iV4's CTO Michael Montagliano shares his cybersecurity predictions and advice for businesses in the wake of the global coronavirus pandemic.
By: Michael Montagliano, iV4 Chief Technology Officer
As organizations address the scourge of the COVID-19 global pandemic and attempt to mitigate the spread of the coronavirus by moving workforces to a completely remote model, another blight has appeared on the cyber-security landscape. Cybercriminals and rogue nation-states are taking advantage of an expanded attack surface to perpetrate new attacks tied to health care and financial efforts.
Cyber attackers are mimicking communications from health organizations (WHO, HHS, CDC), government agencies (SSA, IRS, Medicare) and financial institutions (banks, credit unions). Hackers are using phishing (email) and vishing (phone) campaigns to create fear, uncertainty and doubt (FUD) in an attempt to gain access to systems and sensitive data.
Organizations and their workers will need to devise a carefully considered approach to address security challenges proactively as we enter uncharted territory during this extraordinary event.
Phishing Attacks
Since January, there have been numerous malicious email campaigns tied to COVID-19. Most recently, campaigns associated with stimulus checks from the US government have been on the rise. To be clear: receiving a stimulus check does not require any signup. Any American who qualifies will automatically receive the funds. If you receive a call or email asking for personal data, banking information or money, STOP. It's a scam!
Legitimate organizations will never request sensitive information through email or over the phone.
Watch! Live interview with iV4's Security Team Lead on Fox Rochester, 'Preventing cyber hacks during social distancing'
'The Treasury Department advises on its website: "If you receive calls, emails or other communications claiming to be from the Treasury Department and offering COVID-19 related grants or stimulus payments in exchange for personal financial information, or an advance fee, or charge of any kind, including the purchase of gift cards, please do not respond."
iV4 recommends delivery of supplemental security awareness training specific to protection against phishing campaigns, and general home security best practices are a priority while we are under an extreme remote worker situation.
The suggestions below are some considerations for companies and remote workers alike:
Businesses Beware
As organizations recommend employees work remotely, there is increased use of mobile devices and remote access to core business systems. Proactive measures may enhance user experiences and security for remote access. Unprotected devices could lead to the loss of data, privacy breaches and systems held for ransom.
That said, here’s a checklist for businesses to consider:
- Enable a consistent layer of multi-factor authentication (MFA) or deploy a step-up authentication procedure depending on the severity of access requests.
- Make sure your VPN configurations, policies and software/hardware are correctly configured and patched.
- Create a clear BYOD policy for access to corporate assets, which includes antivirus, patching, handling of sensitive information, etc.
- Ensure identity and access management fully processes secure third-party access to company networks.
- Have a comprehensive view of privileged identities within their IT environments, including a procedure to detect, prevent or remove compromised accounts.
- Remind employees of the types of information they need to safeguard.
- Sensitive information, such as certain types of personal data that is stored on or sent to or from remote devices, should be encrypted in transit and at rest on the device and removable media used by the device (e.g., personnel records, medical records, financial records).
- Limit employee access to protected information to the minimum scope and duration needed to perform their duties.
All Employees Have a Role
Not everyone is an “essential” employee, but it is essential that each and every employee plays a part in protecting their organization’s data, privacy and infrastructure. These tips can provide guidance and recommendations, beginning immediately, for all remote workers.
- Do not share work computers and other devices. When employees bring work devices home, those devices should not be shared with or used by anyone else in the home to reduce the risk of unauthorized or inadvertent access to protected company information.
- Maintain security software on home devices and ensure all versions are up to date with all necessary patches.
- Turn off "remember password" functions when employees are logging into company information systems and applications from their devices.
- Limit browsing activity on the workstation you use to access company resources to reduce the risk of drive-by attacks and malware downloads.
- Hackers are breaching unsecured internet-connected home devices and inserting monitoring tools to capture credentials and information. Log into your Wi-Fi router's management software to ensure it's running the latest firmware, which can update security flaws. A change the administrative password from the default setting to a strong password.
Like each of you reading this, iV4 is working around the clock for our teams, customers and community. We don’t have a “typical work week” these days. If you have concerns about your company’s data and infrastructure, you’re not alone. As business owners and leaders, we also have to worry about the risks to — and health of — our operations during unprecedented times, in addition to the health and safety of our families, loved ones, employees and neighbors. What’s important is that you protect today by taking these important steps and consideration, and plan ahead and pivot when needed. Because ready or not, this isn’t close to being over.
As Chief Technology Officer at iV4, Michael leads the technology strategy and execution for the firm he joined nearly 10 years ago. He is also a “Certified Ethical Hacker.” Michael’s love for music inspires him to bring creativity to the world of IT every day.
iV4 is a Rochester Best Workplace and Rochester cyber security company that defends our clients against vulnerabilities, attacks, and threats.
We are committed to our customers and any organization who may need our assistance at this time.
