The Department of Homeland Security, via the National Cyber Awareness System (NCAS), recently released a report on the extent to which malicious actors are turning concern over the COVID-19 virus into opportunities to steal user data. The report details four classifications of attack that are most commonly seen and that a security champion should guard against:
- Malware distribution
- Registering COVID-related web sites
- Targeted attacks against newly deployed remote access machines
Businesses are doing everything they can to keep the walls shored up and the doors shut against digital threats, but much of what can be done lies in the hands of the employees. Access routes to company systems are what hackers are looking to co-opt, so every organization needs a security champion. Below are some tips that will help someone carry the banner of digital security for their company.
1. Verify the integrity of the security software
Windows Defender is not always enough, and unfortunately gone are the days when Apple devices were safe from digital threats. Forbes reported earlier this year that “Mac threats outpace Microsoft Windows by 2 to 1.” Check with the IT department to learn the current security policy, and then take ownership of it by keeping both the computer and this software up to date.
2. Reboot computers often
Most software installs and updates require a reboot so that they can replace system files that are locked while in active use. Downloading a security update for a device or anti-virus software does not give the user the new protections until this reboot is complete.
3. Lock down the workstation
Email, file shares and communication platforms are things people can’t do their jobs without, but they are also the avenues through which hackers can step in and impersonate someone. A champion of security cannot allow themselves to be used as the route by which their coworkers’ data is phished or compromised.
Protecting a device includes configuring screen saver timers, making sure a work computer requires a password on wake and taking regular stock of the space around the computer when someone is not actively accessing company resources.
A lot of people are working from home for the first time, as their roles did not require it until this year. Even allowing family or friends to view or access information on a work computer could be a breach of contract or NDA, depending on the work environment and the nature of the work.
In the words of J.R.R. Tolkien, “Keep it Secret. Keep it Safe.”
4. Two-Factor/Multi-Factor Authentication
Passwords are easier to crack than ever before, and with each advance in technology they become harder to keep secret. Because of this, people should aim for a password of at least 13 characters, mixing symbols and letters that do not form dictionary words. Change the password of all work accounts on the schedule set by the IT department, and if allowed, use a password manager to minimize the number of passwords that need to be memorized.
Other factors can be added to protect accounts, usually: something someone knows, something someone has, or something someone is. Multi-factor authentication (MFA) is the combination of these factors, so that the user must provide more than a work email address and password to access company resources.
The most common of these is a text or app-based code that is sent directly to the user and expires soon after creation. This way, an actor would need both the account credentials and the phone to impersonate an employee. Speak to the IT department to learn which internal resources are eligible for MFA protection.
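To show concretely why an app-based code "expires soon after creation" and why a stolen code does not help an attacker for long, here is an added example (not code from the original article) of the time-based one-time password scheme (RFC 6238 TOTP, built on RFC 4226 HOTP) that authenticator apps use. The secret below is the RFC reference secret used only for illustration; a real deployment generates a random per-user secret, and the verifier class, the window size and the replay guard are design choices of this example, not a statement about any particular vendor's product.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example secret: the ASCII reference secret from RFC 4226/6238.
# A real system generates a random secret per user and shares it once, typically
# as a base32 string embedded in a provisioning QR code.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes at an offset taken from the last nibble."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: float, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step, so the
    same secret yields a new code every `step` seconds (30 s by default)."""
    return hotp(secret, int(timestamp // step), digits)


def secret_to_base32(secret: bytes) -> str:
    """The form in which the shared secret is usually shown to the phone app."""
    return base64.b32encode(secret).decode("ascii")


class TotpVerifier:
    """Server-side check. Accepts the code for the current step and +/- `window`
    steps to tolerate clock skew, compares in constant time, and remembers the
    highest step already accepted so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, window: int = 1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.window = window
        self.last_counter = -1  # hypothetical per-user state; a real server persists this

    def check(self, code: str, timestamp: float) -> bool:
        current = int(timestamp // self.step)
        for offset in range(-self.window, self.window + 1):
            counter = current + offset
            if counter <= self.last_counter:
                continue  # already used: reject replay inside the window
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    """Walk through one login: the phone computes a code, the server accepts it
    once, rejects the same code a second time, and rejects it after expiry."""
    verifier = TotpVerifier(SAMPLE_SECRET)
    code = totp(SAMPLE_SECRET, 59)          # phone at t=59 s, step 1
    return {
        "code": code,
        "first_use": verifier.check(code, 59),      # fresh code: accepted
        "replay": verifier.check(code, 61),         # same code, same step: refused
        "expired": verifier.check(code, 149),       # 3 steps later, outside window: refused
    }


if __name__ == "__main__":
    print("shared secret (base32):", secret_to_base32(SAMPLE_SECRET))
    print(demo())
```

The `window` of one step either side is the usual compromise between phone clock drift and exposure time; the replay guard matters because an attacker who phishes a code still has up to about 90 seconds to use it, and without the guard a code that was already consumed by the victim's own login would still be accepted.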
5. Eyes up, security champion
If an email looks off, it probably is.
Phishing works best when someone passively follows the instructions in the fraudulent request. Red flags should go up if someone sees broken image links, calls to action regarding financial information or password resets, or any generic request to click a link in an email.
Even if the sender claims to represent an account or service that someone uses frequently, people should still be cautious. It is safer to search for the website or service directly and log in with the account credentials there.
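The red flags listed above can be turned into a simple screening check. The following is an added example, not code from the original article: it parses a raw email, pulls out the links and images from the HTML body, and reports each of the warning signs named in the text (links pointing away from the claimed sender's domain, a mismatched Reply-To, broken image links, financial or password-reset wording, urgency, and generic "click here" requests). Both sample messages are constructed for the example, the `.example` domains are placeholders, and the `registered_domain` helper is a deliberate simplification that a production tool would replace with a public-suffix-list lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a sender that claims to be the payroll provider, but whose
# links and reply path lead elsewhere. Not a real message or a real domain.
SAMPLE_PHISH = """\
From: "Payroll Portal Support" <support@payroll-portal.example>
Reply-To: helpdesk@mail-relay.example.net
Subject: URGENT: Password reset required for direct deposit
Content-Type: text/html

<html><body>
<img src="https://cdn.payroll-portal.example/logo.png">
<p>Your direct deposit has been suspended. Click below within 24 hours to reset your password.</p>
<a href="http://payroll-portal.example.verify-login.example.net/reset">Reset password now</a>
<img src="">
</body></html>
"""

# Constructed benign sample: internal mail whose link stays on the sender's domain.
SAMPLE_BENIGN = """\
From: "Alice Example" <alice@corp.example>
Subject: Minutes from Tuesday's meeting
Content-Type: text/html

<html><body><p>Minutes are on the intranet:
<a href="https://intranet.corp.example/minutes/2020-04">meeting minutes</a></p></body></html>
"""

# Wording that matches the red flags in the article; extend as your own mail shows.
FINANCIAL_OR_CREDENTIAL = re.compile(
    r"\b(password reset|reset your password|direct deposit|wire transfer|invoice|"
    r"bank account|verify your account)\b", re.IGNORECASE)
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended)\b", re.IGNORECASE)
GENERIC_CLICK = re.compile(r"\bclick (here|below|the link)\b", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collects anchor targets, image sources and visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.img_srcs, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.hrefs.append(attrs.get("href") or "")
        elif tag == "img":
            self.img_srcs.append(attrs.get("src") or "")

    def handle_data(self, data):
        self.text.append(data)


def registered_domain(host: str) -> str:
    """Simplified: keep the last two labels. Multi-part suffixes such as
    'co.uk' break this shortcut; real code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_signals(raw_message: str) -> list:
    """Return a list of human-readable warning signs found in one raw email."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registered_domain(from_addr.rpartition("@")[2])
    signals = []

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and registered_domain(reply_addr.rpartition("@")[2]) != from_domain:
        signals.append("reply-to domain differs from sender domain")

    collector = LinkCollector()
    collector.feed(msg.get_payload())

    # "Claims to represent a service" but the link goes somewhere else entirely.
    for href in collector.hrefs:
        host = urlparse(href).hostname or ""
        if host and registered_domain(host) != from_domain:
            signals.append(f"link host {host} does not belong to sender domain {from_domain}")
    # Empty or non-URL image sources render as broken images in the mail client.
    if any(not src.startswith(("http://", "https://")) for src in collector.img_srcs):
        signals.append("broken or empty image link")

    text = " ".join([msg.get("Subject", "")] + collector.text)
    if FINANCIAL_OR_CREDENTIAL.search(text):
        signals.append("asks about financial information or a password reset")
    if URGENCY.search(text):
        signals.append("urgency or account-suspension pressure")
    if GENERIC_CLICK.search(text):
        signals.append("generic request to click a link")
    return signals


def is_suspicious(raw_message: str, threshold: int = 2) -> bool:
    """Two or more independent signals is a reasonable bar for 'looks off'."""
    return len(phishing_signals(raw_message)) >= threshold


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, is_suspicious(sample), phishing_signals(sample))
```

The domain check is the one that catches the lookalike trick in the sample: the hostname starts with the real provider's name but is registered under an unrelated domain, which is exactly why the article recommends navigating to the service directly instead of following the link.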