As employers rapidly respond to the need to protect their workforces from potential exposure and spread of the novel coronavirus, also known as COVID-19, many organizations are making the very difficult decision to pivot to a work-from-home model. This means employees will be connecting to corporate networks from whichever device is available: laptops, phones, tablets and even smart watches.

In response to the rapidly developing outbreak, many healthcare organizations are also expanding their use of “telehealth” treatment, which means they are using mobile devices when setting up triage and mobile COVID-19 testing sites. They are also using devices to help manage the larger than normal patient loads and provide treatment in parts of hospital facilities not normally used for patient care.

While technology is enabling this new way of life and helping to prevent things from coming to a screeching halt, it is also critical to consider the relevant security posture — not just of the devices themselves, but also of the highly sensitive data flowing through them.

For business information security officers (BISOs), chief information security officers (CISOs) and IT leaders, when supporting efforts to move into this new model or expanding existing remote work policies, guidance and communication cybersecurity hygiene best practices for all staff and employees working remotely is very important.

As a security professional, one of the things you always have to be thinking about is what’s going to happen in an emergency. There are already numerous comparisons that say cyber security is like being in a knife fight with one arm tied behind your back. Now, you are losing the ability to see what your people are doing as effectively. It’s like adding a blindfold to the fight.

With cancellations and closures, many organizations may already be facing a competitive disadvantage. As changes pile up and disrupt revenue, many employees are faced with urgent pressure to right the business. Leaders should be prepared for employees to use whatever tools necessary to meet the demands of work. Many of them will use these tools and even cover their tracks if they are aware they are acting outside of corporate security policies, and employees may do things security leaders didn’t consider.

Protection of intellectual property, data, equipment and private information should be top-of-mind for IT and security leaders. As you develop tools and applications to support your business needs and continue to meet the needs of staff and employees, many security leaders are facing similar challenges and needs.

Here are nine best practices security leaders should follow to better protect their people, technologies and sensitive data organization-wide.

Application Security

As new programs and policies are launched and new applications are deployed faster than usual, security concerns, new vulnerabilities and a broader attack surface can elevate the risk of an attack.

Penetration testing against the most valuable applications, before and after deployment, can give organizations a valid measure of their security posture and show any gaps that must be filled. Testing and retesting applications can also help reinforce the usage of approved tools and applications.

While free tools and solutions are available, they can also elevate risk, which is why security leaders must understand any vulnerabilities within those tools and the impact they may have on the organization’s overall security.

Using Corporate Tools for Communication and Collaboration

When teams are adjusting to everyone working from home, going down the hall to share information is no longer practical. Employees may try to find ways to have a discreet discussion about sensitive projects, products, services or work deliverables.

Security leaders should remind their teams which tools are approved and how to use them securely. They should also discourage the use of unapproved platforms, instant messaging or text messaging when discussing work matters.

File Sharing and Email

The same communication issues often occur when companies experience a temporary outage of email environments or file sharing and storage. As pressure builds, employees may use anything available to them. Usage of personal email and consumer file sharing outside of approved and official tools can be very dangerous. Security leaders should clearly lay out guidance on which tools should be used and which should not, and reinforce file permissions, sharing and file management inside those approved tools.

Devices: Use Company-Issued Equipment and Follow Security Practices

Security leaders should encourage employees to keep devices in sight and secured at home and provide a review of unified endpoint management programs and applications. The longer employees work from home, however, the easier it may be to fall into a pattern of using all the computers and devices that are available to them. Schools across the country are announcing closures, which means children and employees will be sharing the same space, increasing the demand for access to technology for work and entertainment. To protect data and the security of the corporate network, security leaders should advise employees to keep their work issued devices and personal devices separate and not allow device sharing with family members and children. Employees should also log out of laptops and devices when they are not in use and put them away when signing off for the day. Everyone should be using personal devices and computers, not company-issued devices, for media, social networking and education whenever possible.

Employees should also know how to reach the IT department in case of any issues, so they do not feel forced to work from personal devices or equipment that has not been secured.

Social Media and Social Engineering

Criminals are going to take advantage of opportunities to target employees working from home.

Security leaders should ask employees to be vigilant in identifying and reporting spam and phishing attempts. They should also provide tips on hovering over links before clicking on them, and not opening email attachments from external messages. Employees should also be reminded to be skeptical of links shared from unknown sources in social media posts and offers from companies preying on coronavirus fears or health concerns.

The physical security of facilities is also at increased risk with fewer people on site to identify a person who is not authorized to access office buildings. Security leaders may want to consider professional social engineering engagements performed by hired hackers to help uncover vulnerabilities and reinforce awareness about risky employee behavior.

Issue Reminders about Network Access Via Secure Wi-Fi and Best Practices for Home Networks

Security leaders should encourage employees to practice good network security hygiene at home just like they would in the office. Employees should have stable connectivity, at speeds necessary to do their work, and should not work from a public or shared Wi-Fi. Upgrading outdated equipment or services may be necessary in some cases, but at the very least, security leaders should advise employees to update the firmware and software of access points and routers.

Test and Reinforce Two-factor Authentication Policies

Many companies have put in place identity and access management tools to prepare for remote access. Some require regular configuration, verification, and policies to update the usage of these tools, which may be overdue. Security leaders should make sure those policies are in place, up-to-date and functioning, so you eliminate roadblocks that may prevent remote employees from completing their work, sharing files and data and accessing confidential company communications and updates.

Test VPNs and Reiterate How Important It Is to Use the VPN for All Work Matters

Testing the limits to the number of connections and overall reliability of a company’s virtual private network (VPN) is very important. Many organizations don’t have the infrastructure to support a total remote workforce and plan for 30 percent of their employees to connect at any given time. In today’s world, they should be prepared for 90 to 100 percent.

Security teams should ask, “When VPN credentials are compromised, what data gets exposed?” Phishing and malware attacks can also target virtual networks instead of individuals. With keyloggers and trojans, access to the corporate network from a remote employee’s device or system is possible. Understanding which data and intellectual property can be accessed if a VPN is compromised — before an attack happens — is critical. Security leaders should also follow current threat intelligence to understand what types of malicious network activity they should be watching for.

Overall, however, connections over a VPN are much more secure. Security leaders should encourage consistent usage by all employees.

Stay Aware of Evolving Vulnerabilities and Threats

As the global situation with the coronavirus develops, pressures on remote teams and security leaders may increase. It is important for both parties to stay in touch, ask questions and ask for help when needed.

The cyber security community is a valuable resource for anyone charged with keeping companies safe and secure. Rely on community resources and the open exchange of news, tactics, threats and best practices. If an incident occurs, rely on business partners and professionals in security to supplement your own team’s needs. Read more from our X-Force Iris team about how we can help.

Watch Charles Henderson, X-Force Red’s Global Head, Managing Partner and veteran hacker, present an in-depth recorded event presentation about the COVID-19 threat landscape.

Watch the Red Con session recording here

More from Application Security

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

Twitter is the New Poster Child for Failing at Compliance

All companies have to comply with privacy and security laws. They must also comply with any settlements or edicts imposed by regulatory agencies of the U.S. government. But Twitter now finds itself in a precarious position and appears to be failing to take its compliance obligations seriously. The case is a “teachable moment” for all organizations, public and private. The Musk Factor Technology visionary and Silicon Valley founder and CEO, Elon Musk, bought social network Twitter in October for $44…