Working from home? Follow these cybersecurity best practices.

The global pivot to remote work at the start of the pandemic sent organizations scrambling to set up work-from-home solutions to keep business moving along. While we’re much further along than those early days—and embracing hybrid work arrangements—there are still a lot of security gaps in remote workforces.

And cybercriminals are exploiting those vulnerabilities in laptops, mobile devices, home networking gear, virtual private networks (VPNs) and cloud-based applications. They’re also using social engineering techniques to trick employees into giving away passwords and sensitive information.

Now, wherever you’re working, it’s more vital than ever to stay vigilant—and a step ahead of those cyber sneaks.

The evolving nature of online fraud

It’s a good time to take stock of your own cybersecurity practices to protect all your data — both personal and work-related. Consider that from January 1 to July 31, 2022, there have already been 52,735 Canadian reports of fraud, with losses totalling $284 million according to the Canadian Anti-Fraud Centre (CAFC).

And those are only the cases that have been reported.

CAFC estimates fewer than five per cent of victims file a fraud report and that a majority of phishing scams that solicit personal information don’t involve direct financial losses. “Financial loss isn’t the only consequence of a security breach,” says Anna McCrindell, Vice President, Commercial Insurance with Wawanesa. “Aside from being less productive, you could also lose intellectual property, be hit with compliance fines, risk damage to your company’s reputation and ultimately, lose customers.”

How cybercriminals trick you

Cybercriminals view pandemics, natural disasters and other high-profile events as an opportunity to breach vulnerable technology—and vulnerable people.

At the start of the pandemic, for example, phishing and social engineering attacks homed in on anything pandemic-related: CERB payments, the purchase of PPE and the availability of vaccines for COVID-19.

But these phishing and social engineering attacks continue to evolve.

For example, you might receive a ‘security alert’ about unusual activity on one of your accounts, or an email that you’ve ‘missed’ a scheduled Zoom meeting. Phishing was the top-reported fraud incident in 2021, according to CAFC, but there are also romance-related scams (preying on people’s loneliness and isolation during the pandemic) as well as investment scams.

“These attacks are becoming much more sophisticated, and often much more customized,” explains McCrindell. “Victims are enticed to click on malicious links, give up passwords or install unauthorized software. From there, cybercriminals can gain access to corporate systems, steal sensitive data, extort ransom or even add your computer to a botnet to launch malicious attacks on other computers.”

The $4 billion and growing threat of ransomware

In terms of cyberattacks, ransomware continues to be a top concern. The Macarthy Tétrault Cyber/Data Group reports that Canadian organizations lost $4 billion to ransomware (both in paid ransoms and lost productivity) in 2020. And since this is such a lucrative market, cybercriminals are evolving their methods—making ransomware even more insidious.

For instance, they’re using methods such as double encryption (two layers of encryption for two separate ransomware payments) and ‘double-dipping,’ where organizations are extorted to get their data back—and then they’re extorted a second time to ensure the cybercriminal doesn’t share or leak sensitive data.

But ransomware is just one type of malware.

Others include Trojans (which hide in legitimate applications and launch attacks or provide a backdoor to hackers), worms (which propagate, overload servers and cause denial-of-service attacks) and spyware (which secretly tracks activity and collects user information). And those are just a few.

How you can practice good cyber hygiene

As Canadians continue to work from home or embrace hybrid work, it’s a good time to look at security measures to protect both your personal and work-related data—particularly if you’re accessing work-related applications, systems and networks from home.

Here are some best practices to follow—and what to avoid:

Do:

• Familiarize yourself with potential risks related to your work and your industry, particularly if you handle sensitive information.
• Trust health-related information only when coming from reliable medical sources, and trust professional information only from sources you can verify.
• Use hard-to-guess passwords for email, cloud storage and corporate networks (including VPNs), and use different passwords for different accounts.
• Change the default password on any home network devices, including routers and Wi-Fi access points, and update the firmware.
• Use two-factor or multi-factor authentication.
• Use company approved methods for file storage, sharing and collaboration.
• Use your work computer for work purposes only.

Don’t:

• Provide business information, even seemingly innocuous information, to requestors you cannot verify with certainty, whether by phone or email.
• Use remote work as an excuse to bypass regular work processes, such as authorizing payments.
• Disable security software or automatic updates (whether security or operating system updates) on your work computer.
• Leave work-related documents and files with sensitive information lying around openly at home.
• Give family members or other individuals access to your work computer.
• Use your work computer for private business.
• Email business documents to your personal email account.
• Use any cloud services or install any software on your work computer that your company hasn’t authorized for business use.

“It’s also important to ensure your company has an incident response plan if and when a security breach occurs—from who to contact if an incident occurs, to how to isolate infected devices and restore data from the last backup,” adds McCrindell. Bookmark this information from your Intranet (or wherever it may be stored), and if a plan doesn’t yet exist, suggest it to leadership.

While there’s no guarantee you or your team won’t be the victim of a security breach, proper cyber hygiene can make you a less attractive target to cybercriminals and mitigate any potential damage.

Contact your broker to add Wawanesa Cyber Coverage to your policy