your backup plan.

"Two is one and one is none" is a hoary bit of military jargon that's useful in pretty much every situation, especially when it comes to backup plans for phones. Having a tested disaster recovery plan can be the difference between calmly restoring your personal data to a new device and having to learn how to transfer bitcoin to a Belarusian mobster in the next 48 hours.

*Thanks to our partners, Rapid7, for allowing us to reproduce some of this content, which originally appeared on their blog.

Got different concerns? Get some free advice today.
