Free Resources And Advice For Keeping Remote Workers Secure

Right now, business nirvana means achieving on-premise security levels while workforces are increasingly remote. Regardless of the size of your business, the security perimeter has significantly shifted, requiring IT and security teams to rethink how they are protecting their organizations.

Since the COVID-19 pandemic started, there has been a palpable uptick in business email and with it, Office 365 or Gmail accounts getting hacked through phishing scams, observed Sara H. Jodka, a cyber security and employment attorney at Dickinson Wright, a law firm based in Detroit.

“One particularly effective scam has been when the hacker sends a fraudulent invoice purporting to be from a legitimate worker with changed wiring instructions where the money transferred goes to the hacker’s account,’’ Jodka said. “By the time a company reconciles its accounts receivables and realizes what has happened, the money is gone and there is usually no way to recover it.”

So the company has paid for goods/services they did not receive, and the account is still due because the money was paid to a criminal element, she added.

“For this reason, it is good cyber security hygiene to enable multi-factor authentication on accounts the business controls, train employees on these types of schemes, and require they speak directly to a person before they change any ACH/direct deposit or other information,’’ Jodka advised.

Alexa, Siri -- And Others – Are Listening

Use of teleconferencing apps like Zoom and WebEx have skyrocketed in recent weeks, and so has the “Zoom bombing” phenomenon.

Another issue for remote workers, and their employers, is that employees can unknowingly expose sensitive corporate information via voice assistance systems, smart speakers, and home surveillance systems such as Siri, Google Assistant, Amazon Alexa, Echo, and Ring. All of these consumer systems have grown in popularity in the past few years and they remain vulnerable to many forms of hacking.

“In fact, these systems have a history of security vulnerabilities that have led to eavesdropping and spying,” Jodka said. “Namely, hackers have targeted Ring—a home security company owned by Amazon—by hacking user accounts and gaining access to cameras and microphone hardware embedded within the home security system,” she noted. Recently, hackers were able to access Ring cameras within the home, spy on the homeowners and their family members, and even communicate with them using the microphone feature, Jodka said.

Smart speakers, virtual assistants, and smartphones also pose a significant risk to the unaware teleworker, she said. Researchers and white hackers have exposed vulnerabilities in smart devices such as Alexa Echo, Siri, and Google Assistant, Jodka added.

“Cybercriminals can use nearly silent ultrasound waves to trigger these smart devices to prompt users for their user credentials and passwords as well as force the devices to [execute] malicious commands,’’ Jodka said. “Given the increased number of employees working from home amid the COVID-19 outbreak, hackers will likely continue their attempt to thwart these technologies and systems founds within and throughout the home.”

Practical Tips For Keeping Users Safe

Dickinson Wright offers some tips to keep remote users and their organizations safe:

• Specify in writing what employees can and can’t do in the handling of sensitive information.
• Ask employees to specify which devices they will use for work and provide encryption services with a company certified security software.
• Include warning labels on incoming messages and emails that originate from outside of the corporate infrastructure.
• Advise teleworkers to refrain from using a speakerphone or conducting work-related conversations in the presence of smart speakers or home surveillance (e.g. Alexa Echo, Google Home, Siri, Ring).
• Opt-out of cookies each time when using video-conference apps/functions.

Some other advice from around the web:

-Resend and refresh work from home policies. Maintain awareness of appropriate workforce-approved tools, company policy and any other company-specific considerations.

-Provide updated employee training on phishing scams. This includes contractors and anyone with remote access to the company network and stress the fact that targeted attacks are often tailored around world events.

-As always, don’t click on links from sources you don’t know. Doing so could download a virus onto your computer or device. The best practice is to type in URLs manually or search yourself, rather than to click on a link in an email.

-Watch for emails claiming to be from the Centers for Disease Control and Prevention (CDC) or experts saying they have information about the virus. For the most up-to-date information about COVID-19, visit the CDC and the World Health Organization (WHO) websites.

-Ignore online offers for vaccinations. If you see ads touting prevention, treatment or cure claims for COVID-19, ask yourself: If there’s been a medical breakthrough, would you be hearing about it for the first time through an ad or sales pitch?

-Do your homework when it comes to donations, whether through charities or crowdfunding sites. Don’t let anyone rush you into making a donation. If someone asks for donations in cash, by gift card or by wiring money, don’t do it.

-Be alert to “investment opportunities.” The U.S. Securities and Exchange Commission (SEC) and Federal Trade Commission (FTC) are warning people about online promotions, including on social media, claiming that the products or services of publicly traded companies can prevent, detect or cure COVID-19, and that the stock of these companies will dramatically increase in value as a result of the current pandemic.

-Turn on logging controls; enact role-based access; and consider additional admin controls to reduce the total exposure of internal apps to ends users.

Free Security Resources

The SANS Institute has put out a list of free resources and programs to help your workforce be secure during the COVID-19 pandemic.

Some of a business’ most critical assets are websites, applications and online services, but they are also among the most vulnerable to attack. Successful cybersecurity attacks can cost your company customers, revenue, and reputation. This free ebook from O’Reilly provides an overview of today’s major threat patterns and the strategies and techniques you need to prevent and protect against a host of attacks.