Building cyber citizens in a remote workforce

Collective Defense is more than just a buzzword. Today, organisations seek to strengthen cybersecurity within the enterprise and across industries. It is imperative to promote and enable stringent, yet achievable, cybersecurity practices among employees to add another level of security protection. More than training, cybersecurity hygiene is a mindset and daily practice.

Since most companies have transitioned to a fully remote workforce to endure this COVID-19 world, — plus the fact that human error was the root cause of 23% of data breaches in 2019 even before our new way of working — this mindset is crucial.

4 ways to enable your workforce to become super cyber citizens

At IronNet, we live and breathe cybersecurity, so I would like to share the advice of our experts given that, even many months into the pandemic, the issues listed here are going to be relevant for some time to come.

1) Caution employees against Business Email Compromise 

Even the smartest, most cyber-savvy person on your team can be duped by a technique that is becoming more and more common: Business Email Compromise (BEC). This is a tactic where the cyber criminal will pose as an authoritative source (e.g. a company executive or financial administrator) to infiltrate your network.

Most recently, United Overseas Bank in Singapore and the U.S. Federal Bureau of Investigation alerted the Singapore Police Force of a suspected money laundering case linked to a BEC scam. The crime involved a fraudster impersonating a local corporate entity using a fake corporate email address. With more than USD 4.91 million of fraudulently transferred funds recovered, the case certainly highlights an urgent need to educate employees to be vigilant and wary about BEC scams.

Here are ways to defend against BEC:

  1. Never reuse passwords.
  2. Enable multi-factor authentication for any business-critical system, with priority on any systems or applications that are externally facing.
  3. Ensure that everyone involved with a “critical and urgent” financial transfer (often CEO and CFO) has established a process that does not use email.
  4. Set up a dedicated incident response email for employees to flag or double check anything that is even the least bit suspicious.

2) Be wary of risky browser extensions

While working from home, you may be tempted to download browser extensions that promise improved productivity and worthwhile shortcuts. I caution you: do not be tempted. It is critical to take a close look at how installing unvetted browser extensions is risky. Adding an extension to your web browser could open a gateway to all your online activities and possibly open a window to your company’s computing environment, allowing third parties to gain visibility.

On top of providing direct access to anything that you type into a browser or read in a browser, extensions may also have access to computer information such as the IP address of your system; physical location of the system; and information about installed operating systems, applications, and versions of each.

3) Consider that you are not just Netflixing these days

Before COVID-19, most of us probably thought about our routers only when bingeing on Netflix or managing multiple kids playing Dota at once. It is typical to just plug in the router, connect it to the modem, and give it a unique name. Now is a good time to rethink this approach and go well beyond out-of-the-box settings. 

Here is a snapshot of how to secure your router:

First, access your router settings so you can check and improve the settings if required. To do so, you can access your home router settings through logging in to your internet provider’s website or access the router directly. Typically, there is a set IP address that you would type into your browser. Check out your provider’s FAQ pages if you are still having issues logging in to see the router settings. Once you have accessed the router settings, take the following basic steps:

  1. Change your WiFi password and the administrator password (and make them different from each other);
  2. Change/check your WiFi name, keeping in mind that you do not want to reveal personal information (e.g. your family name or address);
  3. Check “WPA2” as the encryption method, as other methods have been cracked;
  4. Disable WPS, as it is a way for people nearby to easily get inside your WiFi;
  5. Enable the default firewall to protect yourself from both proximity attacks and attacks from anywhere; and
  6. Disable “Shared-WiFi,” because sharing is not always caring.

4) To VPN or not to VPN?

For remote workers, the answer is always yes. Remind employees regularly to log in to their VPN at home. While it can be tempting to ignore the VPN while your child does schoolwork at night, for example, it is crucial to sound the alarm that remote employees should make logging in to the VPN part of their cybersecurity hygiene.

We can do this.

Change is always challenging, but we can do this. Employee by employee, assuring a culture of committed cyber citizens is what every company needs to do to make the sudden leap to a remote work environment a secure one. Now and for the long haul.