Coronavirus Remote Work Cybersecurity Checklist
By Pam Sornson on March 31, 2020
As a business owner, you have much to think about these days, especially with some or all of your staff working from home due to the spread of the coronavirus. That work-from-home reality generates new cybercrime concerns, so it's crucial to make your systems as secure as possible. By following a checklist of steps you can take to ensure your off-site workforce is productive and secure, you can turn your attention to maintaining your company's equilibrium in these challenging times. You can start the process by installing the Apozy Airlock web browser extension, offered for free to companies affected by the COVID-19 virus.
Working From Home - the "New Normal"
For many companies, the 'new normal' created by the spread of the COVID-19 virus means having some or all of their employees working from home. The transition presents several challenges to corporate leadership, the biggest being the cybersecurity threat that arises when all those personal computers connect into the company's data stores and digital systems. Removing the worker from the office also removes them from the safety and security processes that keep company data and systems secure.
The home computer adds another complexity to the BYOD trend - Bring Your Own Device. The rise of mobility and hand-held computing devices allows many workers to conduct work projects on their personal devices. However, statistics indicate that as many as 85% of all mobile devices have no security protections at all, so they act as open portals to cyber thieves. Like those mobile devices, many home computers also lack the security procedures and protocols that are ubiquitous in today's business community, which also makes them easy targets.
Compounding the work-from-home challenge is the fact that over 40% of all cybersecurity incidents come from intentional or inadvertent employee activities. That percentage may rise in companies where workers are now working from home, unsupervised and alone.
So how do you protect your company, its contracts, and its consumers from the challenges posed by your newly established at-home workforce? A good start is to protect the web browsers through which that workforce connects to the Internet and your corporate computing systems.
Protect the Browser, Not the Device
Web browsers are arguably the most used portal for Internet access; they are accessible from any device, they facilitate quick and easy web cruising, and they contain vast quantities of information for future user reference. There are several browser options - Chrome, Safari, and Internet Explorer are the most popular - and each comes with a myriad of options, services, and features to enhance that computing experience. It is because of their popularity that Web browsers are also the most common portal through which cyber thieves gain access to company information: so many people access them to go about their daily lives, both at work and home. Browser data is rich with public, private, personal, and confidential information that makes it enticing to cyber thieves. While the volume and type of data they seek are almost infinite, most cybercriminals will look for information related to these targets:
- A listing of visited websites, including their URL's, page names, and even a date and time stamp declaring when the site was accessed last;
- All saved login information. With login information, the thieves can access all the computer owner's accounts, and perhaps even those of your company.
- HTTP cookies, which are tiny data bits placed on a computer's hard drive by the owners of visited sites. Cookies share user browsing data with their owners. "LocalStorage" is an updated form of cookie that stores more data locally - on the computer's hard drive, making it easier to access and steal.
- Autofill programming fills in all the blanks in commonly used web-based forms, so users don't have to. That data, too, sits on the hard drive, ready to be stolen.
Thieves can use browser data to identify when, when, how often, and what users are searching for, including the businesses they shop at, the products they buy, and in some cases, even the prices they pay. The data can also reveal email addresses, page titles, and downloads, all of which provide even more in-depth insights into the user's intentions and capabilities. When those users are also accessing business files and records through their home browser, the browser is collecting that information, too. Without appropriate filters or other cybersecurity layers, thieves can make off with the confidential information of both the at-home worker and their employer.
Apozy Airlock is Designed to Foil Browser Intrusions
Since 2014, Apozy has been working to ease access to clean, safe information. Using an AI-powered browser defense platform, Apozy Airlock uses a petabyte-scaled database of cyber threat indicators to analyze the websites that users are viewing, looking for common cyber intrusion tactics, including Phishing (emails that, when opened, unleash malware into the user's system), DDOS attacks (a distributed denial of service that freezes the function of entire networks), and malware (including spyware, worms, and viruses).
When an employee seeks access to a compromised website through the browser, Apozy Airlock isolates that threatening website and converts it into 'read-only' web pages. Workers can then get the information they need - or determine it isn't available - without opening an access to the corporation's databanks.
Apozy Airlock offers a variety of digital security supports:
- It analyzes and alerts you to browsing events that may lead to a security incident, including the precise URL and the type of threat that exists there. With that information readily available, your team can address the problem before damage can occur and take steps to avoid the challenge in the future.
- It adds each security incident to your company's 'cybersecurity playbook,' so you can share it with other systems or integrate it with proprietary apps to prevent a problem in the future.
- It's easy to install and use:
- The web browser extension links seamlessly to every browser with just one click.
- It provides a secure gateway behind your corporate firewall, and that covers your entire network.
- Management controls deployment using Google Admin, Group Policies, or User Enrollment to attach the extension to every authorized corporate browser.
- In most cases, full organization-wide implementation takes less than one minute.
Checklist: Basic Security Precautions for Remote Workers
Once the Airlock is in place, you'll still want to set data security standards in place for your at-home workers. These best practices cover three main domains for digital security: technical, human resources, and legal. They will help you address the security challenges posed by your new at-home labor force:
Technical best practices:
- At a minimum, educate your employees about the need for data and computing security:
- Enable double authentication on all their devices.
- Ask them to turn off the 'auto-connect' function on their devices.
- Prohibit the use of any 'free wifi' services they may encounter.
- Ask them to limit their work time to when they are physically in their homes. Even with the stay-at-home standard, some may elect to visit family members or friends while the situation evolves.
- Require them to log out of every device after every use.
- If possible, let your workers take their company tech assets home with them, which will preserve as much as possible your existing security systems.
- If that's not possible, require your workers to apply the highest possible security systems to all of their 'endpoints' - their personal computers, laptops, and mobile devices.
- Mandate that all workers, regardless of their location, use a Virtual Private Network (VPN) for all corporate activities and across all corporate networks.
- If possible, apply Network Access Controls (NAC) across your systems to validate users and devices, and to reject access to unsecured machines.
- Protect your corporate data with Data Loss Prevention (DLP) tools.
- Employ encryption at every point in your systems, including both resting and in-transit data, email services, and application access procedures.
Human resource best practices:
- At every opportunity, review and reinforce with all your workforce the technical best practices listed above.
- Your specific situation may also call for extra layers of protection over your corporate databanks and bases, such as additional authentication and access protocols. These can inhibit workers who may have less than honorable ideas about how to use their time out of the office.
- If your company manages highly sensitive or secretive data, you may have to make even more modifications to your security systems to ensure they can continue to access the data they need.
Legal best practices:
Despite the community chaos, your organization probably still has contracts and agreements it must honor, as well as industrial standards that it must always follow.
- Review all contracts for terms that may be affected by an at-home workforce, such as liability and indemnification clauses. Errors or breaches that occur during this time may nullify the agreement or shift liability to your enterprise.
- Review your corporate insurance policies, too, to determine the extent of cybersecurity coverage and exclusions.
The coronavirus is causing millions of workers to work from home, which is undoubtedly attracting the attention of thousands of global cyber thieves looking to exploit the corporate vulnerabilities that those workers will almost certainly expose. The Apozy Airlock web browser extension will prevent your company from becoming a victim of the impending wave of cybercrime, and it's available for free to companies impacted by COVID-19.
About the Author
Pam Sornson writes about technology, the law, parenting, and the environment, among many other subjects. Her legal background supports her comprehensive analytical skills and her compassion for humanity helps her to connect with people on every level.
Founded in April of 2014 in San Francisco, we are a venture-backed motley crew of passionate hackers building cybersecurity technologies to make the world's information faster, cleaner and safer to access.