With most companies operating as a remote workforce, it can be easy to blur the lines between "work" and "home," increasing your vulnerability to cybersecurity attacks. In this episode, RJ Sudlow covers the little things that play a factor in keeping you and your data protected and offers advice on three steps you can take now that will help you stay safe and hopefully vigilant, while being part of a remote workforce.
[00:00:09] JL: Welcome to today's edition of DHG’s GrowthCast. I'm your host, John Locke. At DHG, our strength lies in our technical knowledge, our industry intelligence, and our future focus. We understand business needs and are laser-focused on company goals. In this ever-changing world, DHG's GrowthCast provides insights and thought-provoking conversations on topics and trends that address growth opportunities and challenges in the current and future marketplace. Thanks for joining us as we discuss tomorrow's needs today.
[00:00:42] ANNOUNCER: The views and concepts expressed by today's panelists are their own and not those of Dixon Hughes Goodman LLP. Always consult the advice of your legal and financial professional before taking any action.
[00:00:58] JL: Today’s guest is RJ Sudlow, a Manager in DHG’s IT Advisory practice. RJ has a wide array of experiences within the information technology field, focusing primarily on penetration tests, static source code reviews, and web application security assessments. RJ operates out of our Atlanta office. For the past six years, he has led technical assessments for our firm’s clients in nearly every industry, including financial services, technology, nonprofit entities, and public sector organizations. RJ is a graduate of Clemson University and has got a Bachelor of Science in Marketing and Management Systems.
RJ, welcome to GrowthCast.
[00:01:37] RJS: John, thank you. I appreciate it. What an awesome introduction.
[00:01:41] JL: Well, it’s just great to have you here today and to talk about a topic that I'm sure if people are articulating every day, they’re thinking about it behind the scenes, and that’s cybersecurity in this age of the COVID-19 pandemic. Now, what have you noticed? There are some of the factors that are impacting the organization when it comes to cybersecurity in this really day-to-day work-from-home environment. What do people need to know?
[00:02:10] RJS: Yeah. I think the biggest thing that we've noticed is really trying to educate employees on the difference between their work person and their home person, right? It’s very easy to get into the mindset. When you get in the car, you go to the office, and you sit down and boot up your work laptop about the things to look for; checking your emails and not responding to phishing ones or making sure you don't go to sketchy websites on your work laptop. But when you take a step back and now the new normal is working remotely, that drive to the office now becomes getting up and going to the shower and then hopping right over to the computer, right? Maybe a trip to go get some coffee. Those lines are being blurred a little bit. In some cases, people are using their own work devices that they had. They just took them with them. In some other cases, they’re just using their home laptop or their own computer. We’ve noticed a big uptick of people that are treating the work environment more like their home environment and making sure that the security stays the same from one piece to the next.
[00:03:10] JL: Hey, RJ. I saw something recently about the COVID response emails companies have been sending out to their customers actually being a cover for phishing scams. Has there been an influx of cybersecurity attacks in recent months?
[00:03:23] RJS: Absolutely. I think what that has really caused – A big issue for employees is they’re used to seeing the emails that came through that were legitimate first. Inundation from organizations and companies that they might do business with on a day-to-day basis on how X, Y, Z company is handling the COVID-19 crisis. For a while, there really wasn't that much of an uptick in phishing emails that were taking advantage of that type of email that was coming through in their inbox.
But Google actually has done some metrics on it. I believe it was in April of this year. They did a study and there were over 18 million phishing emails that were being stopped that were just pertaining to COVID-19 and readiness to come back into the workforce. It’s something that if it wasn’t COVID, it might've been taken advantage of tax returns during this time of year. But I think it's something that it’s just a hot button, and the attackers are trying to take advantage of people and just prey on those people that aren't looking and spending that extra couple percentage points of interest into the emails that they’re getting.
[00:04:27] JL: Makes total sense. Are there any controls in place to mitigate these attacks, and have you noticed a much larger pressure on internal IT departments as a result of these types of cybersecurity threats?
[00:04:38] RJS: Yes. There’s really two main different I guess answers to that question. One of them relies on the struggles that the IT departments of their companies and organizations that they work for are facing as far as getting their environment ready for a, what, larger influx of remote workers. The other side is controls that you as an individual can do to focus on security as, again, we spoke about earlier that blur between your work self and your home self.
When it comes to you as an individual, there are certain things you can do. Pay special attention to the emails that you're getting. Ask yourself, am I expecting this email? Is it coming from someone that I know and I trust? Is there anything fishy about it that I’m not really 100% sure I should be answering? Then also, take it one step further and then ask yourself, how am I accessing my email? How am I accessing my corporate resources? Is it over a VPN or something that’s been set up by my organization? Or am I just really just logging in as I would normally throughout the day and not paying attention to any other extraneous factors for security?
