In the new work-from-home world of COVID-19 where more business is being conducted remotely using emails, online software and video chat platforms, hackers have ramped up efforts to steal employee usernames, passwords and company data that could put your business at risk.
Four times the normal number of malicious emails with content pertaining to the coronavirus were blocked in March alone, said cybersecurity expert Anthony DeGraw, of Domain Computer Services, during a recent NJBIA webinar. Fortunately, businesses can take steps to mitigate the risks so that employees are less likely to click on malicious emails or have their company-associated passwords stolen by hackers that breach online software applications or chat conferencing platforms.
“You should definitely be enabling multi-factor authentication on any program that you use your username and password to get access to,” DeGraw said. Multi-factor authentication requires an extra step, such as requiring the user to input a code texted to their smartphone.
When it comes to email communication, DeGraw also emphasized the importance of the “human firewall,” especially now when many New Jersey businesses are submitting applications for loans and grants to financial institutions and government agencies for coronavirus-related relief programs. Read emails carefully, hover over links to make sure they contain the correct email address, and if you don’t know the person who sent the email, pick up the phone and verify with the banking institution and government agency that the person is actually employed there before sending confidential information.
“Everybody is under a lot of financial pressure right now and, as we know, things are being sent and actions are being taken very quickly,” DeGraw said. “And what we’re seeing on our end is that due diligence isn’t happening at the scale it needs to confirm things. It’s stressful, but it would be a lot more impactful to your business if all of a sudden all your financial data is all over the internet.”
Everyday business software tools also need to be secure as well, DeGraw said. This includes cloud-based accounting software such as QuickBooks, teleconferencing and webinars platforms, and the ERP systems used by many companies to manage finances, procurement, project compliance and supply chains.
“A lot of these platforms are seeing a huge uptake in their cloud solutions and it’s up to the user to make sure that you’re enabling the right security settings for these,” DeGraw said.
The Zoom video conferencing system, for example, has exploded from 10 million active users to 200 million active users practically overnight because of the COVID-19 pandemic. Hackers who recently breached Zoom’s database stole more than 500,000 passwords and put them for sale on the dark web.
This means your company could potentially be at risk if your employees, for convenience’s sake, used their same company email/user names and passwords to create their Zoom accounts because hackers now have the log-in credentials they need to access your own company’s systems.
Anyone who has made this mistake when they set up a Zoom account should immediately change their password, DeGraw said. If possible, they should delete that Zoom account entirely and set up a new Zoom account using a different email, DeGraw said.
“At a minimum you should be changing that password across all the different platforms you use it on,” DeGraw said. “If you’re using that Zoom password to get into your Office 365 or your Gmail or any other system you’re using, you need to make sure that you go change that password.”
To use Zoom securely, users should create a unique username and password —never their business email address, Facebook account or Google account to sign into Zoom, DeGraw said. Require passwords for all meetings and email invite links directly to attendees instead of posting them online to keep internet trolls from gaining access to your meetings.
As the time for the meeting approaches, use a settings tool that puts participants into a virtual “waiting room” so the host can see who they are before they are granted access to the meeting. Hosts should lock the meetings once everyone who has been invited has joined, and also use the settings to disable screen and file sharing by participants.
Go here to listen to the entire webinar.