By Gray Taylor and Dave de la Plante
ALEXANDRIA, Va.—On March 11, 2020, the World Health Organization (WHO) characterized COVID-19 as a global pandemic. Within two days, the planet was operating under an unprecedented state of emergency, requiring a majority to stay home and shelter in place.
It is virtually impossible to secure everyone’s homes to the same level as their work locations. Much will be learned from the COVID-19 emergency, and extended security policies and workflows will be reviewed and adjusted for working from home. In the meantime, Conexxus suggests three practices to increase security:
1. PERSONAL FOCUS/SEGREGATION OF TASKS
Make a conscious effort to separate work time from family time and household responsibilities. During focused work time, turn off your social networks, personal email, games and searches. Keep your attention, computer and network activity on work-related tasks, the most common being company- related email, conference calls and collaboration tools. If possible, segregate work and personal use to different devices (computers, laptops, tablets), and do not permit family use of your work devices.
2. FUNCTIONAL BUSINESS SYSTEMS
Sensitive financial, customer, HR, product and operational data should only be accessed through a virtual private network. A VPN is set up and implemented by IT administration and permits your work device(s) remote access to a company’s secure internal network. For those who primarily work at the office, VPN access should be mandatory to work at home.
3. ESSENTIAL SERVICES SUPPORT STAFF
There are many critical office staff responsible for 24/7 support of the essential retail services of the business. During the COVID-19 pandemic, home-based monitoring of, and access to, mission critical infrastructure will be required. For retailers and vendors, the help desk, software development and QA teams, field technicians, back office and payment systems specialists must be able to operate with high availability and security.
During the COVID-19 crisis, many of our Conexxus members have securely installed fully operational support systems at the homes of critical staff. These home installations require the same PCI safeguards as internal systems and workflow processes. The following are a few examples of how Conexxus members are enabling essential service support at home:
• Securely prepped, tested and installed production point-of-sale systems. Lock down hardware, secure Windows/Linux image, PA-DSS application software, printer, scanner, and payment terminal.
• Secure remote access to test and certification labs for quality assurance and development staff. Provide test cards (payment, loyalty, gift) and secure access to above site test systems.
• Prepped, shipped and installed pump dispenser and pay at pump simulators to critical developers and QA staff.
• Acquired smaller desktop versions of pay at pump simulators from pump manufacturers. These desktop devices are excellent for both office and home use, not only during emergency periods but also to facilitate 24/7 response to critical field issues.
• Technicians sent to install equipment, while ensuring their safety, and the safety of the families at home.
Conexxus is seeing a shift by cybercriminals to exploit home attacks during COVID-19. These recommendations are not only best practices that should be adopted at home but also necessary to stop an increase in business-related cyberattacks to workers’ homes. A recent Law360 article indicates a new spike in cyberthreats related to the disruption of COVID-19.
“Hackers are exploiting vulnerabilities stemming from the global coronavirus pandemic, including distracted workers and stretched-thin IT staff, as cybersecurity attorneys say the spread of COVID-19 has also brought with it a spike in data security incidents,” Law360 reports.
The article further states that companies need to double down on cyber-defense during the crisis, as the shift to remote work gives hackers more ways to infiltrate networks and take advantage of potentially panicked staff. It’s challenging to segregate work and family activities while sheltered in place at home. Unlike the office, where security policies restrict personal use of the company network, combined personal and work-related internet use is more the norm at home.
During the COVID-19 pandemic, the Conexxus Data Security Committee (DSC) has been advised of substantial increases in cyberattacks resulting from sudden, unplanned relocation to our homes.
• More than 50% decrease in office-related security events due to the sheer volume of offices moving employees to remote work.
• More than 80% increase in active phishing activities and 30% increase in active blocks of malicious content. People are at home surfing Facebook and other social networks.
• More than 200% increase in logged events from remote network equipment as IT departments put their teams at home, rapidly deploy VPN infrastructure, and in some cases decrease security controls—all of which serves to increase vulnerability to attack.
• A surge in COVID-19-related phishing emails, ransomware and duping online payments and wire transfer services.
Download a pdf of the quick reference guide “Functioning in the Age of Shelter in Place” here.
Gray Taylor is executive director, Conexxus, and Dave de la Plante is strategy and program director, Bulloch Technologies.