When you take a step back and go to the internal IT side of the controls that their IT department are putting in place, those are ones that as an individual you won't really have a lot of choice in doing but it will be able to help protect you as it gets into a VPN or at using multifactor authentication to be able to access those corporate resources to make sure that when you're logging in, those resources know it's you and it’s not someone somewhere else.
[00:06:08] JL: That's really excellent. I do have a question to ask you about this really quick transition that most of corporate America made within almost like a week or two. I mean, everybody went maybe from a partial at-home work environment to an intense full-time work environment. One of the questions that I personally have been thinking about was should I have done any kind of an internal security check before I just started ramping up here? I mean, should I have checked some of my firewalls? Should I look at any kind of router settings? Because I’m thinking back through what happened and I moved into a full-time work environment in just, I mean, a couple of days. I didn't even think about that is. Is there something we should be thinking about relative to more security around our traditional, more leisurely home environment?
[00:07:05] RJS: That's a great question, and you brought up an interesting topic about how you became now a remote workforce expert in about six days. Then security was kind of something as an afterthought after you got used to the standard day-to-day basis, right?
[00:07:20] JL: Exactly. One of the easiest things I think that people can do to educate themselves and make sure they're taking security more seriously, like you said, is just go and look and see how you're connecting to the network. Are you still running the same Wi-Fi password that is written on the back of the router from when you first moved in and you never really thought about it again? Or are you not taking care to protect your passwords and you’re staying logged into your browser, so you can go check your bank account. Then when you take your 15-minute break for some coffee, you’re going to check Facebook and have those passwords stored into the same browser. It’s lots of little things like that that build on top of each other that you can do to protect yourself and ultimately protect your online persona but also your work data as well.
[00:08:07] JL: Great. Let’s help our listeners think really strategically about this if they haven’t. Consider the fact that maybe I'm not familiar with cybersecurity. What can I do going forward now to be proactive against potential cybersecurity threats?
[00:08:27] RJS: I think one of the easiest takeaways that you can do if you have, let’s say, zero interest or really zero expertise in the realm of cybersecurity. The easiest one you can do is enable multifactor authentication wherever you can on any login that you have, whether it be a personal or a business one. If it’s a personal one, that setting tells that website or that location that you're logging into that, yes, this really is me and this is me just giving you another form of identification to verify that it actually is me logging in and not someone else. That’s pretty similar to logging into a website and then sending you a text message with the code or maybe they might email that one-time passcode to you. It’s just another added layer of security to protect you from someone else that might be trying to impersonate you.
Another one that you can do as well is making sure that if you are accessing work devices or any other cloud infrastructure that has sensitive data on it, doing so from a VPN or a known safe home or network. For instance, your home network is probably going to be the most safe one that you know of just because you're there. You’re involved with it all the time. Most Wi-Fi routers that are running from home networks have an encryption method on them. Make sure you change that password, right? Don’t keep that default password around. But doing that is going to help you make sure that what you're trying to access doesn't have any other prying eyes or people that are listening in the background to see what you're getting into.
Those are really the two main things that we would recommend doing that you as an individual can do outside of what your IT department has set up for you.
[00:10:05] JL: Yeah. If you haven't revisited your home set up like me, which I am just now as I’m talking to you, it’s like, “Well, how come I didn't do this?” Now is a good time because it’s never too late, and this environment is not going to go away as far as vulnerability. It sounds like I need to go back and initially look at the way I'm set up. Look at my passwords to see if I've changed those. Set kind of a priority for me to see if I can get some multifactor authentication when appropriate, especially with sensitive websites related to financial documents. Of course, whenever appropriate, utilize a VPN if it's available. Does that kind of sum it up for us novices?
[00:10:50] RJS: Yeah, absolutely. I think the only other thing that I would add in there as well is, John, when you go back and check your router, not that I'm saying that you haven't done so, but you probably shouldn't use that same password anywhere else. Don’t use the same password for your Facebook that you would log into your bank account and then log into your DHG account. Try and keep those all separate.
[00:11:11] JL: Yeah. Password management becomes a big deal as we move forward in making sure that they’re good solid passwords and they vary throughout all the different types of accounts that we have, so yeah.
[00:11:24] RJS: Absolutely.
[00:11:25] JL: That’s a great reminder, RJ. Hey, listen. Thanks so much for spending time with us today, RJ, and sharing some of your insights around what's happening in the world of cybersecurity in this current COVID-19 era of doing business, especially for all of us who are working at home more often than not.
[00:11:45] RJS: Absolutely. Thanks for having me on, John. It’s been a pleasure.
[00:11:47] JL: Great.
End of Interview
[0:14:10] JL: You’ve been listening to DHG GrowthCast with today's guest, RJ Sudlow, Manager of DHG’s IT Advisory practice in Atlanta, Georgia. We hope you picked up a few tips on how to stay safe and protect your data in today’s work-at-home COVID-19 environment.
I’m your host, John Locke, and I look forward to reconnecting with you soon on another episode of DHG GrowthCast.