Working from home: reducing your cybersecurity risks
The speed and scale of the coronavirus outbreak have forced organisations to react quickly. If your business was one of the many to substantially change its operations in March, and homeworking was made the norm for your staff at short notice, you may not have had time to consider the increased cybersecurity risk.
Cyberattacks, and their financial consequences, are an unwelcome side effect of the COVID-19 pandemic. According to the National Fraud Intelligence Bureau, coronavirus scams cost UK victims over £800,000 in February alone. Cloudflare has observed a six-fold increase in online threats in March, while Barracuda Networks reported the same rise in phishing attempts during the same period. Phishing can include extortion attacks, compromised business email and impersonation scams frequently targeting directors and financial staff.
Amid circumstances so appealing to cybercriminals, how can your business reduce its exposure? Cybersecurity experts Phishing Forensics have put together 11 top tips for securing your business and your homeworking employees against cyberattacks.
- Set strong passwords for user accounts. We recommend this secure password generator.
- Activate multifactor authentication (MFA) whenever possible, to protect against unauthorised access to your accounts. The National Cyber Security Centre regards MFA as a requirement for effective cybersecurity, as per its advice here.
- Change the default password on your home wi-fi router, so that your home network isn’t an easy target for hackers. To learn how to do this on any home router, enter this search term: how to change the default password for [add your router name and model, e.g. Virgin Media Hub 3.0]
- Encrypt all the traffic to and from your devices. A secure VPN (virtual private network) service sends your internet traffic through an encrypted VPN tunnel so your passwords and confidential data stay safe, which is especially important over public or untrusted internet connections. A good example is ProtonVPN: it has a free service subsidised by its paid service, can be used across all your devices and is good enough for most small businesses and individuals.
- Keep all software updated. Cybercriminals make it their business to share and exploit security vulnerabilities in software. To block these, software providers generate updates and patches which you should install as soon as you’re notified about them. Do not update from links in pop-up notifications or emails: these can be faked and lead to malicious copycat websites that expose you to hacking and data theft. Update only from the software provider’s official site, usually from within your account.
- Provide training and advice for staff. For staff who are new to working from home, and finding this a stressful time, company security policies may not be foremost in their minds. Make sure they know how to protect company data and devices in their homes and are clear about how to report problems, including IT issues with devices your staff are using (whether the company’s or their own). Making a complete set of policy documents and guides available on your intranet can provide help and reassurance.
- Limit access to company systems and data, allowing access only on a ‘need to use’ basis. It may not be possible to monitor data on staff’s home-based devices, thus increasing the cybersecurity risk. Ensure wherever possible that data is encrypted on those devices.
- Sticks and cards may break your guards. Sharing of memory sticks and data cards can be hard to track, threatening data security and your business’s GDPR compliance. Provide your staff with preferred alternatives for transferring files, such as encrypted cloud storage: they can be given their own logins with MFA. Here’s TechRadar’s April 2020 review of the best cloud storage providers.
- Don’t get caught by phishing. Using COVID-19 as an imperative, cybercriminals are trying to panic people into acting in haste and giving away usernames and passwords. Watch out for these tactics in any unexpected emails, text messages and phone calls.
- Be alert to fraud and other scams. Smart and motivated cybercriminals rely on psychological tricks, ignorance and inattentiveness to defraud people of money and assets. Our best defences are vigilance and knowledge. Phishing Forensics has a selection of short cybersecurity awareness courses available online: you can find details here.
- Be ready for the return to office practices. Where staff have been using their own devices for work, company data and system access could remain on that equipment indefinitely. Ahead of the eventual return to normal office life, have a procedure ready which will ensure all passwords on company systems are changed. Also protect your data by ensuring it is removed from those staff devices.
Cybersecurity is just one of the many challenges facing businesses at the moment. For help meeting these challenges, our coronavirus hub has a range of information and guidance, from tax considerations to HR guidance.
Along with your systems, we hope that you, your staff and their families stay as safe as possible through this challenging period.
With thanks to Garrick Hedges, Managing Director at Phishing Forensics.