Ryan Robinson, the chief service officer at Mainstay Technologies in Belmont, stressed during a webinar for members of the Lakes Region Chamber of Commerce that businesses transitioning to work-at-home operations need to take security measures seriously.

Robinson and other experts who help businesses meet their technology needs warned that adaptations made in response to the coronavirus pandemic are opening companies up to cyber attacks that, in worst-case scenarios, can bring those businesses down.

The use of laptops that are not part of a company’s managed infrastructure could easily wipe out a year’s worth of work, warned Todd Horton, senior network engineer at Telworx Communications of Rye Brook, New York.

Robinson said that working from home requires a business-class laptop or desktop computer, not the consumer models one might pick up at Best Buy or similar outlets.

“If an employer is going to issue employees laptops, they should be part of the company’s managed infrastructure,” agreed Horton, “with the same content protection.” Computers that can take advantage of the encryption available through Microsoft’s Remote Desktop add an important level of security.

Both Robinson and Horton prefer Microsoft computers over Macintoshes or Chromebooks, mainly because Microsoft computers are more manageable at the corporate level.

“One client who never allowed remote access now has to,” Horton said. The client chose a Chromebook for home use. “We couldn’t get our typical VPN software to work on the Chromebook.”

A VPN, or virtual private network, provides a secure connection to a network over the Internet.

“Macs work fine,” Horton noted, “our VPN works fine, but when you get to a Mac or a Chromebook, it has to be more independently managed. But I can’t say they’re any less secure, and Macs have a reputation of not getting viruses.”

Layers of security

More critical than the type of computer is the use of two-factor or multi-factor authentication. Access to the company’s network should require not only a password but also an access code that is sent to the user’s smartphone or email address, Robinson said.

Horton agreed: “Anywhere you can turn that on, you should turn it on, so if your password gets compromised, they still won’t be able to get in without the two-factor authentication.”

People who use online banking are already familiar with two-factor authentication or the use of security questions. “Even when you're in with your computer, to access different applications and websites, you still have to use two-factor authentication,” Horton said. “It adds another layer of frustration, but that’s the world we’re living in now. When working from home and your computer gets compromised, that person can have access to all the programs at the office. If that person gets something on that laptop that looks for anything on the network, that could be very dangerous.”

Horton said that, when his company sets up a system for a client, it works in several layers of isolation so, if a computer picks up a virus or ransomware, it can’t get to the company’s server.

“With all that’s going on, people are in a hurry to be able to work from home, so they might not be in a position to set it up the way we do for most people,” he said.

Horton emphasizes that, if possible, there should be separate computers for work and personal use to avoid giving malware a chance to infect the system through a game, link, or other phishing scheme that targets consumer internet use.

If it is necessary to share a computer between personal and company use, Horton recommends setting up separate user logins. That helps to prevent malware that entered the computer by way of a game from getting into the business applications.

He also recommends not having employees log directly into the company servers but, instead, into a business computer at the office. Additionally, there should be only one “admin” account that is used only when necessary to do things at the server level. Normal business should be conducted on regular user accounts, Horton said.

Awareness

Robinson said regular employee training should emphasize cyber security, and it should take place at least yearly. Users should be aware of security threats that enter through attachments from unknown senders, through videos shared on Messenger, and from spoofed emails — emails that purport to be from someone known to the user, but in reality are from someone sending an attack virus. By clicking on the “from” address, one can see the sender’s full address, which may closely resemble that of a known acquaintance but be slightly altered.

“Always be looking for phishing scams,” agreed Horton, noting that it is as important for the casual user as the employee working from home. “They will find ways to trick you into putting your password into your computer and they will take advantage of your email account to ask someone to send you money, or contact vendors or customers. Be careful of links, even from your boss. Make a call to ask if they sent you the link before opening it. Or you might get a link that requires you to log into your account before it will open, but it’ll be something else.”

Robinson said companies should have an Information Security Program for ongoing risk assessment, including monitoring of the “dark web” — a network of untraceable online websites that do not show up using search engines. Those wishing to keep their web activity hidden use the dark web for nefarious purposes.

“It goes back to two-factor authentication,” Horton said. “Even if you get caught up in a phishing scam and pick up a keyboard logger, if you have two-factor authentication turned on, they can’t use it. That’s a lot of what is the threat these days.”

The entire video is available for viewing on the Lakes Region Chamber of Commerce website.
