Cybersecurity in the age of coronavirus.

We’ve fielded many questions about coronavirus (COVID-19), most with a focus on work-from-home but some related to changes to the threat landscape. We’ve decided to share the guidance we developed for our clients more broadly on our public website – hopefully this will help other organizations who are asking the same questions.

First, if you work from home, occasionally or all the time, your responsibility to protect sensitive data extends to your ‘home office’ as well. Hackers attack both work and home computers and networks, and they’ll use your home network to make a jump into work systems – you need to make sure your home network is secure to help keep the bad guys out. Even if you don’t work from home, the cybersecurity guidance below can help you protect your personal files, photos, documents, and details – your private information is valuable, too.

If you’re on the IT team, we have two guides – one or both may apply to your organization. The first focuses on bring-your-own-device (BYOD) systems… some organizations are opting to allow BYOD for new work-from-home users even if they haven’t allowed BYOD in the past. The second guide shares ideas for organizations that can deploy corporate-owned devices for work-from-home… we list key points for organizations that haven’t already tackled the cybersecurity implications of remote workers.

You should think about threats in the context of coronavirus. The links above provide guidance that can help you defend, detect, and respond to threats for remote workers. The link below discusses cybersecurity threats that may have a different spin because of coronavirus (even though the techniques bad actors use aren’t new).

If you use Virtual Security Center (VSC) – the software-as-a-service platform from Loptr’s sister company Lowkey Software – this guidance is already built in and you’ll have a few more resources, too. Updates to VSC to support your work-from-home team include:

  • A new “work-from-home” role you can assign to remote workers.
  • Extra “work-from-home” policy statements that you can enable for anyone with the “work-from-home” role. As a risk manager, go to Administration > Policies and filter on the Category “Work-from-home”, then enable the policy statements you want to use.
  • Additional coronavirus-specific awareness reminders. They’re in the March rotation but you can also send them on-demand more frequently – and you can send them just to work-from-home users if you choose.
  • New “BYOD” containers for Mac and Windows and a new home network container. You can send a security assessment to work-from-home users to verify security settings (from these BYOD and home network short-lists) and track status in your risk analysis and compliance reporting. If you find gaps, you can track remediation tasks directly from VSC.
  • Guidance documents based on some of the resources above…
    • Remote worker guidance assigned to the work-from-home role. You can send the guides via email, view them online in VSC, and track confirmation.
    • IT-specific guidance assigned to the “IT” role. You can automatically send the guides via email to everyone in IT and, if you want, you can track when they confirm viewing the documents.
    • Coronavirus-specific threat guidance for your workforce. You can email the guide if you choose, or let workers view the guide online.

Include a worker’s home office in your risk analysis with the “home office” container. Add the workspace under Places and assign an assessment (aligned with this home office security checklist) to the employee. Like any VSC assessment, responses feed directly into your risk analysis and compliance reporting and you can request changes using a remediation plan in VSC, too.

Use the “message of the day” feature to share information with VSC users when they log in. If you have the information security officer role, make sure that “Message Of The Day” is enabled from Configuration > Features. From your home page, click on the edit icon in the panel above My Security Tasks and add your message. Here’s an example:

Beware COVID-19 Phishes!

If there’s one thing you can always count on, it’s that hackers will try to capitalize on current events. The latest example of this is an increase in phishing emails related to COVID-19. These bogus emails pretend to be from healthcare organizations, human resources departments, and even the CDC and WHO. The emails may claim that they have “critical information” regarding the virus and will try to get you to click on a link or attachment. If you do, the bad guy may steal your password or install malware on your computer. Here are some tips to protect yourself:
1) Always check the sender of emails you receive. Do you know the person? Is it really coming from an internal address? Have you signed up for this mailing list?
2) Think twice before you click on links or attachments. Is the link suspicious? Where does it go? Did you expect an attachment?
3) Don’t enter your password after clicking a link. If a website wants your password, check that it’s legit. Don’t enter your password again if you’re already logged in.