The Mainstay Playbook: Cybersecurity Layers & Workflows to Protect Your Company

By mainstay | May 19, 2020

In a new work environment, what was once familiar can seem unfamiliar. With the quick move to remote work, individual users are more likely to fall for social engineering attacks while navigating a new environment and establishing new norms. Additionally, home networks often lack the security layers of business networks. Attackers know this and exploit both weaknesses as often as they can.

In light of these real challenges, here are three key security recommendations your organization can act on today in an effort to reduce risk and secure your remote workforce moving forward:

1. Implement Multi-Factor Authentication (MFA)

Requiring a second form of authentication to reach sensitive data or key accounts reduces the risk that an attacker who has obtained a password can log in remotely. Multi-Factor Authentication (MFA), sometimes seen as Two-Factor Authentication (2FA), is most effective when the second factor is tied to something you physically have or physically are, such as a code generated by an authenticator app or hardware token, or a fingerprint scan. A code sent by SMS is still far better than a password alone, but it can be intercepted or redirected (for example through SIM swapping), so prefer app- or hardware-based factors where the service offers them. MFA should be enabled on every account holding sensitive information. Your electronic banking application almost certainly has some form of MFA in place already, but an organization’s email, VPN/remote access tools, file hosting services, and other sensitive applications often do not. This second layer of protection should be in place there as well.

2. Provide Staff with Cybersecurity Training

People are your organization’s number one security risk, even when they are on the secure network at your office, and that risk has only increased as the workforce has shifted to working from home. Security awareness training for all new hires, regular refresher training as threats change, and annual organization-wide training go a long way toward building a culture of cybersecurity. Ultimately, this reduces the largest exposure an organization has: its people.

Integrate secure email practices into your staff training schedule. An often-cited figure is that 91 percent of breaches begin over email. Threat actors are leveraging COVID-19 to send highly convincing phishing emails that appear to come from sources such as the Centers for Disease Control and Prevention (CDC). When training staff to tell legitimate email from phishing, here are four checks to make before clicking a link or replying.

First, check the sender’s actual address rather than the display name. Clicking reply (without sending) shows the address a response would actually go to; confirm that the domain is one you recognize and is spelled correctly, and be wary if the reply address differs from the apparent sender. Second, hover over any link with your cursor; the mail client will show the real destination URL in a tooltip or status bar. Confirm that the domain is the one you expect and has no odd characters or misspellings. Better still, avoid clicking links in email at all and navigate to the site directly in your web browser. If you suspect an email is malicious, mark it as junk or spam, so your mail filter treats future messages from that sender the same way, and report it to your IT or security team. Third, do not click the “download pictures” button in Outlook if you do not recognize the sender; loading remote images can confirm to the sender that the message was opened. Finally, if an email from a known person seems off, call them at a number you already have, not one from the message, to confirm they sent it. Replying by email is not enough, because their mailbox may itself be compromised. These four checks will stop most email phishing attempts.
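The first two checks above (where does "reply" really go, and where does each link really point) are mechanical enough to automate, which is also how many mail gateways score messages. The following is an added example, not Mainstay's code or any product's: it parses a message with Python's standard email library, compares the From and Reply-To domains, and for every link compares the domain the visible text shows against the domain the href actually targets, also flagging bare IP addresses and plain-http links. The sample message is constructed for illustration; the .example TLD and the 203.0.113.0/24 address are reserved for documentation, and the two-label domain comparison is a deliberate simplification.

```python
"""Automated form of the manual email checks above.

Added example (not Mainstay's code). The message below is constructed
for illustration; the .example TLD and the 203.0.113.0/24 address are
reserved for documentation. Flags: a Reply-To domain that differs from
the From domain, link text naming one site while the href goes to
another, links to bare IP addresses, and plain-http links.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EML = b"""\
From: "CDC Alerts" <alerts@cdc.gov>
Reply-To: alerts@cdc-gov-update.example
To: staff@example.com
Subject: Updated COVID-19 guidance
Content-Type: text/html; charset=utf-8

<html><body>
<p>Read the <a href="http://cdc-gov-update.example/login">https://www.cdc.gov/coronavirus</a> page.</p>
<p>Or see <a href="https://www.cdc.gov/coronavirus/2019-ncov">official guidance</a>.</p>
<p>Portal: <a href="http://203.0.113.5/portal">staff portal</a></p>
</body></html>
"""

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lowercase host part of a URL ('' if there is none)."""
    return (urlparse(url).hostname or "").lower()


def same_site(a: str, b: str) -> bool:
    """Compare the last two labels (www.cdc.gov vs cdc.gov).

    Simplification: public suffixes such as co.uk need a suffix list."""
    return a.split(".")[-2:] == b.split(".")[-2:]


def header_domain(msg, name: str):
    """Domain of the first address in an address header, or None if absent."""
    hdr = msg[name]
    if hdr is None or not hdr.addresses:
        return None
    return hdr.addresses[0].domain.lower()


def analyze_message(raw: bytes) -> list:
    """Return human-readable findings; an empty list means no red flags."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Check 1: where would a reply actually go?
    from_dom = header_domain(msg, "From")
    reply_dom = header_domain(msg, "Reply-To")
    if from_dom and reply_dom and not same_site(from_dom, reply_dom):
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Check 2: what does each link really point at?
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        target = host_of(href)
        if urlparse(href).scheme.lower() == "http":
            findings.append(f"plain-http link: {href}")
        if IPV4_RE.match(target):
            findings.append(f"link to bare IP address: {href}")
        shown = host_of(text) if "://" in text else ""
        if shown and not same_site(shown, target):
            findings.append(f"link text shows {shown} but goes to {target}")
    return findings


if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EML):
        print("-", finding)
```

Run against the constructed sample it reports five findings: the mismatched Reply-To, the link whose text reads cdc.gov but lands on the lookalike domain, and the plain-http and bare-IP problems with the "portal" link. Nothing here replaces user judgement (the third and fourth checks above are not automatable), but it shows why "hover and read the real domain" is the check that catches the most.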

3. Establish an Information Security Program

Security is an ongoing discipline, and an Information Security program is how an organization adopts effective policies, procedures, and workflows and keeps them current. It also ensures you are actively assessing and mitigating risk through regular phishing tests, user training, and dark web monitoring. Compliance frameworks often require organizations to actively monitor, manage, and integrate security controls, and a comprehensive Information Security program is how each of those requirements is met. The program sets the “rules of the road” for your organization, which matters even more while staff work in unfamiliar environments with new and undocumented workflows. Security itself is not a new concept, but the way we must address it is. When threats come not from a physical break-in but from cyberattacks launched from anywhere in the world, the focus has to shift from the integrity of the locks on the doors to the technological and cultural locks within the organization itself. Pivoting to this approach to digital transformation and cybersecurity may seem like a big leap, but proper precautions, intentional training, and thought-through workflows will help to mitigate risk and build