By Mary Jo Schrade, Assistant General Counsel, Regional Lead, Microsoft Digital Crimes Unit Asia
Over the past months, we’ve seen organizations of all types and in all industries rapidly undergo an unprecedented shift to working remotely. From the Maldivian Parliament’s shift to virtual proceedings, including parliamentary sessions and legislating, to leveraging technology to enable the dramatic expansion of remote classes in Hong Kong, it is truly inspirational to see the ways technology is being used to stay productive and connected even when people are working apart.
While millions of people around the world are now working remotely due to the lockdown, are they sure they are doing so safely and securely?
It’s an essential business question to ask at the best of times, and it is even more so now. These days, our inboxes, mobile alerts and news updates are all about COVID-19, all the time. It’s overwhelming and attackers know it. They know that many people are clicking without thinking because stress levels are high, and the attackers are taking advantage of that. Therefore, we are seeing an increase in the success of phishing and social engineering attacks.
Microsoft’s intelligence shows that these attacks are settling into a rhythm that is the normal ebb and flow of the threat environment, where every country in the world has seen at least one COVID-19 themed attack.
Attackers don’t suddenly have more resources. Instead, they are pivoting their existing infrastructure for the distribution of ransomware, phishing emails, and other malware, leveraging COVID-19 keywords that get us to click on links or open emails. Once we click, they can infiltrate our inboxes, steal our credentials, share malicious links with our coworkers, and lie in wait to steal the information that will give them the biggest payout.
Here’s what you need to look for to strike a balance between enabling remote working and ensuring cybersecurity:
Safety and privacy are integral to online collaboration
As we enable work and school remotely, the ability to manage who participates in meetings, who can present and who has access to meeting information has never been more critical. Look for a solution that empowers the meeting organizers to use controls to decide who from outside your organization can join your meetings directly, and who has to wait in the “lobby” to be let in. For further control, the meeting organizer should be able to designate “presenters” and “attendees,” to ensure no unauthorized attendee can take control of the meeting.
Equally important is the ability to moderate and control who is and isn’t allowed to post and share content as well as to monitor chats to help prevent negative behaviors like bullying and harassment.
When recording a meeting, participants should be notified before recording has started and the recordings should be stored in an encrypted repository, available only to those on the call or directly invited to the meeting.
Access is everything
Multi-factor authentication (MFA) is a simple, two-step verification process that is widely used in many consumer applications today, including for online banking. It protects users from attacks that take advantage of weak or stolen passwords.
In the case of collaboration tools, having this feature turned on by the IT administrator provides an additional layer of security. Given that cybercriminals are looking for ways to exploit vulnerabilities and leverage the weakest links, protecting usernames and passwords and requiring users to provide a second form of verification to prove their identity can help organizations to strengthen their security perimeter.
Safeguarding personal data
It is equally critical to ensure that collaboration tools offered to employees are designed for enterprise-grade deployment. They should incorporate industry standard technologies such as Transport Layer Security (TLS) and Secure Real-Time Transport Protocol (SRTP) to encrypt all data between devices and the cloud. They should also have safety measures for data loss prevention and sensitivity labels to restrict and regulate who can access sensitive information.
Privacy by design
There are ground rules that should not be overlooked when selecting the right collaboration tool for your organization:
- It should not track user data to serve ads.
- It should delete all data after the termination or expiration of the subscription.
- It should give the ownership of customer data to the customer.
The future normal, now
It’s very clear that enabling remote work is more important than ever, and that it will continue to have lasting value beyond the COVID-19 outbreak. As organizations embrace this evolution, keeping a very close eye on the security and privacy of data will enable them to work effectively and with peace of mind.