How to Protect Employees from Phishing While Working From Home | Secure Cloud Backup Software | Nordic Backup

With the COVID pandemic, many businesses were forced to allow employees to work from home in an effort to maintain productivity. While this has worked well for many companies, attackers are also aware of the weaker cybersecurity that comes with an at-home workforce. Employees who work from home do not have the enterprise-level cybersecurity knowledge or standards that are implemented on a business network. Phishing is one of the most effective tools available to an attacker, and the number of phishing attacks has greatly increased since the coronavirus outbreak as more employees work from home. As a business, you can still take steps to protect email accounts and business data as users send and retrieve messages on their home devices.

Only Use Business Email for Business Messages

Users who work from home usually have both their business email address and personal email address available on a local device. It can be tempting for a user to simply use a personal email address to send and receive business messages, but this leaves your company open to eavesdropping should the user’s personal email account get hacked. IT staff also have no control over the filters and the messages that reach the user’s inbox on a personal email account.

Employees should be encouraged to use only business email accounts for business-related messages. This standard helps with cybersecurity in several ways. First, business email goes through the organization’s corporate email server, which should have cybersecurity filters installed. Malicious attachments sent to a business email server can be scanned and quarantined if they contain suspicious macros. Finally, business email messages can be archived and backed up in case of data loss.

Enable Multi-Factor Authentication

For any email account, users should have multi-factor authentication (MFA) turned on. Most users are familiar with MFA. The user first enters a password to access an email account, and then the system sends a secondary personal identification number (PIN) via text message. The user then enters the PIN into the system and can access the email account. This extra step might seem inconvenient to users, but it stops attackers from authenticating into an email account after a successful phishing attack on the user’s credentials.

In addition to email, MFA should be implemented on any system users can access remotely. Any business web applications that contain critical information should also have MFA enabled. By implementing MFA on critical systems, you can stop attackers who are able to successfully trick users into disclosing critical network and application credentials. Attackers might have the user’s password, but they cannot fully authenticate into the system. However, if a successful phishing attack happens to your organization, you should still force mandatory password changes.

Use DMARC on Work Email Services

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a way to secure your domain from phishing. One common way attackers trick employees into disclosing private data is to use a spoofed “from” address in an email message. The email protocol allows any value in the “from” address, which means an attacker can make an email look like it comes from a legitimate user. Employees simply look at the “from” address, recognize the user, and then immediately trust the sender. DMARC stops this from happening.

DMARC uses the DNS (domain name system) protocol to whitelist the IP addresses that are allowed to send email on the organization’s behalf. When a message is received by an email server, the system looks up the sender’s domain in DNS and checks whether the sending IP is on that list. If the IP is not in the allowed sender list, the email server drops the message. Some email servers instead quarantine the message for further review. Both methods stop the email from reaching the user’s inbox.

In addition to using DNS to stop fraudulent emails, messages also contain a signature within the content that the recipient email server can use to verify messages. Combined with DNS whitelisting, DMARC eliminates most phishing attempts. Attackers can still use alternative email addresses and social engineering, but they cannot use spoofed sender addresses.
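The following is an added example, not code from the original post or from Nordic Backup, showing how a receiving server applies the two checks described above: it consults the domain’s DNS-published allowed-sender list and the organization’s DMARC policy, then decides whether a message whose “from” address claims that domain is delivered, quarantined, or rejected. The DNS records, domain and IP addresses are constructed samples; the alignment between the authenticated domain and the From header is assumed rather than checked.

```python
import ipaddress

# Constructed DNS TXT records for a hypothetical domain; no real lookups are made.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def ip_allowed(sender_ip, domain):
    """Is the sending IP on the allowed-sender list the domain publishes in DNS?"""
    ip = ipaddress.ip_address(sender_ip)
    for term in DNS_TXT.get(domain, "").split():
        if term[:4] in ("ip4:", "ip6:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return True
    return False

def dmarc_disposition(from_domain, sender_ip, signature_valid):
    """Decide what the receiving server does with a message whose From: header claims from_domain.

    Simplified (assumption): the IP check and the content signature are taken to already
    align with from_domain; a full DMARC implementation verifies that alignment separately.
    """
    policy = parse_tags(DNS_TXT.get("_dmarc." + from_domain, "")).get("p", "none")
    if ip_allowed(sender_ip, from_domain) or signature_valid:
        return "deliver"          # authenticated: reaches the inbox
    if policy in ("reject", "quarantine"):
        return policy             # spoofed From: dropped or held for review
    return "deliver"              # p=none: monitor only, message still delivered
```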

Use Email Filters that Scan Attachments

Malicious attachments are another attack vector. These attachments carry scripts that download malware to the local device. Usually, they are Microsoft Office documents, which allow embedded programs (macros) to run when the user opens the file. Current versions of Microsoft Office warn the user by default, but many users give permission to macros without considering the consequences.

Macros can perform numerous changes to a system besides simply downloading malicious files. Changes to the user’s local device could give an attacker remote control. An attacker can then view content on the desktop, use the computer to attack other users, or use the device to transfer sensitive data to an attacker-controlled server.

By scanning and quarantining emails with suspicious attachments, malicious files can be reviewed by an administrator. If the attachment is malicious, the administrator can delete the email message. If it is not malicious, the message can be forwarded to the user’s inbox. By using a quarantine email system, false positives can be preserved, and malicious messages can be purged from the system and never reach the user’s inbox.
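As an added example (not code from the original post or from Nordic Backup), the filter below implements the quarantine check described in this section for the common case of Office attachments: it flags macro-enabled file extensions and also opens each attachment as a zip container to look for an embedded VBA project, so a renamed file does not slip through. The email message and attachments are constructed sample data; the sender and recipient addresses are placeholders.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that mark macro-enabled or legacy binary Office formats.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".doc", ".xls"}

def has_vba_project(data):
    """Modern Office files are zip containers; a macro-enabled one carries a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False

def suspicious_attachments(raw_message):
    """Return attachment names that should be held in quarantine for administrator review."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in MACRO_EXTENSIONS or has_vba_project(data):
            flagged.append(name)
    return flagged

def build_sample(filename, attachment_bytes):
    """Construct a test message with one attachment (constructed data, not a real email)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def sample_docx(with_macro):
    """Build a minimal zip shaped like a .docx, optionally with an embedded VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()
```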

Offer User Training

Social engineering and a well-crafted phishing campaign can overcome even the best email cybersecurity. Without training, most users are unable to identify a convincing phishing campaign and will often fall for social engineering attacks. Every financial and health institution gives user training to protect customers’ private data, because a data breach is a costly mistake for these organizations. Small and large businesses should do the same.

User training for cybersecurity should be a part of the onboarding process, but it should also be a part of the employee manual. Users should know that insider threats are a common reason for data breaches, but they can take steps to ensure that phishing campaigns are not successful. Users should know how to spot a phishing or social engineering attack and the right person to report suspicious activity for further review.

Keeping Cybersecurity with Work-at-Home Employees

Although an organization can’t control local user devices as they work from home, users can be trained and specific remote cybersecurity procedures put in place. By implementing the right training and technology, you can stop phishing and social engineering attacks in email and protect sensitive business data with an at-home workforce during the pandemic.
