Cybersecurity company eSentire knows a thing or two about viruses.

And although their expertise is in the field of computer rather than human infection, it turns out there are a few best practices that apply to both – particularly as employees move a company’s business into their homes.

Prime among them? Plan now. Plan and take proactive action. Because everyone is particularly vulnerable to security breaches right now.

"Criminal elements take advantage when we are disabled, distressed, or otherwise distracted, and kick you when you are down and strike when you can least afford it,” says Mark Sangster, eSentire’s Vice-President and industry security strategist.

“Organizations must keep employees safe and manage the associated cyber risks with travel restrictions and a workforce working from home en masse because if a data breach occurs during COVID-19, they won't get a pass.”

ESentire, based in Waterloo, specializes in keeping companies’ data and information infrastructure safe through what’s called “managed detection and response."

Sangster has put together a list of best practices for companies throughout Waterloo Region (and beyond). And the first, and perhaps most important, bit of advice?

Run a simulation in the event one of your employees tests positive for infection. Not only is a fast response crucial from the standpoint of supporting and caring for your people, their infection may indicate others in your company are at risk and that crucial business functions may be impaired. One chief security officer who Sangster works with closely is currently putting his executives and IT teams through a lunchtime table-top drill that simulates the decision-making required if an employee tests positive.

“It’s a smart approach,” says Sangster, who adds that companies should also review their business continuity plans and disaster response plan.

Other suggestions?

    • Review remote access protocols with employees. Criminals know employees are working from home. That’s go-to time for phishing lures. Reset passwords, use multi-factor authentication and restrict access to critical information not needed for everyday duties.

    • Inform employees. Remind them that cyber criminals will attempt to take advantage of the chaos created by COVID-19 through fraudulent invoicing, fake donation sites and the like. Forewarned is forearmed.

    • Speak to your supply chain. Identify supply-chain risks. Do your vendors have COVID-19 protocols? As eSentire reported last year, a survey of 650 executives found that nearly half had suffered a material business-disrupting breach as a result of vendor actions (or inactions).

    • Be vigilant and expect attacks.

And Sangster has specific tips for employees working from home. To wit:

    • Follow company policies.

    • Keep abreast of company updates.

    • Use caution when sharing COVID-19 information and ensure it comes from a credible source. People or organizations take advantage of crisis situations for their own gain, including spreading misinformation for profit. Numerous scams or untested and unlicensed treatments have been reported. More often than not, these sites contain links to malicious websites, attachments that spread malware or are intentionally deceptive.

    • Keep kids off work devices. Kids click on shiny objects which can infect your computers.

    • Keep devices up to date with latest software – new software has the strongest security profile.

    • Back up your information. Apple, Google and Dropbox offer cheap cloud storage.

    • Use passwords for online meetings.

    • Use strong passwords of at least 12 characters composed of a mix of numbers, symbols and upper and lowercase letters – and two-factor authentication.

    • Secure your home network. Your IT manager can help.