Small businesses with staff now working from home: time to take stock of your cybersecurity Looking back, we see that the fast onset of the COVID-19 pandemic forced us all to make unprecedented operational decisions and act with a degree of haste. Many shortcuts have been taken just to keep things going. Now that we are settling into new routines, it is time to take a serious look at the cybersecurity risks which may have been underplayed or overlooked entirely. Here are the latest reports on cyber-attacks, all of which are relevant to small UK businesses:In the latest report from Proofpoint, 80 percent of all possible threat scenarios revolve around the Coronavirus pandemic.In the UK alone, victims lost over \u00a3800,000 to coronavirus scams in February, (National Fraud Intelligence Bureau).Global content delivery network, Cloudflare, say that online threats have risen six-times normal over the past four weeks alone, citing the Coronavirus pandemic as providing the lure behind the cyber-attacks.From Barracuda Networks, we see that phishing attempts shot up 600% during March, these included extortion attacks like ransomware, as well as business email compromise and impersonation scams frequently targeting directors and financial staff. The message is clear: this pandemic makes it a field day for cyber criminals who are taking full advantage. Now is not the time to risk your organisation with unnecessary exposure to data breaches and cyber-attacks. Securing your business, yourself and your home working staff: With business operations in so much flux and cyber criminals licking their lips, how can your business lessen its exposure?\u00a0 Here at Phishing Forensics our cybersecurity experts have brought together 12 top tips for increasing the security of your business and its homeworking staff. While recognising that every organisation is different and has varying requirements, they have found the following factors to be the most common failure points in establishing the \u2018work from home\u2019 cybersecurity culture of your business. Our 12 Top Tips for Homeworking Cybersecurity: \tSetting up new accounts and accesses. If you need to set up new accounts for your staff to work from home, you need to set strong passwords for those accounts. We recommend this tool for easily generating secure password suggestions: Secure Password Generator and Checker \tMulti-factor authentication (MFA) for online services. Whenever possible activate MFA. This will protect against unauthorised access to your accounts. While this is a policy level and technical decision, it should be implemented as the National Cyber Security Centre regard this a requirement for effective cybersecurity. Best advice is here: NCSC MFA Guidance \tChange the default password on your home Wi-Fi router. Hackers often find it easy to gain access to home networks. Mitigate this risk by encouraging staff to change the default passwords. Start by performing a Google search for how to do this on any home router by entering this search term: how to change the default password for (add your router name and model, i.e. Virgin Media Hub 3.0) \tEncrypt all the traffic to-and-from your devices. A Virtual Private Network (VPN) service sends your internet traffic securely through an encrypted VPN tunnel. This allows your confidential data, including passwords, to stay safe. This can be critical over untrusted and public Internet connections. While there are many VPN services available we consider https:\/\/protonvpn.com\/ to be a good example. The free version is good enough for most small businesses and individuals and can be used across all your devices. \tKeep all software updated. When security vulnerabilities are discovered in software, cybercriminals share this information and are very agile in exploiting them. Vendors generate updates and patches to block these vulnerabilities as soon as they can. You are then notified when they are available and should install them asap.Very important: Do not update from links displayed in pop-up notifications or emails: these can be faked and lead to malicious copycat websites that aim to deliver malware to your devices or to steal credentials. Update only from the vendors actual site, usually from within your account. \tProvide training and advice for staff. keep in mind this can be a particularly stressful time for staff who are new to working from home. Remind them of any relevant company security policies. Ensure they are aware of their responsibilities to keep company data safe, and know how to protect that data on devices in their home. Inform them of how to report problems. Produce \u2018How to\u2026.\u2019 style guides for everything your staff are expected to do. \tStolen or lost devices and ones needing repair. Homeworkers are more likely than office workers to have problems with their devices. Be sure a clear policy of reporting is established. This is particularly relevant to those who use their own devices for work purposes. For example, some staff might not consider reporting back to the company about a personal device, holding company data, which is later stolen. \tLimit access to company systems and data. When setting up staff to work from home, cybersecurity risks are increased. Avoid giving anyone blanket access to systems \u2013 allow access only on a \u2018need to use\u2019 basis. It may not be possible to monitor data on employees home-based devices thus increasing the threat from malicious insiders. Ensure wherever possible that data is encrypted on those devices. More in depth information here: NCSC insider threats \tUSB\u2019s, transferring data & security. When USB drives and data cards are readily shared, a who-what-where-when scenario can develop over who has used them.\u00a0GDPR goes out the window!Require staff to transfer files using alternative means. A common small business solution is to use encrypted cloud storage. Staff can be given their own logins with multi-factor authentication (MFA. Here is an up-to-date Top 10 review of these services: Techradar review of the best cloud storage \tStay alert to phishing attempts. Continuing their use of emails, text messaging and phones, cybercriminals are busy harvesting user credentials, such as usernames and passwords, to gain access to company accounts.With COVID-19 as the imperative, they are causing panic and prompting people into hasty, erroneous actions. Watch out for these tactics which are in addition to all the usual ones. \tBe Alert to Fraud & Other Scams. Attackers employ numerous methods to defraud small businesses of money and assets. Cybercriminals are agile, intelligent and highly motivated. They rely on psychological tricks to achieve their goals. They use our ignorance and inattentiveness against us.Vigilance and knowledge are our best defences. Relevant and effective, online cybersecurity awareness training courses are available for all levels of staff and management through Phishing Forensics Cybersecurity Awareness Training. \tData access after returning to the office. After this Coronavirus crisis has passed, most of us will return to our office environment. When staff have used their own devices, company data and system access remain on that equipment indefinitely. At that point, have a procedure ready ensuring all passwords on company systems are changed. Also ensure company data is removed from all staff devices that are no longer used for work. What next? The most essential thing we all do is follow medical advice and stay safe from COVID-19, it is also important that we stay vigilante with our cybersecurity. After all, I doubt any of us would allow strangers to wander freely through our offices while our backs are turned. Who knows what the consequences could be! From all of us at Phishing Forensics, we wish you well and hope that you and your families stay safe during this outbreak. Feel free to leave a comment in the section below if you have anything to add, we would be glad to hear about it.