Earlier in February, Salesforce detailed how it would reopen its offices around the world.
While we commend Salesforce for taking what is likely seen as a massive step by many other firms, it does pose an important question – how does one secure an environment where anybody can work from anywhere?
We know all too well that cybersecurity came under increased threat in 2020 as the attack surface grew, and that won’t change.
According to chief trust officer at Salesforce, Jim Alkove, it’s important to start with the basics.
“As we enter the next phase, one where ‘work-from-anywhere’ environments are here to stay, let’s rewind, pause and remember that the secret to success is to do common things uncommonly well. Like washing your hands or wearing a mask during a pandemic, nailing the basics to promote cybersecurity hygiene can go a long way toward eliminating the risk associated with common cybersecurity threats,” writes Alkove.
The CTO (though CTO generally means chief technology officer, here it represents chief trust officer because Salesforce likes weird titles) has outlined five basics companies should get right.
Enable multi-factor authentication
While passwords are good enough for most applications, what businesses should really be doing is enabling multi-factor authentication (MFA).
MFA relies on three basics that users must present to prove they are who they say they are:
- Something you have
- Something you know
- Something you are
How these factors are applied may differ. For instance, something you have could be an access card or a dongle that generates a unique passcode. Something you know could be a password or PIN while something you are is your biometric data.
MFA makes it harder for cybercriminals to infiltrate an organisation. We say harder because it’s not impossible to bypass safeguards, but MFA adds roadblocks that cybercriminals can’t ignore.
Patching seems simple, but the number of times that unpatched software has had disastrous consequences is too high to count.
Regular patching can mitigate some of the risk that software holes present, and it should be done at every level of the business.
“Patching corporate devices is a simple, effective and direct way of ensuring employees inoculate themselves against known vulnerabilities, resulting in much-improved resilience against common attack vectors like ransomware,” Alkove explains.
“Through patching, corporate devices also automatically add necessary new features, remove outdated ones and fix performance issues. Encourage your employees to patch their personal devices as well,” the CTO adds.
A rather simple way to ensure remote workers access company data through a secure pipe is to use a VPN.
Implementing a VPN means a company has the ability to dictate the terms of the engagement when sending and receiving data.
We should point out that good cybersecurity hygiene is a must before implementing a VPN service.
Keep an eye out for phishing
Since the pandemic became everything people could talk about, cybercriminals have used this trend to their advantage.
The advice below was shared by Alkove as a means of identifying COVID-19 related phishing attempts, but the knowledge is transferable to all phishing attempts.
Questions you should ask yourself when receiving a suspicious email include:
- Is the subject line off?
- Is the email from a known person or organisation?
- Is there anything suspicious about the attachment?
- Is there something “phishy” about the credentials requested?
- Is the email poorly written?
- Is the message requesting immediate, urgent attention or money?
- Is the call from a familiar phone number?
If you answer yes to any of those questions, your suspicions should be raised and you should contact your IT administrator.
Secure video chat
Finally, securing your video chat is a simple way to make sure that no ne’er-do-wells are privy to insider information.
This seems obvious, but when you have folks quite literally tweeting out meeting IDs and passwords, it’s worth reiterating that crims can learn a lot from a video call.
“Using a platform’s built-in security features — such as meeting rooms, passwords and screen-sharing permissions — can be basic but critical steps to managing activity and preventing unauthorised access to meetings. Where possible, use unique passcodes and access links for meetings and disable ‘beta’ features you don’t need like file-sharing or livestreaming to minimise human error,” says Alkove.