As employers rapidly respond to the need to protect their workforces from potential exposure and spread of the novel coronavirus, also known as COVID-19, many organizations are making the very difficult decision to pivot to a work-from-home model. This means employees will be connecting to corporate networks from whichever device is available: laptops, phones, tablets and even smart watches.

In response to the rapidly developing outbreak, many healthcare organizations are also expanding their use of “telehealth” treatment, which means they are using mobile devices when setting up triage and mobile COVID-19 testing sites. They are also using devices to help manage the larger than normal patient loads and provide treatment in parts of hospital facilities not normally used for patient care.

While technology is enabling this new way of life and helping to prevent things from coming to a screeching halt, it is also critical to consider the relevant security posture — not just of the devices themselves, but also of the highly sensitive data flowing through them.

For business information security officers (BISOs), chief information security officers (CISOs) and IT leaders, when supporting efforts to move into this new model or expanding existing remote work policies, guidance and communication cybersecurity hygiene best practices for all staff and employees working remotely is very important.

As a security professional, one of the things you always have to be thinking about is what’s going to happen in an emergency. There are already numerous comparisons that say cyber security is like being in a knife fight with one arm tied behind your back. Now, you are losing the ability to see what your people are doing as effectively. It’s like adding a blindfold to the fight.

With cancellations and closures, many organizations may already be facing a competitive disadvantage. As changes pile up and disrupt revenue, many employees are faced with urgent pressure to right the business. Leaders should be prepared for employees to use whatever tools necessary to meet the demands of work. Many of them will use these tools and even cover their tracks if they are aware they are acting outside of corporate security policies, and employees may do things security leaders didn’t consider.

Protection of intellectual property, data, equipment and private information should be top-of-mind for IT and security leaders. As you develop tools and applications to support your business needs and continue to meet the needs of staff and employees, many security leaders are facing similar challenges and needs.

Here are nine best practices security leaders should follow to better protect their people, technologies and sensitive data organization-wide.

Application Security

As new programs and policies are launched and new applications are deployed faster than usual, security concerns, new vulnerabilities and a broader attack surface can elevate the risk of an attack.

Penetration testing against the most valuable applications, before and after deployment, can give organizations a valid measure of their security posture and show any gaps that must be filled. Testing and retesting applications can also help reinforce the usage of approved tools and applications.

While free tools and solutions are available, they can also elevate risk, which is why security leaders must understand any vulnerabilities within those tools and the impact they may have on the organization’s overall security.

Using Corporate Tools for Communication and Collaboration

When teams are adjusting to everyone working from home, going down the hall to share information is no longer practical. Employees may try to find ways to have a discreet discussion about sensitive projects, products, services or work deliverables.

Security leaders should remind their teams which tools are approved and how to use them securely. They should also discourage the use of unapproved platforms, instant messaging or text messaging when discussing work matters.

File Sharing and Email

The same communication issues often occur when companies experience a temporary outage of email environments or file sharing and storage. As pressure builds, employees may use anything available to them. Usage of personal email and consumer file sharing outside of approved and official tools can be very dangerous. Security leaders should clearly lay out guidance on which tools should be used and which should not, and reinforce file permissions, sharing and file management inside those approved tools.

Devices: Use Company-Issued Equipment and Follow Security Practices

Security leaders should encourage employees to keep devices in sight and secured at home and provide a review of unified endpoint management programs and applications. The longer employees work from home, however, the easier it may be to fall into a pattern of using all the computers and devices that are available to them. Schools across the country are announcing closures, which means children and employees will be sharing the same space, increasing the demand for access to technology for work and entertainment. To protect data and the security of the corporate network, security leaders should advise employees to keep their work issued devices and personal devices separate and not allow device sharing with family members and children. Employees should also log out of laptops and devices when they are not in use and put them away when signing off for the day. Everyone should be using personal devices and computers, not company-issued devices, for media, social networking and education whenever possible.

Employees should also know how to reach the IT department in case of any issues, so they do not feel forced to work from personal devices or equipment that has not been secured.

Social Media and Social Engineering

Criminals are going to take advantage of opportunities to target employees working from home.

Security leaders should ask employees to be vigilant in identifying and reporting spam and phishing attempts. They should also provide tips on hovering over links before clicking on them, and not opening email attachments from external messages. Employees should also be reminded to be skeptical of links shared from unknown sources in social media posts and offers from companies preying on coronavirus fears or health concerns.

The physical security of facilities is also at increased risk with fewer people on site to identify a person who is not authorized to access office buildings. Security leaders may want to consider professional social engineering engagements performed by hired hackers to help uncover vulnerabilities and reinforce awareness about risky employee behavior.

Issue Reminders about Network Access Via Secure Wi-Fi and Best Practices for Home Networks

Security leaders should encourage employees to practice good network security hygiene at home just like they would in the office. Employees should have stable connectivity, at speeds necessary to do their work, and should not work from a public or shared Wi-Fi. Upgrading outdated equipment or services may be necessary in some cases, but at the very least, security leaders should advise employees to update the firmware and software of access points and routers.

Test and Reinforce Two-factor Authentication Policies

Many companies have put in place identity and access management tools to prepare for remote access. Some require regular configuration, verification, and policies to update the usage of these tools, which may be overdue. Security leaders should make sure those policies are in place, up-to-date and functioning, so you eliminate roadblocks that may prevent remote employees from completing their work, sharing files and data and accessing confidential company communications and updates.

Test VPNs and Reiterate How Important It Is to Use the VPN for All Work Matters

Testing the limits to the number of connections and overall reliability of a company’s virtual private network (VPN) is very important. Many organizations don’t have the infrastructure to support a total remote workforce and plan for 30 percent of their employees to connect at any given time. In today’s world, they should be prepared for 90 to 100 percent.

Security teams should ask, “When VPN credentials are compromised, what data gets exposed?” Phishing and malware attacks can also target virtual networks instead of individuals. With keyloggers and trojans, access to the corporate network from a remote employee’s device or system is possible. Understanding which data and intellectual property can be accessed if a VPN is compromised — before an attack happens — is critical. Security leaders should also follow current threat intelligence to understand what types of malicious network activity they should be watching for.

Overall, however, connections over a VPN are much more secure. Security leaders should encourage consistent usage by all employees.

Stay Aware of Evolving Vulnerabilities and Threats

As the global situation with the coronavirus develops, pressures on remote teams and security leaders may increase. It is important for both parties to stay in touch, ask questions and ask for help when needed.

The cyber security community is a valuable resource for anyone charged with keeping companies safe and secure. Rely on community resources and the open exchange of news, tactics, threats and best practices. If an incident occurs, rely on business partners and professionals in security to supplement your own team’s needs. Read more from our X-Force Iris team about how we can help.

Watch Charles Henderson, X-Force Red’s Global Head, Managing Partner and veteran hacker, present an in-depth recorded event presentation about the COVID-19 threat landscape.

Watch the Red Con session recording here

More from Threat Intelligence

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today