CYBERSECURITY: HOME EDITION
Agents Council for Technology virtual meeting shares tips for cybersecurity at home
By Christopher W. Cook
The COVID-19 outbreak made this past springtime odd for the Rough Notes editorial team. What is typically a busy time of traveling for conferences and networking events was a period of state-mandated staying at home. My trip to the mailbox (when I found the energy to make it) was predominantly my “leaving the house” between late March and early May.
Responding to the numerous stay-at-home orders, organizations across the industry switched to virtual meetings, providing speakers on relevant topics from the comfort of the attendees’ homes. The Independent Insurance Agents and Brokers of America’s (Big “I”) Agents Council for Technology (ACT) hosted such a meeting in late April, providing four sessions of information. At the time, having recently finished an article on remote work best practices, I was intrigued by and “attended” the session titled “Cybersecurity from Home.”
Dustin Mooney, co-founder and principal consultant at Rigid Bits, LLC, a cybersecurity company based in Colorado that specializes in helping insureds identify and reduce their cybersecurity risks, led the discussion on cybersecurity best practices for employees working from home.
“There is no secure; there is only more or less risk,” Mooney said. “When somebody tells you that the product they’re selling or the application that you’re using is secure, that should send up a red flag because the word ‘secure’ is too binary. We have this idea that something is secure or isn’t secure. That is the opposite of how we should be thinking about cybersecurity. We want to be thinking in terms of risk, which allows for a broader range of possibilities and a clearer picture of where gaps and deficiencies may exist.”
Mooney started his session with what he refers to as Cybersecurity 101, the basics of viewing cybersecurity in terms of risk. This is broken down into the formula:
Risk = Likelihood x Impact
“As part of the risk formula, there are two variables we need to consider in assessing whether something is more or less risky—the likelihood of a negative cybersecurity event happening to you and the impact it will have on your data and the systems that process that data,” said Mooney. “For likelihood, one of the most influential factors is vulnerability, which is a weakness in a system, a process, a person, or a piece of software or hardware.”
What makes one vulnerability more severe than others?
- Ease of discovery. How easy is it for a group of hackers to discover this vulnerability?
- Ease of exploit. How easy is it for a group of hackers to exploit this vulnerability?
- Awareness. How well known is this vulnerability to a group of hackers?
- Intrusion detection. How likely is an exploit to be detected and stopped?
To calculate the impact on your business, Mooney suggested thinking in terms of a CIA of cybersecurity—CIA being an acronym for confidentiality, integrity and availability.
“Confidentiality being ‘can I keep the information secret that I want to remain secret’?; integrity being ‘can I trust that the data I’m relying on to do my job hasn’t been changed’?; and availability being ‘can I get to the data and systems I need to do my job?’” said Mooney. “These items will all directly influence how impactful something is going to be to you.”
Think of an email being compromised. An employee mistakenly gives out his or her password and hackers log into the account. That employee may have an important role and possibly communicates with the CEO regarding financial matters. This is a “breach of confidentiality,” said Mooney. “Information that you did not want everyone to know about is now being read by somebody who shouldn’t have access to this information.”
Mooney warned that after gaining access, hackers will monitor email conversations and then wait for a financial transaction to happen. They’ll interfere with the exchange by posing as a trusted source and changing the routing and bank numbers.
“This is an example of breach of integrity because the individual receiving those numbers [is] expecting them to be one thing, but then they get changed in that email,” Mooney said.
For an attack on availability, a hacker may simply change an individual’s password and lock them out of their account.
Mooney emphasized that understanding and calculating risk is key to making informed decisions about cybersecurity. While using technology to operate a business efficiently comes with the cost of associated technological risks, cybersecurity decision making based on fear reflects an attempt to eliminate risk, which is inherently unfeasible.
“As we use technology, there are benefits to help us sell more and bring in more customers. There’s a cost associated with that, and that cost is risk,” said Mooney. “Someone who tells you they can eliminate your risk should be a big red flag. We’re trying to identify our cybersecurity risks and find cybersecurity best practices we can implement, which will ultimately reduce our overall risk exposure.”
Challenges and solutions at home
While your employees are working from home, what are some best practices that can be implemented for their new work environment?
“As we move away from the office and into our homes, it’s possible that some of the best practices we implemented [at the office] aren’t as applicable as they used to be,” said Mooney. “You have some new exposures that you might want to consider.”
First is to identify your attack surfaces, or the entry points where an unauthorized user can try to extract data.
“Your computers are talking outbound to the internet and are continuously chatting with one another, especially over networks,” Mooney said. “Setting up protection on external communications can block access to malicious sites.”
With all your devices in constant communication, “Hackers will use [device intercommunications] to find out where other computers are in your network. If you have a company-issued computer or tablet, these are endpoints. Protect these devices; put anti-malware on them.”
As for controlling access, make sure you know who in the household is using each device. Does the entire family share one desktop or laptop?
“If you are working on this shared device and you give it to your kids to play games, you have to consider the possibility that they’re doing things you may not know about,” Mooney said.
He also recommended protecting and securing all your home devices before accessing cloud-based resources. This includes computers, phones and video game systems. Think about your friends, or your kids’ friends, who have come to your house and logged onto your network.
