The shift to working from home compounds existing cybersecurity threats and puts the protection of client data, software, and hardware under even greater stress. This month’s column focuses on free materials for CPAs, including resources that may be new to readers. The Center for Internet Security and CSO Online, plus the items in the Sidebar, are just a few of the many resources available to help secure the remote technology environment.
Center for Internet Security
The Center for Internet Security, Inc. (CIS) is a nonprofit organization that provides access to its cybersecurity best practices, controls and benchmark tools, and threat advisories on its website (https://www.cisecurity.org). Although most CIS resources are targeted to IT professionals, there are several tools that accountants can use for their own practices, advice for clients, or just general information. The Cybersecurity Threats webpage (https://www.cisecurity.org/cybersecurity-threats/) provides a list of the top 10 malware sources, the most common data breach types (e.g., phishing, stolen credentials), and the current general alert level.
An easy and quick resource is the Daily Tips (https://www.cisecurity.org/resources/), each of which links to the recommended action steps in the corresponding CIS Control. Most readers will recognize “Don’t share when you’re away from home,” “Use anti-virus software,” and “Protect yourself from phishing scams.” One less familiar issue is “Know how to spot fake software,” which points out that free software offers could actually contain malware. Files and other information shared via peer-to-peer (P2P) networking could be corrupted or could expose the recipient to copyright violations, as explained in “Know your peer-to-peer (P2P) partner.”
A must-see tool on the CIS website is the “Resource Guide for Cybersecurity During the COVID-19 Pandemic,” which is accessible as a webpage or downloadable four-page PDF (https://bit.ly/3jUAcmY). The guide is a fast read with hyperlinks to more detailed resources. The first page covers COVID-19-related cyberattacks, addressing phishing and malspam, credential stuffing, ransomware, remote desktop protocol (RDP) targeting, and distributed denial of service (DDoS) attacks, with connections to a variety of tools, including one CIS newsletter article: “What You Need to Know About COVID-19 Scams.”
Many of the tools on the Resource Guide pertain to the work-from-home environment, such as secure employee home networks, employee personal device security, and secure video conferencing. One of the highlighted resources, “CIS Controls Telework and Small Office Network Security Guide,” is an easy-to-follow explanation of basic device and network setups, and includes a handy checklist and an excellent bibliography of several small business guides (https://bit.ly/3hFZJyy). The last page of the Resource Guide also provides a list of other external resources and free tools.
CIS resources include a variety of articles and blog posts, generated by both CIS and outside sources. As an example, “Cybersecurity Challenges of a Sudden Remote Workforce” addresses communication and timing issues, as well as the loss of organizational control over Internet security, caused by moving to a remote workforce (https://bit.ly/3hOAOZw). Employers do not control how at-home workers manage their personal computers or Internet connections. A centralized “patch management” process can help ensure that computer applications and software tools stay up-to-date.
On a related note, “Cleaning up ‘Dirty’ Wi-Fi for Secure Work-from-Home Access,” pulled from Cyber Defense Magazine (June 11, 2020), is an eye-opening discussion of the risks of home workplace Wi-Fi networks, which cannot be resolved by a virtual private network (VPN) alone. VPNs have grown in popularity for providing a secure Internet connection, particularly in the work-from-home environment (https://bit.ly/3hOAOZw). VPNs cannot, however, address on their own the threats created by the “dirty” nature of many home Wi-Fi networks: a VPN protects the traffic between the work laptop and the office, not the laptop from the other devices sharing its network. Internet users may not realize the large number of connected devices in their home, each of which creates an entry point for a cyberattack. The article references the CIS Wireless Access Controls, Control 15, which recommends the use of a separate wireless network for personal (or untrusted) devices versus home office equipment (https://bit.ly/3f7O4Hb).
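To make the Control 15 recommendation concrete, the following is an added example (not taken from the CIS guide or the magazine article) of what a separate, untrusted wireless network looks like on a home router running OpenWrt. The interface name `iot`, the SSID `Home-IoT`, the address range `192.168.30.0/24`, and the pre-shared key are all assumed placeholders; the file paths and option names are standard OpenWrt UCI configuration.

```conf
# /etc/config/network (added example; "iot" is an assumed interface name)
# A second routed network for personal and smart-home devices, separate from
# the default "lan" that the home-office computer uses.
config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp
# Hand out addresses on the untrusted network only.
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '100'
	option leasetime '12h'

# /etc/config/wireless
# A second SSID on the same radio, attached to the "iot" network.
# isolate=1 also stops untrusted clients from talking to each other.
config wifi-iface 'iot_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	option ssid 'Home-IoT'
	option encryption 'psk2'
	option key 'change-this-passphrase'
	option isolate '1'

# /etc/config/firewall
# Put the untrusted network in its own zone. Traffic may leave to "wan"
# but there is deliberately NO forwarding from "iot" to "lan", so a
# compromised smart TV or personal tablet cannot reach the office laptop.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'iot'
	option dest 'wan'

# The router itself still answers DHCP and DNS for the untrusted devices.
config rule
	option name 'Allow-IoT-DHCP-DNS'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

The security property to check after applying this is the absence of a `config forwarding` entry from `iot` to `lan`: a device on `Home-IoT` should be able to reach the Internet but should time out when it tries to connect to anything on the office network. Most consumer routers offer the same idea under the label “guest network,” usually with fewer controls.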
“How to Protect Your Nonprofit from Phishing Cyber-Attacks,” linked from the Candid.org blog, discusses five practical steps that nonprofits can follow to prevent phishing attacks. Although nonprofit organizations face the same types of cybersecurity risks as for-profit entities, they have suffered particularly aggressive phishing attacks in the COVID-19 work-from-home environment (https://bit.ly/2BGbFRz). The suggestions include understanding what a phishing attack is and assessing the organization’s risk, using strong passwords, keeping software up-to-date, securing employees’ home networks, and updating access policies.
CSO Online
CSO Online covers a variety of practical cybersecurity, information technology security, and risk management topics, and presents the information in articles, research reports, primers, videos, and other formats on its website (https://www.csoonline.com/). Several current articles address the transition to conducting operations from remote locations, such as “Free Security Resources for Work-from-Home Employees during the COVID-19 Crisis,” which profiles vendors of security-related products and services that are currently offering free resources (https://bit.ly/3gcb1dw). The specific areas covered include application security, email security, network security, phishing protection, and remote access. Vendors are invited to list their products, and readers can check back periodically for updates.
Another CSO Online article, “8 Key Security Considerations for Protecting Remote Workers” (https://bit.ly/30aOE2D), presents links to examples of the types of products addressed in the recommended practices. The discussion begins with determining what protection should be required for employees’ home computers, with specific consideration of Windows and Macintosh products and a link to a five-minute video that identifies good questions to ask. In determining what software remote employees might need, note that some licenses allow installation on multiple devices, and that firewalls on home machines must be configured properly to reduce exposure to ransomware. “8 Video Chat Apps Compared: Which is Best for Security?” is a handy review of popular virtual conferencing software, such as Zoom, Microsoft Teams, and Webex (https://bit.ly/30btYYo/), along with applications for one-to-one or up to four-person interaction, such as WhatsApp.
“Pandemic Impact Report: Security Leaders Weigh In” summarizes the results of a March 2020 survey of 150 U.S.-based security and technology executives regarding how their organizations were responding to social and work restrictions in the COVID-19 environment (https://bit.ly/2D-m8lLF). Prior to COVID-19, only 16% of respondents’ employees worked from home at least 60% of the time, increasing to a 78% remote workforce by the time of the survey. The study revealed that small to mid-sized businesses were likely to have been under-prepared for the shift to remote staff and the increased cybersecurity risks.