Eight million emails. That’s how many malicious messages Box’s email blocker filtered out during the company’s first week of mandatory work from home.
Not all of those emails used COVID-19 to phish for data, but the global pandemic did play a major role in the spike, said Paul Chapman, CIO for the secure content management software company.
Fortunately for Box, the company was prepared for this. While it didn’t anticipate a global pandemic that would shut down all of its offices from San Francisco to New York to London, company leaders did devise a technological business continuity plan in case of emergencies, Chapman said. The company’s cloud platform and infrastructure were also designed to support employees securely working from anywhere and on any device.
“It feels like we’re part of the world’s largest work-from-home experiment because it all happened so fast,” Chapman said.
Not all companies were as prepared.
While crises and disasters often bring out the best in humanity, they also create a feasting ground for bad actors looking to prey on people’s vulnerabilities, said Cynthia Larose, cybersecurity and privacy practice expert at Mintz Levin, a law firm.
It’s an issue exacerbated by the fact that many companies are transitioning to remote work for the first time. For the unprepared, the transition to remote work can mean overwhelmed VPNs, an influx of personal devices accessing data and a scrambled business strategy — all access points for a cybercriminal.
“When employees who are not accustomed to working remotely start using either their home networks or personal computer equipment to access the corporate network and the company hasn’t prepared for this, there’s always a risk to corporate information,” Larose said.
Still, it’s never too late to take steps to build a more secure remote workforce. We spoke with cybersecurity experts at Box, Austin-based financial payment firm AffiniPay, cybersecurity company TruKno and Larose about how to tighten up remote security measures.
Remote Cybersecurity Tips
- Set up multi-factor authentication to deter hackers from accessing company data. While it may be inconvenient in the beginning, adding a second form of authentication can protect the company even if someone’s password is stolen.
- Communicate with employees about the cybersecurity threats they face. Without office firewalls and encryption, preparing employees to spot security threats is even more crucial.
- Train staff on how to identify phishing attacks and run internal tests to provide feedback. Box often tests its employees with internal phishing to scan for weaknesses and reinforce its training.
- Develop a business continuity plan with remote security as a focus. Take time to examine how your systems work, how users are accessing data and where that data is to establish an outline of what cybersecurity resources the company needs to sustain business remotely.
- Practice and reinforce basic cyber hygiene. Basic steps like encouraging employees to use 16-character passwords and password managers, eliminating the reuse of old passwords and using VPNs can go a long way in preventing a hack.
Understanding the Cybersecurity Risks
The first thing Larose tells any company seeking her services is to set up multi-factor authentication.
It’s the cybersecurity equivalent of locking the front door, and, at this point, there’s no excuse not to do it, Larose said. The simple step has taken on added importance during the transition to remote work. That’s because the usual barriers that a company provides in the office, like a firewall, encrypted devices and a secure network, are no longer there.
Without those measures, amid a spike in malicious emails, all it takes for a breach to occur is for an employee to click on a link asking for COVID-19 donations. Once the hacker gains access to a person’s account, they can access customer information, send fraudulent invoices to collect money or commit identity theft, Larose said.
“If somebody is working from home and their computer gets infected, the malware on their computer is logging keystrokes, catching login credentials, doing credential stuffing,” Larose said. “Anything like that is a problem.”
Still, it’s important to understand what the hackers are doing. Emails are skyrocketing as companies communicate updates and send information, creating a helpful camouflage for phishing exploits. Most hackers are using that cover to play on people’s fears with scams, Larose said. In fact, a recent Federal Bureau of Investigation report warned of a rise in scams revolving around fake Centers for Disease Control and Prevention emails, airline refunds, testing kits and counterfeit treatments, among others.
Before clicking on any links, Larose said employees should ask themselves:
- Does the message look right?
- Is the email address spelled correctly?
- Does the request seem unusual?
“I’ve gotten emails from people who were supposedly clients with a PDF attachment, and I take one step and look at it and say, ‘Wait a minute, this person wouldn’t send me this,’” Larose said.
Another way companies are being attacked is through their VPNs, according to Manish Kapoor, founder and CEO of the cybersecurity search platform TruKno. Those attacks usually rely on a software vulnerability or hijacking an admin’s account, he said.
Larose encourages employers to check activity logs for anomalies, but therein lies another challenge: Companies may not have the manpower to do that as they scramble to adjust to a new work experience.
“IT staffs are being pushed to the edge during this because people are working remotely, people have problems and call IT, and IT is trying to extend resources,” Larose said. “They may not have the personnel to watch and look for anomalies and check logs. That’s the least of their issues at the moment, they’re just trying to maintain business continuity.”
