The Cyber Risks of Working Remotely During the Coronavirus Pandemic

This blog post can also be found on our Coronavirus Resource Center.

As the impacts of the coronavirus pandemic spread across the globe, many companies are responsibly embracing the idea of “social distancing” in an effort to slow the spread of the coronavirus.

Across many industries, and including us at Woodruff Sawyer, employees have been asked to work remotely. But for all the benefits remote working provides in reducing the spread of coronavirus, it does not come without its own set of cyber risks.

For a summarized list of all the critical advice and tips included in this article, please click here.

Bandwidth and Unsecured Connectivity

First and foremost, employees working remotely will need access to the internet with enough bandwidth to accomplish their work tasks.

Applications such as video conferencing tools require more internet bandwidth than typical home internet use, and many employees may not currently have an appropriate bandwidth level as part of their internet service.

Companies should require employees to test their ability to work remotely. They should also consider different solutions for granting employees increased internet access in their homes, such as a one-time taxable bonus to upgrade their internet.

Apart from connectivity issues, employees may view the ability to work remotely as license to work from their favorite coffee shop, restaurant, or other social setting. This is ill-advised, as it defeats the purpose of social distancing in the first place.

Furthermore, many public locations offer free-wifi connectivity, which is generally unsecured. These networks are often ripe with attackers on the same network looking to steal data or employee credentials through malware.

Companies should remind employees of the core tenet of social distancing, and discourage them from working in public settings using an unsecured public Wi-Fi connection when possible.

Another connectivity risk is a familiar one for many IT professionals: bring your own device (BYOD). Employees may be using personal laptops, computers, tablets or cell phones to connect to a company network.

While these personal devices make it easier to work remotely, they are often not loaded with the proper endpoint security software that a company-issued device would be. Keylogging malware and other types of hacking tools may already be deployed on these personal devices, allowing attackers the ability to gain access to employee credentials rather easily.

Accessing company networks in an insecure manner is not a new risk, but its profile is raised by the prospect of an entirely remote workforce. Companies combat this risk through a combination of formal policies, such as a remote access policy, security policy, or BYOD policy, as well as security tools.

Access to company networks, shared drives, and sensitive corporate information should be routed through a virtual private network (VPN) if at all possible. A VPN encrypts the internet traffic between a remote device and company networks, allowing for a more secure connection.

However, VPNs alone are not a bulletproof solution. The VPN must be patched, updated, and monitored by the IT department on a consistent basis.

Recently, the U.S. Department of Homeland Security issued an alert on enterprise VPN security, advising that attackers are ramping up attacks on VPN networks as more companies have implemented remote working.

Employee Access Issues

For many employees, this may be their first experience with remote working and the demands that it places on them. With a remote workforce, communication amongst colleagues, teams and clients becomes even more critical. Thankfully, there are apps for that.

Specifically, apps that allow for video conferencing, internet phone capabilities, group chatting, and even shared document storage or editing. But some employees may not have the appropriate knowledge or technical skills to make the applications work correctly.

This can lead to one of the most prominent risks of working remotely: the use of personal accounts to accomplish critical business tasks.

For example:

• A salesperson using their personal email to finish off a project or contact that next prospect.
• A product manager downloading a large file to their personal cloud storage account so they can assure themselves access to it whenever needed.
• An employee printing out a confidential presentation on their home computer and not having the ability to shred it.
• Perhaps the worst,, an executive sharing sensitive personal data on clients or customers through text message to a group chat.

All of these examples of using personal accounts or devices while remote are fraught with cyber risk, and companies should address these risks through formal policies and guidance to employees.

Here are some of the guidelines employers should enforce:

• As noted above, access to company networks and shared drives should be required to utilize an enterprise VPN connection.
• Employees should communicate through their corporate email, or other company-approved communication apps, while working remotely.
• Personal cloud storage apps and personal email accounts should not be considered secure and should not be used for saving, accessing, or distributing company documents or information.
• Employees should be reminded of what constitutes sensitive data within the organization. This may include company intellectual property, customer lists, sensitive consumer or employee information, or other types of information key to running the business. By reminding employees what information is considered sensitive, employers also reinforce the appropriate security measures implemented in order to keep this information secure.

Phishing, Social Engineering, and Human Risks

One of the benefits of working in a corporate office environment is the habits and routines that a familiar setting provides. Often, these habits include extra diligence identifying phishing emails and a healthy skepticism towards links, attachments, and unknown contacts.

With employees now working from home, those habits and routines are thrown off, and the first line of defense for any organization—the employees—are more susceptible than ever.

Already, attackers have used the COVID-19 pandemic to launch very sophisticated phishing scams, even going so far as to pose as the World Health Organization, according to a recently released advisory from the organization.

There are even websites which purport to show the spread of coronavirus in specific regions, only to actually infect any computer that navigates to the website with dangerous malware.

