The world is staying home, and for many staying home means working from home. But bringing work home has a sinister side effect. Cybercriminals are rubbing their hands in glee as employees unable to access secure in-office computers log on in the kitchen, den and bedroom.

With parents working on the same devices that they and their kids use to game, stream and chat, the attack surface is large and security thin. Add in the COVID-19 fear factor and a thirst for information on the virus, and you lay a welcome mat for bad agents eager to capitalize on the media frenzy

“Groups that we haven’t seen active since about 2011, 2012, malware campaign authors, they’re riding this bandwagon right now,” said Derek Manky (pictured, right), chief of security insights and global threat alliances at FortiGuard Labs. “People have to put more of a safeguard up — not only for their personal health like everyone’s doing with social distancing, but also virtual social distancing when it comes to really trusting who’s trying to send you these links.”

Manky and Renee Tarun (left), deputy chief information security officer at Fortinet Inc., spoke with John Furrier, co-host of theCUBE, SiliconANGLE’s video studio, during a remote CUBE Conversation. They discussed how companies with telecommuting employees need to become hypervigilant in their security practices.

Welcome to the new way of working

The speed at which the workforce has had to transition from physical commuting to telecommuting has caused challenges for companies unprepared for such a massive culture change.

“Companies are scrambling to ensure that they have a secure work at home for teleworkers at scale,” Tarun said. “It creates a lot of different challenges from a security perspective that a lot of organizations aren’t necessarily prepared for.”

Those challenges are both technical and educational. “Having managed endpoint security from distributed enterprise angle is very important because all of these workstations that were within the corporate network before are now ‘roaming’ or from home,” Manky said.

But as always, regardless of the security solutions put into place, the weakest link is the worker.

Whether the attack is plain, old-fashioned phishing, spear-phishing — where the attack is targeted at a specific individual or group within an organization — or anyone of a dozen other methods, employees need to be hyper-vigilant, according to Manky.

“If they’re asking for any information always, always treat that as a red flag,” he said.

Pause, think and verify before opening links or handing out information, according to Tarun. “Similar how in the physical world we’re washing our hands, we’re keeping six feet away from people, we could distance from our adversaries as well,” Tarun said.

Simple actions such as only opening attachments sent by people you know, hovering over the links to ensure that they are from legitimate sources, and calling back on a confirmed number before giving sensitive information on the phone are key.

“Take that second and really think before you start taking actions,” Tarun said. “You need to be careful and think to yourself, was I expecting this attachment? Do I know the person?”

She even recommends contacting the sender directly to ask if the file or link is legitimate before clicking to open.

Companies must crack down on slack cyberhygiene

So what are some steps that companies can take to protect themselves in the current at-home work culture?

Keeping employees in the “security loop” with weekly security updates, instructions on cyberhygiene, and patch management is key, according to Manky. But education is for nothing if employees don’t comply.

“In terms of mentality, education, cyber hygiene, that doesn’t change,” he said. “But I think the way that this is enforced now. That’s a big focus point, especially from an IT security standpoint.”

Here’s the complete video interview, one of many CUBE Conversations from SiliconANGLE and theCUBE:

Photo: SiliconANGLE