Emergencies are what they are. In an emergency, we act with urgency and swiftness with a focus (tunnel vision?) on immediate results. That’s good. In the short term, immediate action saves lives and helps to reduce dire loss. Emergencies are also scenarios where “normal” protocols get overlooked - appropriately so - but in doing so, they create new risks. Unfortunately, bad actors in the world (I don’t mean the Hollywood kind) don’t change their behavior in these situations - in fact, they often pounce on the opportunity to exploit new weaknesses exposed by folks operating under urgency. It’s sad, but it is true.
With a pandemic event, everyone is scrambling (aka acting with urgency) to piece together ways to operate their businesses. Normal protocols are overlooked and management is usually acting in a reactive way. Aside from business leaders needing to rise to the occasion, it is also time for your process to shine. If you don’t have a cybersecurity program, now is the time to start. If your cybersecurity program has an inch of dust on it, it’s time to revisit it and make some improvements.
There’s No Such Thing As “Secure”
Implementing some simple tips is hardly a security program and you shouldn’t fool yourself into thinking this list will be the be-all, end-all. What is important to keep in mind however, is that there is no such thing as 100% secure. While this may sound scary, take it as a load off your shoulders. No matter what you do, you will not be 100% invulnerable. Security is not about perfect, it’s about managing risk. Once you adjust your expectations, you will find yourself much more likely to get moving and that is the key - get started on something and you will find it feels good to be making improvements toward being more secure.
Risk = Likelihood * Impact
All risk comes down to two primary factors: Likelihood and Impact. Keep this in mind as you make your first decisions about what measures to take and what to wait on. Obviously, the focus is usually on the concerns that would impact your business the most - but remember, if the likelihood is close to zero, there’s not a lot you need to do. Conversely, don’t spend a lot of effort on “fixing” things that wouldn’t have a big negative impact on your business - as they say, don’t put a $2000 fence around a $200 horse.
Security Is About People
One last thing before we look at our list - remember that most security issues are people and/or process-related, not technology issues, per se. So if you think you might need a piece of shiny technology to save the day (“We need to upgrade our firewall”) - think again. Your best risk management strategy is far more likely to focus on people and process than any particular piece of technology.
5 Things To Do Now
1. Educate your team on Phishing Scams and Best Practices
Phishing scams are one of the top methods of compromising machines, networks and ultimately, critical business assets. During emergency situations, scams abound, and every piece of communication with your team about the current situation should include a reminder to stay vigilant about scams and bogus emails, text messages, etc. Make sure folks know not to follow links in emails unless they are absolutely certain the links are authentic. Also keep in mind that weird links sent to you from recognized senders may mean their email was compromised. So if you weren’t expecting a link or if you don’t know the sender, think twice. When in doubt, call the person up to verify. Here are some great tips about Avoiding Phishing Scams from the Center for Internet Security.
2. Make sure you have an acceptable use policy
This might sound draconian. “We’re a small company, that sorta stuff is bogus” - nonsense, having an acceptable use policy sets clear expectations with your team. It is absolutely amazing how compliant folks will be once you set clear boundaries and rules. Make sure your policy includes a Bring Your Own Device (BYOD) clause as well as email and social media rules. The SANS Institute is a GREAT resource for Information Security Policy Templates which will get you started very quickly. Don’t overthink it, you can get this rolling in a few hours. If it’s not perfect, you can fix it.
3. Start an approved software list
Like the Acceptable Use Policy, keeping a list of approved software is important with regards to setting parameters for your team and it is SO easy to do. We simply started a Google Doc and gave everyone in the company “Can Comment” permission. When anyone on the team wants to use a piece of software, they make a suggestion in the document and we review it. Once we deem it legit, we approve it. What is really nice about this is that by keeping a list (we maintain the list by categories that describe the purpose or use of the software), we have found that our teammates go to the list and find something already approved and use that.
A good example of how not having such a list gets out of hand is an emergency event just like the pandemic situation we are in now. As folks are scrambling around to find video conferencing software, your organization will start using a dozen platforms before you know it. It’s a much worse scenario when that occurs with file-sharing software (Dropbox, Google Drive, Box, iCloud), where you wind up with your data on multiple platforms and essentially out of your control. The payoff of standardizing on a smaller number of platforms goes beyond managing security risk - think of how much smoother your operation will be if everyone only needs to learn Zoom or Hangouts Meet. It can also save a fortune in licensing fees.
4. Stop logging onto your computer as an administrator
One of the easiest things you can do to reduce the risk of malware is to stop using an administrative account to log onto your computer every day. Yes, sometimes you do need this permission level to install software or make configuration changes to your operating system. But 99% of the time in your day-to-day use of your computer you do not need it. Being logged on as an administrator exposes you to significant risk. If you do wind up at a malicious website or otherwise get exposed to malware on the network while you are logged on as a user (and not an administrator), you simply won’t have the permission to install the malware - and often the crisis is averted.
The answer is simple. Create a new account on your computer and give it admin permissions. Then go back to your regular account and change it to a user account. Proceed as you normally would and on the occasion that you need to do something that requires administrator privileges, you will be prompted to provide the credentials for that other account. Do so thoughtfully. Here’s how you do it on Windows and here’s how you do it on Mac.
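The account split described above, scripted for Windows as an added example (it is not from the original post). It assumes local accounts and an elevated PowerShell session; the admin account name `local-admin` is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: separate a daily-use Windows account from a dedicated admin account.
# 'local-admin' is a placeholder name. Pass -DailyUser explicitly if the elevated
# session is not running as the account you use every day.
param(
    [string]$DailyUser = $env:USERNAME,
    [string]$AdminUser = 'local-admin'
)
$ErrorActionPreference = 'Stop'
if ($AdminUser -eq $DailyUser) { throw 'The admin account must be a different account.' }

# Resolve the built-in groups by well-known SID so this also works on
# non-English Windows installs, where the group names are localized.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'   # Administrators
$usersGroup = Get-LocalGroup -SID 'S-1-5-32-545'   # Users

function Test-InGroup([string]$User, $Group) {
    [bool](Get-LocalGroupMember -Group $Group -Member $User -ErrorAction SilentlyContinue)
}

# 1. Create the separate admin account first, so a working administrator
#    always exists before anything is demoted.
if (-not (Get-LocalUser -Name $AdminUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for new admin account '$AdminUser'"
    New-LocalUser -Name $AdminUser -Password $pw -Description 'Admin tasks only' | Out-Null
}
if (-not (Test-InGroup $AdminUser $adminGroup)) {
    Add-LocalGroupMember -Group $adminGroup -Member $AdminUser
}

# 2. Verify before demoting: never remove the only administrator.
if (-not (Test-InGroup $AdminUser $adminGroup)) {
    throw "'$AdminUser' is not an administrator; not demoting '$DailyUser'."
}

# 3. Make the daily account a standard user: in Users, out of Administrators.
if (-not (Test-InGroup $DailyUser $usersGroup)) {
    Add-LocalGroupMember -Group $usersGroup -Member $DailyUser
}
if (Test-InGroup $DailyUser $adminGroup) {
    Remove-LocalGroupMember -Group $adminGroup -Member $DailyUser
}

# 4. Report the resulting state for both accounts.
'{0}: admin={1}   {2}: admin={3}' -f $DailyUser, (Test-InGroup $DailyUser $adminGroup),
    $AdminUser, (Test-InGroup $AdminUser $adminGroup)
```

The group change applies to the daily account at its next sign-in, so sign out and back in before relying on it.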
5. Get better wifi at home
There have been very significant improvements in wifi routers over the past few years. Most folks have been using the old one they got 10 years ago. This is a small investment that can have a big payoff, both for network performance and security.
Netgear Orbi, Amazon Eero and Google Nest Wifi are “Mesh” routers that not only provide amazing improvements in bandwidth and coverage, they also have more sophisticated configurations that allow you to set up multiple networks in your house - so you can get the PlayStation, the Apple TV and the kids’ laptops on one network and keep a dedicated network for your work computer. This isolation drastically reduces the ability of malware to jump from one device to another. As if you didn’t have enough to worry about, a vulnerability in a PlayStation of one of your remote employees could infect your work environment. As a side benefit, you can usually configure these individual networks to have bandwidth priority so your video conference call doesn’t lag because one of your kids is playing Call of Duty Warzone.
If you don’t want to spend the money on a new wifi, at least check your current router and see if you can set up a guest network - and put all the household devices on the guest network and leave the main one for your work devices.