A Message To Our IT Clients
I’m sure you all love receiving emails from every vendor you’ve ever contacted explaining how they’re dealing with COVID-19. For us, it’s simple. We’re still operating at near 100%, but we are limiting onsite work as much as possible. Everything else is more or less the status quo for us.
The real reason for this email is to help provide some guidance with the transition to working from home and to let you know that we’re always available to discuss your options and to provide a more customized remote work solution. I realize now that I’ve written a novel, which was not my intention when I started, but try to get through it all. I feel the information below will be helpful to those who are concerned about the risks of working from home, and it may serve as a wake-up call for those who think there’s nothing to worry about.
Security during COVID-19
You might have noticed that security is a common theme I mention in these email blasts. I place a special importance on security when sending these because security is usually an afterthought for most people. As long as folks can get their work done, they don’t pay special attention to security, so I like to keep reminding people that security is a constantly moving target and that security threats to your business need to be taken seriously even by the smallest of organizations. Consider that ransomware groups and other malicious organizations are multi-billion-dollar “industries” that operate more or less like a normal business. They have to constantly find new targets and are always learning new ways to exploit vulnerabilities. Security systems and best practices which were effective a few years ago may no longer be adequate.
Since COVID, cyber security experts have noticed an uptick in malicious activity worldwide, including email phishing scams and malicious login attempts. Now, more than ever, you and your staff need to be diligent in identifying and preventing attacks which prey upon our human insecurities. Many of us have applied for loans and other financial assistance, which makes us particularly vulnerable to socially engineered email scams pretending to be banks or other entities asking us to provide banking or other sensitive information. Be especially diligent when providing financial information via email or through an online portal. Double check to make sure the email came from a bank or entity you have history with, confirm the sender email address, and be suspicious if they don’t provide a secure web portal that’s directly linked to their website. A particularly effective method attackers use to breach an online account is sending an email to someone on your team which appears to be from Microsoft, Google, or Dropbox, asking the recipient to click a link which takes the user to a website that looks almost identical to the online service’s login page. When the user enters their login credentials, the malicious party obtains the credentials and can log in to the real account and access data or cause other harm.
Since people’s routines are all mixed up, we’re particularly vulnerable. Malicious groups know this and are actively working to exploit our inherent human weaknesses.
Two Factor Authentication (2FA)
Luckily, there are a few ways to protect yourselves and your staff from the majority of email scams trying to steal login credentials. Two-factor authentication (2FA, also called multi-factor authentication or MFA) is an extremely effective method of preventing others from accessing online accounts. Many of our clients already have 2FA turned on, but there are still plenty of folks we work with who do not have this most basic level of protection enabled. The good news is that it’s becoming easier to enable 2FA for services such as Office 365 and G Suite in a way that doesn’t require too much handholding from us, which will help reduce costs. By enabling 2FA on the admin portal of many online services, we can force 2FA to be configured by the user the next time they log in. We always coordinate this with the users and provide documentation for them to follow when they are presented with the 2FA setup process. This is a great way to protect company data with little cost. Even though there’s a shelter-in-place causing financial stress all around, consider the impact a breach will have on your organization. This article contains helpful information about 2FA: https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/
Single Sign On (SSO)
Taking security a step further, and adding in some convenience, is enabling Single Sign-On (SSO). SSO is the future. Currently, many of our clients have multiple online cloud services they subscribe to. This means each user will have unique accounts for Office 365, Dropbox, QuickBooks Online, Autodesk, Adobe, etc. Usually the user will use a single password for all of these accounts, and sometimes passwords are quite simple and easy to guess or crack. This means that, when a single account is compromised, other accounts can potentially be compromised as well. SSO is part of the solution to this problem. With SSO enabled and configured for the cloud services you use most often, those cloud services will look to a single master account and only allow a login using that one master account, which is configured to require a strong password along with 2FA. This is why it’s called Single Sign-On. Only a single username and password are needed to access all those accounts, which are protected via 2FA. Usually this single account you’d use to access all other accounts would be either your Microsoft or Google account. Now, this might sound less secure. “What if that one account is compromised?”, you might be thinking. Well, it’s true that if the one master account was compromised, there’d be a huge issue, but for that account to be compromised, the hacker would need the username, the password, and access to a device the account owner controls to access the second factor. This is pretty unusual, and 2FA stops about 99.9% of account breaches. When a user is offboarded or if there’s a risk of the account being compromised, access to all accounts can be suspended by suspending the one master account.
We use SSO at LMi and it’s a game changer. I no longer have to type in passwords for every online service I use. I have a single account I log into which grants me access to all other accounts. It’s more secure and much more convenient. I can’t imagine going back. Unfortunately, unlike enabling 2FA for your users, enabling SSO is a more time-consuming and user-impacting process, so if your business is struggling due to the shelter-in-place, this item is something we should discuss later when business returns to normal.