Developing a Business Continuity Plan to Handle Abrupt Changes
In talking with other company CEOs and CIOs, Chapman said many businesses were only prepared for a portion of their staff to work remotely — not the entire workforce.
As a result, they often face overburdened VPNs, a scramble to establish communication strategies and a shortage of encrypted laptops and devices. That’s a lot of issues to tackle at once, while staying vigilant for security threats.
“There’s a lot of stressors going on in personal lives right now, and people are more vulnerable to attack than they ever were,” Chapman said. “As companies recognize that they might have some weaknesses in their architecture or server enablers to work from remote, they have to be conscientious of the security and risk aspects if you don’t architecturally think this through.”
To circumvent those challenges, Box had been proactive in establishing a business continuity plan. The “break-in-case-of-emergency” plan details the steps the company will take to maintain secure practices in case an office closes down.
For starters, Box had built its security infrastructure to support a work-from-anywhere ethos, which has made the transition easier, Chapman said. That included encrypted devices and a consolidation of all its content from Zoom meetings to Slack messages to project communication into its own, secure cloud platform.
“As you think about working from home, do people have those same levels of technology?” Chapman said. “We don’t want people to connect with any laptop or device; it needs to meet the same level of trust posture. So we’re making sure people have the right equipment.”
As part of the plan, the company turned on services like the email blocker Proofpoint and the email security tool mxHero to protect against phishing exploits. It also tested its security incident response center for the best strategy to handle incidents remotely.
Meanwhile, the company is sending out official emails to employees at least once a week with important updates regarding work, COVID-19 and phishing attempts. When it heard news that Zoom meetings were being hacked, it encouraged employees to set a nine-digit passcode to secure the channels.
AffiniPay has also developed a similar cybersecurity strategy. As a financial tech company, it already has a stringent security policy in place to meet industry regulations, said VP of Technology James Sparrow. Part of that preparation has required them to ensure every laptop or device an employee uses for work at home is encrypted and includes firewalls, anti-virus and anti-malware programs.
The company also drills in the use of password managers and makes sure employees have adequate Wi-Fi bandwidth at home, and it has expanded its VPN bandwidth.
“We were anticipating that it was likely we were going to shut down the office at some point,” Sparrow said. “So we were asking, ‘Is everyone prepared to deal with that?’ Since we have a lot of sales and support operations, it’s critical for us to be able to continue having that connection with our customers.”
Establishing a continuity plan that takes into account how people are accessing data and what tech they’re using, and that protects the services most at risk, is critical for all companies, Chapman said.
“You can operate a remote or distributed workforce, but, fundamentally, you have to still make sure you’re secure,” Chapman said.
Train Your Team on How to Handle Cybersecurity Attacks
As a financial tech company, AffiniPay is used to being a target for social engineering attacks.
While some of those may be blocked with firewalls, sometimes it’s in the form of a fake customer calling the support center attempting to pressure the employee into giving them money or information they shouldn’t be given. To prepare employees for those threats, AffiniPay trains its employees on how to identify and handle those attacks.
With the move to remote, that training has become even more important as there aren’t colleagues around to warn others of an attack or consult over a questionable call, Sparrow said.
The training teaches employees to be wary of any emails that require a PDF download, because that isn’t the typical way attachments are sent. They also learn to identify spelling mistakes in domain names and uncharacteristic demands. Those exercises give employees the skills and protocol to de-escalate scam phone calls and handle email threats, Sparrow said.
In addition to training, sending internal phishing emails as an exercise is another effective method to spot vulnerabilities and teach employees how to handle those threats, Larose added.
“The more you do it internally and give feedback to people who click on what they shouldn’t ... people do respond and the improvement is marked,” Larose said.
Step Back, Analyze Your Services, Then Get to Work
One of the biggest challenges with cybersecurity is not knowing where to start. It can be overwhelming to research security threats and figure out what to do to prevent them from happening during a crisis.
Sparrow recommends that company leaders take a step back and survey what issues are most critical. Taking a moment to understand how their systems work, where assets are stored and how employees are accessing them can help them determine what security measures they need.
“You have to start somewhere. It sucks to start that in a crisis, but having those plans and understanding your system so that when things happen, you can react confidently, is huge,” Sparrow said. “Hopefully you’ve already done that, but if you haven’t, start.”
While companies everywhere are practicing social distancing, Larose implores businesses to add cyber hygiene to the list too. Wash your hands of simple passwords and deploy 16-character-long ones, scrub out malicious emails with multi-factor authentication and inspect activity logs for anomalies.
“It’s not too late,” Larose said. “It will be triage at this point, but triage is better than nothing at all.”