How To Protect Your Cyber Health While Working From Home During The COVID-19 Crisis
Americans have pivoted quickly to working from home during the Covid-19 crisis, but the shift has been so abrupt that little time has been allocated to thinking about how best to protect sensitive organization collaboration, exchange, and data.
Whether you are self-employed, a small business, or working within a massive corporation, there are considerations you may want to review right now.
Cybersecurity was already a flashpoint for businesses given the increasing intersection of on-staff employees, contractors, gig workers and more at companies large and small. Given the work-from-home mandate of many states, now that flashpoint is accelerated and many are missing critical elements to stay safe across all devices.
Given this atmosphere, law firm Venable LLC recently arranged a teleconference with tech conglomerate Cisco, software company Citrix, and the National Institute of Standards and Technology (NIST). NIST is a non-regulatory agency of the U.S. Department of Commerce whose mission is to promote innovation and industrial competitiveness.
The goal of the teleconference was to give insights on protecting company information for IT staff, employees and small business owners and how to identify threats as well as plan and implement to maximize digital security.
Naturally, pre-planning is ideal, but given the unprecedented global crisis, everyone has to ramp up quickly. Even IT managers who have had policies in place may do well to update those policies, said Karen Scarfone, senior computer scientist at NIST.
“Now is the time to re-evaluate those prior policies based on current threats that are far different given the large numbers of people on your networks for how you did not plan for all at the same time nor for this extended amount of time,” Scarfone said.
Scarfone suggested that re-evaluation be done under what NIST calls a zero-trust model so that everything from encryption and storage to communications and two-to-three step authentication are considered. She suggested two important steps:
- Create a tiered approach. Start with evaluating access only from laptops that the organization controls (i.e. what resources should be accessed and from what devices). Then move to outside devices and access to more sensitive information so that you can easily develop all your tiers.
- Then begin implementation. The main work is to monitor security to minimize threats to servers and security telework devices themselves, especially phones. This is challenging but critical if one’s organization has a BYOD (bring your own device) policy. At the very least, the organization’s own devices should be secure.
Other considerations include how to then scale such solutions and how such solutions may perform for employees who may be in low bandwidth areas.
Naturally, data protection is key in order to drive an organization’s mission, but communication should be equally scrutinized. Even on normal workdays, the level of security around virtual meetings and conference calls should be considered. NIST says that far too many organizations use the same conference call and pin numbers over and over again, making them susceptible to threats. Calls should be evaluated in the following manner:
- Low sensitivity: Do a roll call and keep track of who leaves and enters the call
- Medium sensitivity: Make sure you don’t record the call by accident. If you record intentionally, determine if the call will be encrypted or not, where it will be stored, and how to protect that storage area. And limit such calls to only be made from company-secured devices. Remember to reserve any side conversations to offline.
- High sensitivity: Use a service that has a “green-room” so that you can control who enters it. Such services should also provide the capability to lock the call once all the invited members are on it. There should be one-time-only pin and meeting numbers. The meeting number should only be given out shortly before the call in order to maximize security.
In general, simply trust your instincts and to use common sense, said Jeff Greene, director of the National Cybersecurity Center of Excellence at NIST. For people working from home during this time, he suggests making sure that your home Wi-Fi is secure and that the router is updated and patched regularly by your provider. VPN is a great addition to include right now on all your devices if you do not have it. Ensure that you have passwords on your phones and tablets. Take care that if you have alerts, they are not readily available on the screen of your phone.
Listen to GHOGH with Jamarlin Martin | Episode 69: Jamarlin Martin Jamarlin goes solo to unpack the question: Was Barack Obama the first political anti-Christ to rise in Black America?
“Also, I like to just suggest everyone use the cyber equivalent of, ‘If you see something, say something,'” Greene said. “Watch for any unusual activity on your devices. This could be something like increased pop-ups, windows that don’t close and more.”
Citrix or Cisco have a multitude of offerings for security that range from the entire network to application-specific. They provide security analytics but also performance analytics from the end-user perspective so that an IT manager, for instance, could monitor if the experience is a smooth one for employees or not. Some can even be tied to biometrics or wearables.
Attackers are still very much present, and we all, whether small businesses or individuals who are self-employed, need to be vigilant. “Even if you are unsure of what to do, try to at least start somewhere,” Green said. “Doing something even small like starting with getting a good VPN or electing to tether to your phone instead of using outside Wi-Fi is a great start. Don’t let inertia or fear stop you. Be proactive.”