Articles template ver2 - ETRM Group

[email protected] 202-910-6990 | ETRMGroup.com

Posted on 28-Jan-2022



Four Often-Overlooked but Easy-to-Implement Steps to Secure Data in a Work-from-Home World

In mid-March of 2020, most businesses in the United States either shut down temporarily or sent all employees home to telework due to the COVID-19 pandemic. This massive surge to work-from-home had never happened before in the U.S. during the age of technology. As millions of Americans logged on to their home networks and personal desktops, laptops, tablets and mobile phones in an attempt to keep their companies afloat, cybersecurity issues arose as a complicated problem that companies had to manage. Many corporations – and law firms in particular – suffered data breaches, demonstrating that U.S. industry was not adequately prepared for this transition.

The private sector could learn a great deal from the federal government about securely managing teleworking employees. The federal government has an extensive telework program run by each agency, and the rigor of each program largely depends on how data is classified within that agency. Even with different protocols across agencies, the government overall knows how to securely manage thousands of teleworking employees.

With no end to the pandemic in sight and with more employees indicating they would prefer to have the option of working from home after the pandemic eases, businesses will need to establish additional security protocols to continue to protect data assets. If they follow the government’s lead, there are many ways to secure data that can be implemented quickly and inexpensively.

Here are four strategies that businesses can implement with little effort to secure data for large-scale teleworking.

Step One: Look for Assets, Antivirus and Additional Protocols

Private sector businesses should follow the federal government’s process for telework regarding assets and devices. Federal employees who telework are issued a federal asset or device, like a laptop or tablet instead of a desktop. The laptop includes antivirus software and an approved access portal like Citrix.

If your company or firm cannot issue a standard device to each employee, then provide employees with an approved antivirus subscription and require them to use it. Select an AV program that best interfaces with your network configurations. The benefit of distributing company-owned devices is you can control the who, what and how of employees touching the network. Additionally, the data on the device can be collected – even remotely – and preserved for human resources and litigation purposes.

Federal agencies rely on third-party threat intelligence feeds to identify dangerous websites. The resulting lists allow agencies to blacklist and whitelist. In the private sector, companies can subscribe to commercial sites like FireEye, ThreatConnect, Flashpoint and CrowdStrike to monitor third-party threats.
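The feeds described above only help if the resulting lists are applied consistently. As an added example (not code from the article or from any of the vendors it names), the Python below loads a denylist and an allowlist in the simple one-domain-per-line form many feeds export, and decides what to do with a hostname. The feed contents are constructed sample data; matching parent domains so that a listed domain also covers its subdomains, and letting an allowlist entry override a denylist entry only when it is more specific, are design choices of this example rather than anything the article prescribes.

```python
"""Apply allow/deny lists built from threat-intelligence feeds to a hostname.

Added example, not from the ETRM Group article. DENY_FEED and ALLOW_FEED are
constructed sample data, not real indicators.
"""
from __future__ import annotations

# Constructed sample feeds. A real deployment would load these from the
# commercial threat-intelligence subscription the article mentions.
DENY_FEED = """
# comment lines and blank lines are ignored
evil-updates.example
login-portal.example
"""

ALLOW_FEED = """
sso.login-portal.example
"""


def parse_feed(text: str) -> set[str]:
    """Normalise a feed into a set of lowercase domains without trailing dots."""
    domains: set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            domains.add(line)
    return domains


def _matches(host: str, domains: set[str]) -> str | None:
    """Return the listed domain that covers `host`, walking up the parent chain
    so that `cdn.evil-updates.example` is caught by `evil-updates.example`."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def classify(host: str, deny: set[str], allow: set[str]) -> tuple[str, str | None]:
    """Return ("allow" | "deny" | "unlisted", matched_entry).

    An allowlist entry beats a denylist entry only when it is more specific
    (a longer suffix of the host), so allowlisting `sso.login-portal.example`
    does not quietly unblock the rest of `login-portal.example`. On an exact
    tie the denylist wins.
    """
    denied = _matches(host, deny)
    allowed = _matches(host, allow)
    if allowed and (denied is None or len(allowed) > len(denied)):
        return "allow", allowed
    if denied:
        return "deny", denied
    return "unlisted", None


if __name__ == "__main__":
    deny, allow = parse_feed(DENY_FEED), parse_feed(ALLOW_FEED)
    for host in ("cdn.evil-updates.example", "sso.login-portal.example",
                 "www.login-portal.example", "intranet.corp.example"):
        print(host, "->", classify(host, deny, allow))
```

The parent-chain walk is the part worth keeping: a feed that lists `evil-updates.example` is almost always meant to cover every host under it, and a check that only compares whole strings will miss `cdn.evil-updates.example`.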

Identifying assets, antivirus and additional protocols for employees to use is the responsibility of the company and can be relatively inexpensive to set up.

We recommend only one AV subscription per device, as running more than one can cause problems for the device. Remove old AV applications from the laptop before downloading and installing a new AV subscription.


Step Two: Reboot!

Employees should be your active partner in protecting company and client data. When employees work from home, provide them with a rebooting schedule for all their assets:

• Reboot home Wi-Fi routers at least once a month if work-related assets are connected to home Wi-Fi. Turn the router off and then unplug it for five minutes. After five minutes, plug it back in and wait for the lights to come back on. Rebooting the router allows updates and clears out garbage. It also can increase internet speed.

• Shut down laptops every day (not just restart). Save and close all open documents and programs and turn your computer off. This allows programs to run updates like security patches and clear out any temporary files. Maintaining updated security patches is a must if companies want to protect devices from ransomware.

• Mobile devices should be powered off every night and allowed to fully reboot. Many employees conduct work on company mobile devices as well as personal mobile devices. Rebooting a mobile device serves the same purpose as rebooting a laptop: updating applications and cleaning out temporary files, including harmful ones.

Step Three: Clear Out Superfluous Passwords

Federal agencies have multifactor authentication for many applications, and passwords expire at least every 90 days. Federal employees must have a PIV card, a username, a password and a PIN. It is difficult to keep up with these measures, especially the passwords. However, it is important to know that every password you have ever had has been captured and put on the darknet – every single one! If you do not believe this to be true, go to https://haveibeenpwned.com and enter any of your email addresses. It will instantly tell you how many times you have been “pwned” (from gamer-speak for being “owned” or dominated by another player). The only weapon against stolen passwords is to change them frequently.

Password management apps can help employees keep track of the myriad of passwords they must have. They can:

• Create passwords that are long and complex.

• Store passwords securely so they do not need to be written down.

• Allow employees to change passwords frequently.

• Allow for different passwords for different applications.
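Two of those capabilities can be shown in a few lines. As an added example (not code from the article, and not a description of any particular password manager), the Python below generates a long random password from the operating system's CSPRNG and checks a candidate against a breach corpus the way haveibeenpwned.com's Pwned Passwords range service does: only the first five hex characters of the password's SHA-1 hash are sent, and the comparison with the returned bucket happens on the device, so the password itself never leaves it. The range endpoint URL and the Add-Padding header are the real service's, but the response body used here is a constructed sample so the module runs offline; the breach counts in it are made up for the example.

```python
"""Generate long random passwords and check a candidate against a breach corpus
with the k-anonymity range scheme used by Have I Been Pwned's Pwned Passwords.

Added example, not code from the ETRM Group article. The live endpoint
https://api.pwnedpasswords.com/range/<prefix> is real; SAMPLE_RANGE_RESPONSE
below is a constructed stand-in so the module runs offline.
"""
from __future__ import annotations

import hashlib
import secrets
import string
import urllib.request

ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample of what a range response looks like: one "SUFFIX:COUNT"
# line per hash in the bucket. The first suffix is the real SHA-1 tail of the
# string "password"; the counts are made up for this example, and a :0 line is
# what padding entries look like.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:0
"""


def generate_password(length: int = 20) -> str:
    """Draw every character from the OS CSPRNG via `secrets`, never `random`."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def split_for_range_query(password: str) -> tuple[str, str]:
    """SHA-1 the password and split the hex digest into the 5-char prefix that
    is sent to the service and the 35-char suffix that never leaves the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Return how many times `suffix` appears in the breach corpus according to
    a range response body, or 0 when it is absent."""
    for line in body.splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix.upper():
            return int(count)
    return 0


def breach_count_offline(password: str, body: str = SAMPLE_RANGE_RESPONSE) -> int:
    """Check a password against a range response that has already been fetched."""
    _prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, body)


def breach_count_online(password: str) -> int:
    """Live check. Only the 5-char prefix goes over the wire; Add-Padding asks the
    service to pad the bucket so the response length reveals less about which
    bucket was requested."""
    prefix, suffix = split_for_range_query(password)
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "etrm-example-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read().decode("utf-8")
    return count_in_range_response(suffix, body)


if __name__ == "__main__":
    print("breach count for 'password':", breach_count_offline("password"))
    fresh = generate_password(24)
    print("fresh password breach count:", breach_count_offline(fresh))
```

Run it as is and only the offline check executes; `breach_count_online` is there to show that the live query is the same three steps (hash, send the prefix, compare the suffix locally) with a network fetch in the middle.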

If companies can manage it, add facial recognition to laptops. Using the facial recognition feature many laptops support will allow employees to get into their laptops and keep everyone else – except their identical twins – out.

Step Four: Secure Zoom, Teams and Other Collaboration Sites

Zoom has proven to be a vital asset for employers to use to connect colleagues and clients. Employers need to be aware there are thousands of fake Zoom sites that are presumably created to capture Zoom IDs and passwords. Fake Zoom links are used for phishing. Zoom bombing (joining a meeting uninvited) is used to steal confidential information and/or trade secrets and harass legitimate attendees. Secure Zoom in the following ways:

1. Instead of using your unique Zoom ID for all meetings, allow Zoom to issue an ID for meetings where confidential information will be shared. When the meeting is over, the ID alone will have no value.

2. Use a password. If the meeting has a unique ID and password, it is nearly impossible for Zoom bombing to occur.


3. If you are the host of the meeting, use the Zoom waiting room. The Zoom waiting room requires attendees to be admitted one at a time by the host. This is time-consuming for large meetings, but if knowing who is attending your meeting is important to you, the Zoom waiting room is the equivalent of roll call.

4. Do not share your Zoom ID with anyone you do not trust, including family members. If hackers have your personal Zoom ID, it is just a matter of time before your password can be cracked.

5. Upgrade to a paid account. The paid Zoom account has end-to-end encryption, encryption at rest and encryption in motion. This means that without the Zoom ID, the password and admission from the waiting room, there is no way to decrypt the conversations within the Zoom meeting.

These precautions are important, easy to implement and all but one are free.

Microsoft® Teams is another great tool for audiovisual conferencing, and the security and safety of Teams is excellent. Widespread adoption of Zoom and Teams is recent and, in fact, not even half of all federal agencies have Teams capabilities. Until the COVID-19 pandemic of 2020, most federal employees attended meetings in person or via conference call, so these collaboration tips apply to businesses in the private sector and federal agencies, too.

Conclusion

These simple steps are the least difficult and least expensive protocols that any organization can put in place to keep company and client data safe while teleworking and can make it more difficult for ransomware attackers to breach your defenses. Trying to get past multifactor authentication takes a great deal of effort, and if you utilize these simple steps, hackers will move on to lower-hanging fruit. Whether we are in a pandemic or have safely recovered, do not let your organization become the easy target.

About Empire Technologies Risk Management Group

The Empire Technologies Risk Management Group was founded by a group of technical and legal experts who believe that cybersecurity is a foundational building block of every successful legal process or technology.

The team of lawyers and technologists at the ETRM Group have more than 100 years of collective experience in cybersecurity and information assurance, having served the Department of Defense, the U.S. Department of Treasury, the Federal Trade Commission, the White House, and more. For more information, visit www.etrmgroup.com.

