As organizations encourage their employees to work remotely to prevent the spread of COVID-19, they may be taking on additional or unknown cyber risks as well. The most experienced hackers know how to take advantage of national incidents to conduct very effective phishing and social engineering campaigns. Allowing employees to access sensitive corporate data from personal devices and unsecured internet connections can put an organization with even the best internal cyber practices at risk.
TriCorps suggests keeping four basic principles at the forefront of any strategic planning regarding IT policy and telecommuting procedure changes made for COVID-19 prevention.
- Encourage employees to take extra caution with any emails or calls that involve the transfer of funds or that ask for personal or company information such as account numbers, user credentials, or passwords. There has been a surge of social engineering and phishing attacks with more users working from home, and attackers are taking advantage of the public’s heightened health concerns.
- Instruct employees not to click on any unknown link, including advertisements. Malicious coronavirus websites are popping up, which could lure victims into clicking on dangerous links and introducing malware into networks. Users need to be aware of anything that seems suspicious and should be cautious about clicking on various COVID-19-based websites. Stick to mainstream websites.
- When possible, require employees to use company-owned and maintained devices. Personal devices do not have the same controls installed as company-owned devices, so the potential for compromised data increases when employees access company networks and data from their own unprotected devices. Also, when company devices are brought into the home, make sure they are not shared with anyone else in the household.
- Instruct employees not to leave company portals, browsers, or databases open or unsecured. Employees need to be extra vigilant about physical security around their devices, such as not leaving laptops unattended or even in a locked vehicle. If necessary, devices may be stored in a trunk for short periods.