“Consider who is on your network,” he said. “Your kids may have laptops or other devices on your network, and if those become infected, that could be an infection point for your work computer that’s on the same network.”
“Create a cybersecurity policy [for employees] who are working from home,” he said.
He also recommended creating a “hotline” or email address to which employees can report and share suspicious emails with one another.
“As we communicate and share this information, it’s a great way to protect ourselves,” Mooney said. “From an incident reporting perspective, if somebody needs to report an incident, make sure employees know whom to talk to.”
Mooney is also a fan of weekly check-ins and using test phishing emails.
“All of us are living in a strange time, and we may have some mental fatigue; we may just start clicking on things without thinking about them,” he said. “As you check in with your employees, make sure they’re doing okay and that their mindset is right.
“Acquire a security awareness training platform; you can pay a monthly subscription and as you get these test emails, it builds a culture of employees actually stopping to think ‘What is this email and should I be clicking on it?’”
Additional action items
Documentation and implementation are keys to cybersecurity. The ACT session ended with a list of action items for the participants to take back to their agencies.
“I want to stress the importance of writing down things you’re doing,” Mooney said. “Maybe you have one representative managing all these action items for you and they’re floating around in this individual’s head. Eventually they are going to [get lost]. It’s important to keep track of what you’ve done, what you want to do and where you’re going.”
Actions items included:
- Create a plan of action and milestones (POA&M). This is a list of all the things you want to do to start implementing cyber security best practices. “You can use this list and start checking things off one by one, and as you check things off, you’re reducing your risk,” Mooney said.
- Home LAN/Wi-Fi. “Take that old router you bought 15 years ago and throw it away, because now you can purchase security intelligence-enabled routers,” Mooney said. “If you accidentally go to a malicious website, or maybe you go to a legitimate website that has some malicious code, these routers have a database of known malicious websites, and they’re going to block it.”
For Wi-Fi, change default passwords and create separate networks for work and home use. “You can set up multiple networks on your router,” said Mooney. “Create a work network. Put a specific password on it, and don’t share that with the kids or anybody else. As you work, connect to that network, and when you’re done for the day, disconnect and go back to your home network. This will provide an extra layer of security.”
- Protect endpoints. “For IT managers and decision makers, consider extending your antivirus or endpoint protection software licensing so that individuals working from home can install it on their home computers,” Mooney said. “Make sure that this [endpoint detection and response] EDR solution has a console: a centralized location for whoever is managing your licenses. They can log in and see when bad things are happening.”
- Remote access. “If you’re a decision maker or IT manager and you’re configuring remote access options, you’re probably using VPNs (virtual private networks) or RDPs (remote desktop protocols),” Mooney said. “Risks are associated with using these technologies. Make sure to set up certificates and use multifactor authentication [in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism].”
- Remote cloud access. “Make a list of all of your cloud-based applications,” Mooney said. “Know what those are, and for all of them, go through and check if you’ve turned on multifactor authentication.”
Mooney also recommended reviewing user accounts. Individuals who no longer work for the agency may still have access to its cloud-based applications. Restricting the number of administrative accounts is also suggested. Administrative accounts should be used only to conduct administrative tasks; all other tasks should be done under a general user account.
- Email. Harden your email configuration. Office 365 and similar products come with a default configuration. “As an administrator, turn on some specific security checks,” Mooney said. “Send employees test phishing emails. Get their minds right so they’re expecting them.”
Track employees’ progress with the test emails and communicate frequently with those who may be more likely to open malicious content.
- Password management. As with endpoint licensing, employees should have access to some form of password management. “They probably have hundreds of logins at work and they have logins at home, so they have a lot of passwords to remember,” Mooney said. “As you use this password management software, turn on multifactor authentication, and make sure employees are using strong passwords with unique characters and that they haven’t used these anywhere else on the internet.”
Signing up for a Dark Web monitoring service is also beneficial. These can locate compromised passwords that are for sale on the internet by scanning through Dark Web message boards.
- Process considerations. “If you are approving financial transactions,
use the dual approval, so no one person can complete a financial transaction,” Mooney said. “This requires two people to look at the routing number and the bank account number to make sure it’s going to the right place.”
Also, consider your processes regarding user accounts for remote access and how you add people to and remove people from them.
- Incident planning. “If you have an incident response plan, add a section about working from home,” Mooney said. “Disseminate it to your employees so they know what to do if something happens.
“[Employees] should receive direction from the agency about what to do, so make sure you’re communicating and that everybody knows what their roles and responsibilities are,” Mooney said. “Make sure you’re aware of state, federal, or regulatory breach notification laws.”
- Cyber liability. “Take a look at your policy; are you covered for employees who are working from home?” asked Mooney. “Make sure you know the answer to that and make sure your coverage amounts are sufficient. If not, consider bumping them up.”
Employees in a home environment can help by being vigilant about phishing emails, creating a separate home network for work use only, using only one specific device for work-related activities, reporting phishing emails and malware infections, and being cautious with web browsing and file transfer.
To request a POA&M, visit: www.rigidbits.com/working-from-home-poam.
For more information:
Agents Council for Technology