Image of a person working on a laptop with digital icons superimposedWith the COVID-19 pandemic, federal agencies found that the only way to keep production up was to let employees work from home. While this workforce keeps production and public services flowing, it adds considerable cybersecurity risks to the organization and its private data. With an at-home workforce, users work on their own network and devices and use their own internet service provider (ISP) without enterprise-level cybersecurity defenses. Even though IT loses control of devices when users work from home, organizations can still take steps to protect data from hackers.

Require VPN when Connecting to the Agency Network

Most users know about a virtual private network (VPN), but they might not understand the significance of using one when working with business data. A VPN connection “tunnels” traffic from the user’s computer to the targeted network. In this scenario, the targeted network is the business internal network. This tunneling involves encryption of data in addition to any data passed with an HTTPS (TLS/SSL) connection. Therefore, the data will be first encrypted with HTTPS and then packaged with VPN encryption. The double encryption increases protection from eavesdropping as data moves across the Internet.

Not every VPN provider is created equally, so agencies should offer users a VPN account purchased by the organization to ensure that the VPN used is a reputable source. This will ensure that users are only using a trusted VPN provider. Some unscrupulous VPN providers will log data at their own endpoint, which leaves the data open to eavesdropping from anyone who has access to VPN servers and their logs.

Install Email Cybersecurity to Internal Email Servers

Users should be trained to only use work email accounts for business-related messages. They should never transfer private data in email and chat programs. Email is one of the most insecure forms of communication, so it should never be used to store or send sensitive data, including passwords.

By controlling user email, IT administrators can stop some of the threats on an email server. The goal is to never allow malicious messages, including those with links and malware attachments, to reach the user’s inbox. An administrator can stop many of the threats in the wild with email cybersecurity. This cybersecurity is usually from a third-party email application that detects a malicious message, and then the system quarantines it for further administrator review.

If you use a third-party email system such as Microsoft 356 and Google Suite, then you have threat detection and prevention built into your email platform. Google does a good job of filtering out phishing emails and emails with malicious attachments. Some email is dropped and never reaches the user’s inbox, but others are sent to the user’s spam inbox.

Because some email might reach the user, including messages in the spam inbox, users should be trained to detect phishing and other malicious messages. They should know to never open attachments from untrusted sources and never click links to unknown domains. If a link is sent in an email message, the user should type the domain in the browser and authenticate from there rather than clicking the link and authenticating on the landing page. One of the most common phishing attacks is using links to attacker-controlled servers to send users to an official looking website, where the attacker can steal user credentials.

Integrate Two-Factor Authentication on Major and Minor applications

Even with the best cybersecurity training, users still make mistakes. They could be busy and forget their training, or they could be a target of a very convincing social engineering attack. To help reduce threats from phishing and social engineering, two-factor authentication (2FA) adds a layer of cybersecurity. An attacker might be able to trick a user into divulging credentials, but two-factor would stop the attacker from being able to authenticate using the user’s account name and password.

A two-factor system greatly reduces risk, but it’s not 100% secure. Users should still be trained to stay aware of social engineering. A good targeted social engineering attack will get the user’s 2FA identification number from the user during the authentication process. In addition, attackers have already bypassed 2FA attacks by intercepting PINs sent in text messages.

Require Remote Wiping Apps on Mobile Devices

Administrators sometimes forget about physical threats, which can also put business data at risk. Users that store business data on their smartphones are at risk of having their devices stolen and data extracted from it. With a remote wiping app, a user or IT worker can delete all data on the device after it’s stolen.

A remote wiping app runs in the background and deletes all data, but users must also have a passcode on the device. It could be hours before the user realizes the device was stolen, and a passcode will stop the attacker from having physical access to the data during this time. Most modern, updated smartphone operating systems will not allow a user to access data without first entering the proper passcode.

Ask Employees to Keep Antivirus and Anti-Malware Applications Updated

You can’t control the software on a user’s private computer, but you can request that they keep anti-malware software up to date. Users can disable antivirus software on operating systems such as Windows, and this puts their own device at risk. They should be instructed not to disable cybersecurity applications. Not only should these applications always be enabled, but they should be patched every time the vendor deploys a new update.

To help facilitate better anti-malware defenses, the organization can purchase an enterprise license that would cover home devices as well as on-site machines. By investing in cybersecurity, the organization better protects assets from malware downloaded an executed on the user’s device.

Conclusion

Agencies can’t protect their data from all attacks, especially with work-from-home employees. However, we can take the proper steps to defend against common attacks and avoid a major data breach from human error. Users are unaware of the numerous ways an attacker can gain access to data, and attackers are aware of the disadvantage to organizations. Social engineering and phishing attacks have increased since companies have more work-at-home employees.

Even with a disadvantage, agencies can train employees to identify phishing and social engineering attacks. By requiring specific services activated and offering software for free, an organization can protect their user devices while defending corporate data simultaneously.

About PSL

PSL is a global outsource provider whose mission is to provide solutions that facilitate the movement of business-critical information between and among government agencies, business enterprises, and their partners. For more information, please visit https://www.penielsolutions.com or email info@penielsolutions.com.