Try not to be intimidated by these confusing terms and processes. Once set up, these systems become second nature and actually make access easier and you’ll sleep better knowing you’ve taken reasonable steps to secure your data. Just because you’re comfortable with a process doesn’t mean it can’t change. Avoid being that organization that rushes to make a change only because a breach happened. Heed the warnings you read about here and online. This is not just fear mongering. The threats are real and, most of the time, they are not targeting you specifically. Usually malicious groups look for easy targets. Stay under the hacker’s radar!
Working from home security challenges
Luckily, some of you use professionally managed business laptops as your primary business computer, which makes working from home relatively safe. But for those of you whose users are forced to use a home computer, there are particular security concerns to be aware of:
- Home computers are generally shared with other family members and are inherently less secure than professionally managed business computers.
- Remote logins to the office are at an all-time high and credentials can be intercepted if proper precautions aren’t in place.
- Data leakage can occur if home computers are used to store company data. Users may save email attachments, sync Dropbox/Google Drive files to their home computers, and files can be copied from the company file server directly to a home computer. If this computer were to fall into the wrong hands, either digitally or physically, company data is at risk.
- Data and productivity loss can occur if users save files locally to their home computers and something happens to the computer, such as a failed hard drive or computer theft.
We have no idea how long the shelter-in-place can last, so it’s probably a good idea to consider the work-from-home paradigm lasting for at least another month or two but possibly even longer. If your organization has users accessing company resources on their home computers, we highly advise getting laptops used exclusively for work. We can help select powerful laptops that will work well after people return to the office. We’ll of course be conscious of the cash flow limitations facing many organizations when selecting computers, but it’s always advisable to get business-grade computers instead of rushing to Best Buy and buying a $500 laptop which will become a doorstop in 1-2 years and won’t perform as well as the computers your users are used to.
If getting new laptops is not possible, consider having LMi manage the home computer like we do the work computer. With us managing the home computers, we’ll make sure computers are up to date with security patches, have antivirus and DNS protection to help prevent malware, and we’ll be able to encrypt some computers to prevent data loss in case of theft. This also allows us to provide the same level of support to the user to keep them working efficiently.
We also offer a la carte antivirus for only a few dollars per month per computer, so this is another good option for securing a home computer.
If getting a laptop or allowing LMi to manage the home computers is out of the question, I’ll provide some tips you can tell your users to employ to help secure the home computers:
- Mac and Windows: Install Malwarebytes Antimalware. Install it, update it, and ideally pay for it so it runs in the background, but if you don’t pay, at least run it manually once per week and remove any infections it finds.
- Mac and Windows: Perform all operating system updates manually each week.
- If there’s a company file server or cloud server, tell your staff to not save files locally to their own computers. Ask them to save important company data to the server. If the users don’t have a place to save data that’s not supposed to be shared with other users, we can create personal folders for them to save their data to.
- If users have no choice but to save data locally to home computers, consider installing cloud backup software on the computers to back up company data to the cloud. Costs are around $10 per month per computer.
- If the home computer is shared with others in the home, especially teenagers, it’s highly advisable to convert user accounts used by others in the house to non-admin accounts which prevents those accounts from being able to install most malware. We can work with the user and connect remotely to configure this.
- Ask your users to alert us if they notice anything strange about their computer. They may notice additional browser plugins running they don’t recognize, or maybe they notice more pop-ups than usual, or maybe they notice a sudden slowdown. We can remotely connect and help, to a limited degree, with home computers, so we highly encourage your staff to keep a watchful eye on their computers and to alert us if anything seems out of place.
Considering we might be in this surreal state for some time, it might be good to know there are options to improve how your users work remotely. For example:
- Clients who have Windows Servers are able to utilize a feature called RD Gateway which allows the user to control their work computer from their home computer without needing to connect to a VPN first. It’s a fast, efficient, reliable, and secure method of remotely controlling their office computer requiring minimal configuration from the user.
- If you’re ready to take a huge leap forward, you can ditch work desktop computers entirely and build a VDI (Virtual Desktop Infrastructure), which essentially means the user never has a physical computer but instead remotes into a virtual computer using a small thin-client which is used only to connect to the remote server. Windows Server has the ability to provide a terminal experience which allows the user to remotely access their own virtual desktop, email, and apps without even needing a powerful work computer. This can also be done via a cloud server.
Please let us know if you want to schedule time to speak with one of us regarding anything covered above or anything else regarding changes to your IT infrastructure to accommodate remote work.
May life hopefully return to normal soon.