
Waiting for a rainy day to do security training? It’s pouring

Now that most of the workforce — the ones who still have jobs — works from home, and hackers continue successfully using COVID-19-themed phishing emails to target companies and individuals, now is the time to invest in security training and awareness.

These security threats are often amplified for small and medium businesses, which may not have enough laptops to send all of their newly remote workers home with a company-issued endpoint.

“I think the biggest question to ask of your remote workforce is what endpoints are they working off of,” said Chris Henderson, director of information security at Datto. “Are they working off of your company endpoints, in which you have your existing security controls? Or are they opting to work with their personal devices because it’s more convenient and familiar? Really it’s the threat of the uninformed shadow IT, of potential remote workers using personal machines.”

Datto sells its cloud-based network and data management software to managed service providers, which then provide these services to more than 1 million global businesses. While it did annual cybersecurity training for its employees before the pandemic, now that all of its employees work remotely, “we’ve kicked up our security awareness program significantly,” Henderson said.

There are several reasons to do security training for your employees and their families. First, family members and roommates are essentially now co-workers, and the shared WiFi network — and devices connecting to that network — “become an extension of your work,” Henderson explained. “There’s concerns I have around the laptops of your teenage kids, and the laptops of our spouses. Are their security practices as good as yours? It’s important to touch on security awareness training as everybody’s working on personal machines. And really focusing in on how to detect phishing emails, voice phishing, and try to lower the overall susceptibility somebody is to social engineering attacks.”

Phishing Attacks, Viruses Surge

In addition to the people and devices connecting to the network, Henderson says he’s concerned about the uptick in coronavirus-themed attacks and scams.

The FortiGuard Labs team as recently as April 4 reported seeing an average of about 600 new phishing campaigns per day designed to either use COVID-19 fears to prey on individuals or pretend to provide essential information like help desk support for new teleworkers or hard-to-find medical supplies like facemasks and gloves.

As a specific example, the FortiGuard Labs threat hunters discovered a new coronavirus-themed spear phishing email that uses the World Health Organization (WHO) trademark to convince recipients of its authenticity.

While most of these attacks start with phishing, their goal is to steal personal or corporate information. And so the majority of these phishing attacks contain malicious payloads, including ransomware, viruses, and remote access trojans, to provide criminals with remote access to endpoint systems and remote desktop protocol exploits, FortiGuard Labs warns. The threat researchers documented a 17% increase in viruses for January, a 52% increase for February, and a 131% increase for March compared to the same months in 2019.

For this reason, Henderson says he’s increased internal phishing exercises and now does text messaging and voice phishing for employees as well. He suggests other companies follow suit.

“We recently just kicked off all new phishing templates to better match what we’re seeing in the wild, so it’s specifically surrounding COVID-19,” Henderson said. “The phishing campaigns are just going crazy right now, and so we are replicating a lot of those in-house to make our employees more aware that these are coming.” And to make sure that they don’t click on them.

Make Security Easy

While the ideal situation for remote employees involves them using business-issued computers, Henderson says he realized that’s not always possible because of budget constraints. So for those that do use personal machines, companies should issue guidance to employees about which antivirus software to use and potentially pay for additional licenses to cover home users’ devices.

Companies will have more success “if you make it easier for your employees to conform with your security requests than it is for them to find their own,” Henderson added. This means choosing a virtual private network [VPN] “that is easy and quick to connect to and secure over something like [remote desktop protocol].”

He also suggests using cloud computing services like Google Apps or Office 365 instead of locally managed files because then employees don’t have to worry about backing up their data. “So while you may need to spend a little bit more money to make sure your remote employees are secure, it’s well worth it given the activity we’re seeing from different threat actors,” Henderson said.

―SDX Central


Copyright © 2024 Communications Today
