The massive shift to work-from-home models over the past weeks has made people and businesses especially vulnerable to cyber threats. The total number of areas that present risk for an organization (also known as its attack surface) just expanded by an unprecedented scale. Devices, networks, passwords and data—they’re all more exposed now than ever before. And the criminals know it.
It’s easy enough to say that companies need to bolster cybersecurity protocols—and they do—but not many have the people to do it. IT and security operations teams have their hands full trying to get systems up and running to support hundreds and sometimes thousands of people who are now working offsite.
Here’s an example: A citywide stay-at-home order led a business services firm to transition the majority of its 300-person workforce to remote work. Internal IT resources are all focused on managing the sudden strain on the network, and there are few security protocols for remote work in place. The company uses VPN software, but it wasn’t set up to accommodate current traffic load and employees can access email and other resources separately. Company devices have encryption software, but it is unclear which devices it is enabled on or even if those devices have passwords.
The risks in this scenario are high. The exposure of employee email leaves the company vulnerable to threats like phishing scams that mimic the tone and voice of those who can authorize funds transfers. Vulnerabilities in the firewall open the company up to ransomware and theft of confidential data and personal information. With so many of us using video conference capabilities these days, what kind of information can criminals get when they hack into an employee’s webcam through their Wi-Fi network?
These are the types of issues companies of all sizes should be worrying about. So what should you do about it?
Get help. Now is the time to augment internal resources with contract cybersecurity professionals to ensure the tools and processes are in place to protect company resources. These aren’t permanent employees. They’re contractors who specialize in ensuring systems and processes are up-to-date, running smoothly and able to identify threats. Here are some of the areas they’re addressing in the near-term:
- Cybersecurity audits that apply security frameworks, evaluate and catalog data access, breach planning and penetration testing, to name a few
- Two-factor authentication implementation and testing
- User training/education, including everything from securing home networks and enabling encryption software to training people to detect malware and phishing scams
- Extending endpoint security to employees’ home Wi-Fi
Even companies that aren’t planning to shift to a work-from-home model may find themselves with no other choice soon enough. We’ve seen multiple states issue shelter-in-place and nonessential business closure orders in just the past 72 hours. In other words, the time to plan is now.