During these unprecedented times of “social distancing,” “shelter-in-place,” and “stay-at-home” orders, everyone is having to learn or experiment with new technology and work habits. For many people, this will mark their first exposure to remote work and virtual settings. With these new realities comes a need to not only remember a few fundamental security tips, but also a need to learn a few new security tricks as well. This post should help you understand a little bit of what has changed and how you can utilize technology safely from home or wherever you are. The principles outlined below will serve you well, both now and after things return to a “new normal.”
Why Security And Privacy May Look a Little Different During the “Stay-at-Home” Time:
- People are using lots of new technology platforms and tools. An important part of learning these new tools is understanding and utilizing the security features of each tool. This is not always easy, and does not always come quickly.
- People are working from home, outside of the normal security safeguards built painstakingly into their workplace networks. As such, some of the normal protection built into the “corporate firewall” is not present and companies have less ability to control security risks that exist in their employees’ home environments.
- The “bad guys” are looking to take advantage of the situation. They know you are using new tools, and that you may not be as familiar with good security practices related to those tools.
- Physical security on your office building is also different now. Did you remember to change the schedule on your physical access control systems to default to “locked”during your normal, (now unoccupied) business hours?
Some New Twists on Threats, And How to Respond:
- Watch for phishing attacks that emulate government relief programs, e.g., links to sign up for unemployment, aid, stimulus checks, etc. The government does not make a habit of emailing you to “login” to their sites with personal information or accounts.
- Instead of following a link, make sure you go to their published site by entering it directly into your browser, for example, www.irs.gov. Be careful of copycat sites, especially if those sites ask you to make a payment to receive your check.
- Watch for fraudulent requests for help (asks for gift cards, money transfers, etc). Even during normal times, we frequently see a sneaky ploy in which someone asks you to send emergency Walmart, Apple, or Visa gift cards to needy people or organizations. With the current virus situation and the resulting unemployment, you can expect to see even more of this now.
- Be especially careful of look-alike accounts ([email protected]) asking for aid. Key giveaways are requests that ask you to bypass normal procedures due to an “emergency.”
- Be aware of Username/password “grabs.” Phishers know that many organizations are implementing all sorts of new work-from-home tools, like Teams, Zoom, remote access software, VPNs, etc. They will try to trick you to use your Office365/Google/Apple/Facebook account credentials to log into a dangerous site that looks interesting, attractive, or helpful.
- Be wary of a message asking you to log in to a new tool for the first time. Verify that it really is coming from your organization or staff. Key giveaways are look-alike accounts and links that don’t match the public login page that you would expect to see.
- When in doubt, verify using a known good contact.
- If you receive a suspicious email/Facebook/Twitter/text message, don’t respond to it via the same method. If your contact was a victim, an attacker could be monitoring the account and respond. OR you may be responding to the “look-alike” account.
- Confirm by calling them via a known good phone number, not the one the suspicious email included. If the message came from a company, such as a bank or store, call them at their published number or the number on the back of your credit card.
- Take advantage of multi-factor authentication wherever possible. We recommend this strongly for ALL accounts, including email, social media, banking, etc.
Learn to Use Your New Tools Safely:
- Work-from-anywhere tools are designed to make sharing easy. This is a huge help but presents dangers as well. It is very important to practice good security habits.
- Zoom has taken some criticism recently for security holes in its product, but many work from home tools share similar “vulnerabilities.” We feel that the media has unfairly focused on Zoom and much of has been written has been unwarranted. The bottom line is that regardless of the tools you use, knowing how to use them safely is vital. And proper use is every user’s responsibility.
- Using tools with your security settings disabled is like having a deadbolt on your door and leaving the door propped open. Sure, it makes coming and going easy – but it does so not only for you, but also for an untold number of unwanted visitors.
1. Be Safe When Using Collaboration Tools:
- Make sure that you don’t share direct links to an open meeting or room with the public, via social media for example.
- If you are presenting a “public” meeting, such as a webinar, make sure to require registering for the event and use a platform that supports such events. Tools such as MS Teams Live Events and many others allow you to control the content and participants.
- Make sure if your platform uses an easy-to-guess meeting identifier like a number, that you also use passwords and require logins to access the meeting.
- Make sure that you use waiting rooms/lobbies to allow only the desired participants to enter.
- When presenting, consider whether you want to allow external users or guests to share their camera, screen, or audio at all. If your platform supports it, would an event mode be more appropriate?
- Use long, hard-to-guess meeting room names. Platforms like Jitsi allow you to choose your own meeting name. Choose a name that would be very random or incomprehensible to outside people, but which would make sense to your invited attendees.
2. Be Safe When Using File Sharing Tools:
- Verify whether your shared folders should ever be set to allow external and/or anonymous sharing. Most can be limited administratively.
- Certain folders, such as accounting, HR, and counseling should be set to prevent external and anonymous sharing, even by owners of the folder.
- Take advantage of features to restrict downloading files. For example, files saved in Microsoft Teams/Sharepoint/OneDrive can be shared, and you can disallow downloading the file.
- Be careful when sharing entire folders – the people you are sharing with will have access to everything in the folder.
- Be intentional about when you want people to have rights to “view only” vs. edit.
- Periodically review your sharing settings to make sure you still want to share files with everyone with whom you’ve shared them in the past.
Organizational Security Considerations For Now (and Later)
- Most organizations have a firewall that provides an important layer of protection. However, with so many people working from home and elsewhere, that layer of protection is no longer necessarily present. So, you need to keep providing firewalled security wherever people work.
- Enable recommends Bitdefender Endpoint Protection for every computer owned or managed by the organization. It provides excellent protection against malware, web exploits, etc. It is also a great solution for your personal computer!
- We recommend enabling the Windows or MacOS firewall on all computers.
- Help your users stay “security aware” and serve as “human firewalls.” Regular security awareness training is essential to keep your team abreast of new security threats and keep security awareness in the forefront of their minds. Enable can help you identify effective security awareness training programs.
- Reduce the phishing messages that actually reach your employee’s mailboxes. We love the IronScales anti-phishing product. It is installed on your Office365 or Gmail email server and uses artificial intelligence to identify and remove or warn of likely phishing messages. At this point, it performs this function better than anything we’ve seen. It’s especially effective against those “look-alike” emails.
While intentional security practices are important at all times, during periods of crisis and vulnerability, it is especially important for users to be vigilant and look out for ways “the bad guys” will try to take advantage of current events, panic, and confusion. We hope this guide serves as a reference point for your church staff to stay safe while working remotely!