John Burgess, Mainstream Technologies Co-founder and President, is always vigilant in promoting security against cyber threats to his clients and the public at large. With the COVID-19 pandemic forcing more workers to operate from home to the fact that business defenses may be a little down, Burgess offered this advice and update to Talk Business & Politics Editor-in-Chief Roby Brock on how his business and clients are adapting.
Q: How are you dealing with today’s challenge with Mainstream?
John Burgess: After the snowstorm of 2012, we used the lessons learned from that event to improve our resilience. Over the next five years, we made sure every employee had a laptop and could work from home. When the COVID-19 crisis started, we were able to seamlessly transition to a work-from-home footing. Our customer service and revenue generation are intact. However, what we have discovered are cash flow issues. For example, since some customers still pay by check, we must have someone in the office to process them for deposit. The same is true with our vendors. So now, we’re researching alternative ways for processing both digital payables and receivables.
We also have tools in place to allow employees to collaborate electronically, but if I was a team of one, my only interaction with others would typically be meeting someone in the break room. Fortunately, we’ve had different people step up to maintain that connection with creative ideas such as pet photo shows, or Dr. Pepper meetings at 10/2/4, where anyone can join in. These are ways that keep our people from feeling isolated because they’re shut in at home. I won’t be surprised to see other ideas like these come up as the crisis is prolonged.
Q: How have recent events impacted cybersecurity from your vantage point?
Burgess: Responding to the virus with a work-from-home strategy has caused many businesses to weaken their security in two ways. 1) Some have voluntarily poked a bunch of holes in their security perimeters. If their security was based on their machines being in the office, then working from home just sent all of their treasure outside! They have taken their machines and put them on unverified networks. And, depending on their approach on a work-from-home strategy, their workers may also be using unverified machines, potentially creating new vectors for infection.
2) Another way that security can be weakened is by forcing people to use new tools. For many employees, they’re being asked to use new tools to connect remotely. As a result, they’re unsure how to log in, or unsure about notifications or pop-ups, and wondering if they’re legitimate. The whole situation creates opportunities for social engineering or spoofing attacks.
Q: Do you see a shift in the cybersecurity risks?
Burgess: No. We’ve just created more opportunities for them to use the same tactics they’ve been using.
Q: How do you address cybersecurity in today’s environment?
Burgess: First, many businesses are trying to figure out how to survive. Nobody really has disposable funds. The quickest, most affordable way to improve security is through workforce awareness training. Everybody needs to be mindful that we are all targets. Regardless of the business we’re in, we are all at risk and may even be potential avenues to our business partners. A bad actor may target us to get to our partners, clients or vendors.
Second, since many are using home machines for remote work, an organization’s cyber health is dependent on the cyber health of that home machine. Is it patched? Does it have a current and effective antivirus installed? Are the kids using the same computer being used for work? Kids aren’t up to snuff on security and will click anything. Be careful about putting that machine on a company network.
If working from home is a new norm, we shouldn’t treat it as a band-aid. We should take the opportunity to do it right with sound cybersecurity strategies in mind. If work-from-home is a workable, attractive model, then how can we make it as secure as possible? Once we can take a breath, let’s circle back with more planning and ways we can make it more secure, and then take steps to implement the plan.
Q: What else can be done from home to protect a company?
Burgess: Remember that the two main threats inherent in a work-from-home strategy are a weakened security perimeter, and letting your guard down. The two-step remedy for this is to 1) secure your home network: Don’t use a default password on your network. Run a firewall on it. Those features are probably already on your equipment, just make sure they’re turned on. Generally deploy the same policies used in the office.
2) Be aware and vigilant: If employees are using their own equipment, make sure they’re keeping software patched. And be vigilant about clicking on suspicious or unknown emails and links.