Many employees are no longer working under the security of their employers’ protected networks. This reality, coupled with cyberthreats trending upward, makes it a good time for distributors to review IT-related preparedness plans and policies.
One phishing email surfacing in inboxes claims to include an updated list of local coronavirus cases from the Centers for Disease Control (CDC). It looks official, but its domain is cdc-gov.org, while the CDC’s actual domain is cdc.gov. As more distributors quickly pivot to transition their teams to remote work, phishing scams like these are expected to increase in the coming weeks, and could result in numerous data breaches, says Tom Held, founder of risk management and cybersecurity consulting firm Oakland Group Cyber.
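The lookalike-domain check described above, as an added example that is not part of the original article. It assumes the suspicious domain appears in the message's From: header and that the organization keeps its own list of trusted sender domains; `TRUSTED_DOMAINS`, `classify`, `triage` and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: a locally maintained list of domains the organization expects mail from.
TRUSTED_DOMAINS = {"cdc.gov"}

def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of a From: header, or '' if there is none."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def _letters(domain: str) -> str:
    """Drop separators so 'cdc-gov.org' and 'cdc.gov' compare on letters alone."""
    return domain.replace("-", "").replace(".", "")

def classify(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify the sender's domain as 'trusted', 'lookalike' or 'unknown'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    # Trusted: exact match, or a real subdomain (the leading dot enforces a
    # label boundary, so 'notcdc.gov' does not pass as 'cdc.gov').
    if any(domain == good or domain.endswith("." + good) for good in trusted):
        return "trusted"
    # Lookalike: the trusted name's letters appear inside a different domain.
    if any(_letters(good) in _letters(domain) for good in trusted):
        return "lookalike"
    return "unknown"

# Constructed sample headers (not taken from real messages).
SAMPLES = [
    '"CDC Health Alert" <alerts@cdc-gov.org>',
    "Updates <news@emergency.cdc.gov>",
    "alerts@cdc.gov.example.net",
    "info@notcdc.gov",
    "Billing <invoices@example.com>",
]

def triage(headers=SAMPLES) -> dict:
    """Map each header to its classification, for a quarantine or banner rule."""
    return {h: classify(h) for h in headers}

if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:9}  {header}")
```

The substring match is deliberately broad, so short trusted names will produce false positives; route a "lookalike" verdict to a warning banner or review queue rather than silent deletion.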
“The No. 1 phishing email that we’re seeing that has the potential to do a lot of damage, particularly in these times of chaos and confusion, is the bogus invoice,” he says. “People have a lot to manage. They’re working from home, possibly have kids at home, and they’re somewhat frazzled and off their routine. And then, they receive an overdue invoice. The first thing that they’re probably thinking is, ‘OK, I’m going to open it up and pay it so I can get on with what I have to do.’
“With a growing number of employees now working from home, it may be a good time for employers to ramp up their policies for cyber risk management, phish testing, and so forth,” Held adds.
Lately, much of his business has consisted of assisting companies with their business continuity planning, and some are now discovering “theirs may not have been as solid as times such as these require,” he says.
Companies without a remote workplace culture have shifted gears and they’re learning what they don’t know about the IT-related realities of managing a remote workplace.
“What I’m hearing out in the field is that companies are saying they’re going to work from home, and the first day they work from home, they realize their VPN [virtual private network] can’t handle everyone working from home,” Held says. “They thought they were covered because sales had been working remotely but IT had not communicated with the executive level that the system could work with 10 connections but not 25.”
In addition to leadership having a conversation with IT about network limitations and resources that could be used for supporting flexible work, a review of current preparedness planning and policies is a good way to think through some of the potential roadblocks distribution businesses are likely to experience while adapting to change. It also can serve as a starting point for addressing the security vulnerabilities that have emerged as a result of the recent disruption many public and private-sector organizations have had little or no time to prepare for, says Held.
“Even though everyone is busier than ever responding to the crisis, setting aside the time to focus on two areas — preparedness and security — can go a long way toward buffering networks from future security breaches.”
Start with Risk When Setting Policy
“Always start with the risk,” Held says. “Look at the data you have and what’s at risk because that’s what’s going to drive policy and help you prioritize what has to get done.”
Privacy has become a big issue since record numbers of businesses and individuals began using videoconferencing platforms such as Zoom during the pandemic. Zoom, in particular, has faced waves of scrutiny due to issues with security and data privacy. Recently, the platform has been the target of multiple instances of organized harassment, which has led to a rise in what’s now known as Zoombombing, or the practice of hijacking a meeting to post offensive or threatening material.
“Zoom never really sold its platform as being highly secure,” Held says. “It’s a consumer-grade videoconferencing platform, which is why businesses using any consumer-grade product should have a policy that outlines what’s appropriate to discuss on similar platforms.”
Videoconferencing typically does not have security as a feature, Held adds. “All of the issues Zoom is having with Zoombombing should not be attributed to inherent deficiencies,” he says. “Some of the breaches were a result of new users who did not know how to lock a session.”
The second policy Held says that businesses should have during this season of remote work is an acceptable use policy, which covers a list of devices employees are authorized to use during working hours, procedures for proper use and any restrictions. At the very least, employees using a shared device, such as a personal laptop, should have updated virus protection, Held says.
“Also consider where they are storing files,” he adds. “Employees should be discouraged from storing sets of files on personal devices just because it may be more convenient. Instead, it’s safer to store data in cloud spaces from both a security and legal perspective. If a personal device gets hacked by ransomware, all of those documents are gone.”
Another common policy: Employees issued a computer to perform work-related duties can only use authorized encryption-enabled mobile storage devices when transferring data, and are prohibited from using personal mobile storage devices, such as memory sticks, CDs and removable hard drives.
Is Your Network Secure?
Right now, Held is not hearing a lot in the field about security concerns. His clients, none of whom have reported a breach, have been consumed with the resource side of the response to COVID-19, making sure their employees have what they need to be productive in their new environments. But in the coming weeks, he and other cybersecurity experts say this will change because hackers have been relentless in their efforts to profit from the crisis.
In March, the Cybersecurity and Infrastructure Security Agency (CISA) warned businesses to brace for more cyberattacks targeting those working outside of secure office environments and pointed to VPNs as being a potential source for vulnerabilities. While VPNs offer companies more security when telecommuting, there are several ways that cybercriminals can use them to breach networks, according to CISA, which advised organizations to increase their VPN security.
Since VPNs operate 24/7, “organizations are less likely to keep them updated with the latest security updates and patches,” the agency reported. CISA also said that there may be an increase in phishing emails aimed at stealing remote workers’ usernames and passwords, and organizations “that do not use multifactor authentication (MFA) for remote access were more susceptible to phishing attacks.”
To mitigate the risk, CISA advised updating VPNs, “network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations.”
When Held advises clients about how to shield their systems and their data from the threat, he always starts with a visualization of the three states of data: Data at Rest (on a hard drive), Data in Transit (over the network, internet, or in your pocket), and Data in Use (in an application, in a web browser, on your screen, etc.). “The threats have changed because the place where the data is traveling has changed,” Held says. “Now it is traveling into people’s homes, so what are the risks associated with this?
“We want to eliminate Data at Rest in people’s homes, so your people should keep it in the cloud. Data in Transit is moving back and forth. We want to make sure whatever is at risk is protected. Although Data in Use is in their homes, which is a private setting, your employees should be educated on the latest phishing techniques. Be vigilant about communicating the threats as well as the steps that they should be taking to minimize those threats.”
Lastly, consider some of the advice cybersecurity companies are giving their employees about working from home. OneLogin’s security team advises applying the S-T-O-P principle when you receive an unexpected message: Stop, Take a deep breath, an Opportunity to think, Put the email into perspective and report it. Twilio suggests protecting your home network by changing your router’s username and password. Don’t let your kids install anything, according to Satori Cyber. And Veracode recommends treating your computer like it’s still in the office.