Companies should err on the side of over-communicating to employees the risks of phishing scams related to COVID-19, as well as the standard social engineering scams. Increased reminders will keep employees alert to scams as they settle into new routines and develop new habits in a home environment.

Here are some tips on avoiding scams:

• Reminders on when or if an application will require login credentials should be sent to all employees to discourage sharing their credentials unnecessarily.
• Updates on company policies or procedures should come from a consistent source, typically a trusted executive such as the CEO, COO, CHRO, or Head of IT.
• Beyond email phishing attempts, attackers are also attempting to steal user information via phone calls or text messages. With employees working from home and using cell phones as opposed to office phones, extra vigilance is required.
• Calls from unknown numbers should be left to voicemail. Anyone who really needs to speak with someone will leave a message, scammers often won’t.
• Texts with links embedded in them should be scrutinized carefully. Make sure you know and trust the sender before clicking on the link.
• Working remotely requires strong password management procedures. Longer, more complex passwords are better than shorter passwords with a known fact included, such as a birthday or address. Using a password manager is advised, whether available through the organization or personally.

Employees who believe they’ve clicked on a phishing email or who have accidentally given away their login credentials should alert IT immediately.

Incident Response and Cyber Insurance

Fortunately, for those that have invested in cyber insurance, remote working does not change how the insurance policy responds to an event. Cyber policies will respond to a phishing attempt, malware infection, or data breach regardless of whether an employee is remote or in an office environment.

That said, here are some things to keep in mind:

• Companies should review their internal incident response plans to make sure they contemplate the new remote working environment.
• Executives should review the plan, and know their roles for if and when an incident occurs, including the specific events or circumstances that require escalation. Contact information should be updated to include appropriate information for all key individuals required to enact the incident response plans.
• Employees should be reminded of the incident response plan and be advised what events or circumstances trigger the policy. If they don’t know when to let superiors know about an incident, the company may miss out on crucial response time.
• Companies should review their current cyber insurance policy to assess limits and make sure the program is optimized for the increased risks of remote working.

For more on what cyber insurance covers, please see this Cyber 101 article on the basics of cyber insurance coverage.

Summary of Tips in This Article

• Companies should require employees to test their ability to work remotely, as well as consider different solutions for granting employees increased internet access from their homes, such as a one-time taxable bonus to upgrade their internet.
• Companies should remind employees of the core tenet of social distancing, and discourage them from working in public settings using an unsecured public wifi connection when possible.
• Access to company networks, shared drives, and sensitive corporate information should be routed through a virtual private network (VPN) if at all possible. A VPN encrypts the internet traffic between a remote device and company networks, allowing for a more secure connection.
• The VPN must be patched, updated and monitored by the IT department on a consistent basis.
• Employees should communicate through their corporate email, or other company-approved communication apps, while working remotely.
• Personal cloud storage apps and personal email accounts should not be considered secure and should not be used for saving, accessing, or distributing company documents or information.
• Employees should be reminded of what constitutes sensitive data within the organization. This may include company intellectual property, customer lists, sensitive consumer, or employee information, or other types of information key to running the business.
• Companies should err on the side of over-communicating to employees the risks of phishing scams related to COVID-19, as well as the standard social engineering scams.
• Reminders on when or if an application will require login credentials should be sent to all employees to discourage sharing their credentials unnecessarily.
• Updates on company policies or procedures should come from a consistent source, typically a trusted executive such as the CEO, COO, CHRO, or Head of IT.
• Calls from unknown numbers should be left to voicemail. Anyone who really needs to speak with someone will leave a message, scammers often won’t.
• Texts with links embedded in them should be scrutinized carefully. Make sure remote workers know and trust the sender before clicking on the link.
• Longer, more complex passwords are better than shorter passwords with a known fact included, such as a birthday or address.
• Using a password manager is advised, whether available through the organization or personally.
• Employees who believe they’ve clicked on a phishing email or who have accidentally given away their login credentials should alert IT immediately.
• Companies should review their internal incident response plans to make sure they contemplate the new remote working environment. Contact information should be updated to include appropriate information for all key individuals required to enact the incident response plans.
• Executives should review the plan, and know their roles for if and when an incident occurs, including the specific events or circumstances that require escalation.
• Employees should be reminded of the incident response plan and be advised what events or circumstances trigger the policy. If they don’t know when to let superiors know about an incident, the company may miss out on crucial response time.
• Companies should review their current cyber insurance policy to assess limits and make sure the program is optimized for the increased risks of working remotely.

The COVID-19 pandemic has changed how the world interacts, and the new reality for many companies involves a remote workforce and increased cyber risks.

Now is a great time for companies to reinforce some basic cyber hygiene tools and practices to meet these increased cyber risks head-on and use a remote working environment to their advantage.