COVID-19 has changed the way America is working, with businesses needing to close their doors or encouraging remote work for their employees. Federal government agencies haven’t been exempt. The Office of Management and Budget (OMB) recommended maximum telework flexibility for those eligible, and safety leave for people who aren’t.
With such a massive and critical workforce moving from nondescript cubicles to their home offices, how can we protect them and the mission while still maintaining the critical functions they support?
For employees working from home, from both the government and the private sector, how does our new (hopefully) temporary situation introduce risk, including data theft?
The OMB noted in its FAQ from March 22 that VPNs, employee training, not using personal accounts or devices, and avoiding social media for government business would all be important, but also that a large risk arises when employees need to access government systems that enforce automatic lockout.
All accounts without PIV/CAC or special hardware two-factor authentication are at risk of account takeover. Passwords are challenging. They are constantly at risk of being stolen, and password reuse seems to be getting worse rather than better. With the constant theft of passwords, NIST has even recommended that organizations not use any “passwords obtained from [a] previous breach.”
With that in mind, knowing which passwords have already been stolen (even when it was someone else who used the same one) is critical to ensuring that accounts can’t be taken over at a time when support requests can be overwhelming and social engineering can be easy (we’re finding that the global pandemic is creating more opportunity for bad actors).
Keeping government work credentials limited to work accounts, and not reusing them for personal accounts, is an important guideline. For employees who were zoning out during security training, it’s critical to know when and where your credentials are exposed to remediate the problem as quickly as possible.
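The breached-password check the NIST guidance calls for can sit directly in the password-reset path. The example below is added here to illustrate that; it is not SpyCloud's code or API. It screens a candidate password against a small constructed breach corpus (the three passwords and their counts are made up for the example) using a simulated k-anonymity range lookup, where only the first five hex characters of the SHA-1 digest are sent to the lookup and the full hash never leaves the caller. The `range_lookup` interface and the length threshold are assumptions of the example.

```python
import hashlib

# Constructed sample breach corpus for this example (not real breach data):
# plaintext passwords seen in a hypothetical earlier breach and how often.
# In practice this would be a locally held breach corpus or a range-query
# service; only the hashed form is kept in memory below.
SAMPLE_BREACHED_PASSWORDS = {
    "password123": 7,
    "Spring2020!": 3,
    "letmein": 12,
}


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest. SHA-1 is used only because that is the
    form most breached-password corpora are distributed in, not as a
    password-storage hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Hash-indexed corpus: full SHA-1 hex digest -> occurrence count.
_CORPUS = {sha1_hex(p): n for p, n in SAMPLE_BREACHED_PASSWORDS.items()}


def range_lookup(prefix: str) -> dict:
    """Simulated k-anonymity range query (assumed interface for the example).

    The caller supplies only the first 5 hex characters of the digest and
    gets back every (suffix, count) pair under that prefix, so the full hash
    of the candidate password is never sent to the lookup service.
    """
    if len(prefix) != 5:
        raise ValueError("range queries take a 5-character hex prefix")
    return {h[5:]: n for h, n in _CORPUS.items() if h[:5] == prefix}


def breach_count(password: str) -> int:
    """Number of times the password appears in the corpus (0 if never seen)."""
    digest = sha1_hex(password)
    return range_lookup(digest[:5]).get(digest[5:], 0)


def check_new_password(password: str, min_length: int = 8) -> tuple:
    """Screen a candidate password at reset time; returns (accepted, reason).

    The length floor and the breach check follow the NIST SP 800-63B guidance
    the text refers to; the threshold value is this example's assumption.
    """
    if len(password) < min_length:
        return False, "too short"
    seen = breach_count(password)
    if seen:
        return False, f"appears in a previous breach ({seen} occurrences)"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password123", "Qz7!pearl-river-92", "short"):
        print(candidate, check_new_password(candidate))
```

Rejecting a breached password is only half of the workflow; the same check is worth running over existing accounts so that a user whose current password later turns up in a breach is pushed to an automated reset rather than waiting for a support ticket.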
Another challenge for government security teams during this remote work experience is knowing when a password reset isn’t enough. If an employee is using an infected machine, whether that’s a personal device or one that’s government-provided, password resets won’t matter.
Botnets and keyloggers see when a new password is typed just as easily as they captured the old passwords. Identifying potentially infected machines or IP addresses that may be tied to employees can help security teams prevent a much bigger network infection, reducing the burden on teams that are already stressed and strained trying to support a surprise mobile workforce.
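To make the "reset isn't enough" decision mechanically, a security team can join its authentication log against a watchlist of infected hosts and addresses before choosing a remediation. The example below is added here for that purpose; it is not SpyCloud's code or data. The log lines, the infected-host watchlist and the list of exposed accounts are all constructed for the example (addresses are from the RFC 5737 documentation ranges), and the log format is an assumption. Any authentication attempt from an infected device or address, successful or not, is treated as evidence that the password was typed where a keylogger could capture it, so those accounts are routed to device remediation before a reset.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data).
SAMPLE_AUTH_LOG = """\
2020-03-23T08:01:10Z user=jdoe src_ip=203.0.113.7 device=LAPTOP-17 result=success
2020-03-23T08:05:42Z user=asmith src_ip=198.51.100.23 device=LAPTOP-42 result=success
2020-03-23T09:12:03Z user=bchen src_ip=198.51.100.80 device=HOME-PC result=failure
2020-03-23T09:12:30Z user=bchen src_ip=198.51.100.80 device=HOME-PC result=success
2020-03-23T10:40:15Z user=mlee src_ip=203.0.113.7 device=TABLET-3 result=success
"""

# Constructed watchlists (assumed inputs): hosts and addresses a malware feed
# has tied to an infection, and accounts whose credentials appeared in a
# breach exposure report.
INFECTED_IPS = {"203.0.113.7"}
INFECTED_DEVICES = {"LAPTOP-17"}
EXPOSED_USERS = {"jdoe", "asmith", "bchen"}

# Assumed log format: key=value fields after an ISO-8601 timestamp.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src_ip=(?P<ip>\S+) "
    r"device=(?P<device>\S+) result=(?P<result>\S+)$"
)


def parse_auth_log(text: str) -> list:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def triage(events, exposed_users, infected_ips, infected_devices) -> dict:
    """Decide per account whether a password reset is enough.

    An attempt from an infected device or address (successful or failed)
    means the password was typed on a compromised machine, so the device is
    remediated before any reset. Returns
    {user: {"action": ..., "evidence": [summarised log events]}}.
    """
    evidence = defaultdict(list)
    for e in events:
        if e["ip"] in infected_ips or e["device"] in infected_devices:
            evidence[e["user"]].append(
                f"{e['ts']} {e['ip']} {e['device']} {e['result']}"
            )
    result = {}
    for user in sorted(exposed_users | set(evidence)):
        if user in evidence and user in exposed_users:
            action = "remediate_device_then_reset"
        elif user in evidence:
            action = "remediate_device"
        else:
            action = "reset_password"
        result[user] = {"action": action, "evidence": evidence.get(user, [])}
    return result


def triage_sample() -> dict:
    """Run the triage over the constructed sample data."""
    return triage(parse_auth_log(SAMPLE_AUTH_LOG),
                  EXPOSED_USERS, INFECTED_IPS, INFECTED_DEVICES)


if __name__ == "__main__":
    for user, verdict in triage_sample().items():
        print(f"{user}: {verdict['action']}")
        for line in verdict["evidence"]:
            print(f"    evidence: {line}")
```

Note that `mlee` is flagged even though the account is not on the exposure list: a shared home address that also carries traffic from an infected host is enough reason to look at the device, and a password reset on its own would simply hand the keylogger a fresh credential.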
SpyCloud clients are adapting to newly remote workforces without stressing about the security of their employees’ accounts. They are able to protect their most valuable assets (the people supporting the mission) and their access by understanding what their real risk is around account takeover and enabling automated password resets to shorten exposure windows for vulnerable accounts. To bolster efforts to detect malware infections affecting both corporate and personal systems, SpyCloud customers also receive access to infected user information to guide decisions about how to secure those machines.
In the meantime, we can all stay a little safer by:
- Educating users about how to recognize phishing attempts, particularly given the current prevalence of COVID-19 scams
- Keeping all machines patched and updated, and keeping the software on them up to date
- Ensuring that antivirus software is updated regularly
- Continuously monitoring employee breach exposures – take advantage of our free exposure check to see what data we have for your domain
Reach out if you’d like a closer look at your domain’s exposure details or access to your infected user data.