Office Hours: Webroot and COVID-19 August 25, 2020

Hello Webroot Community! 

I hope you’re all having a great week so far and staying cool. We’ll get started in a moment with your questions. 

If you didn’t have a chance to submit them earlier this week, feel free to ask below. 

Thanks!

Do you believe that Enterprise organizations, since they plan to have their employees work more and more from home instead of from the office, also should be responsible or involved in strengthening the security posture of those 'home environments' beyond the endpoints (laptops) that are most likely already owned and controlled by them? - Marco R. 

Of course, businesses want employees to work from home, the cost dynamics for them improve significantly. However, there will undoubtedly follow legislation on this as it is a severe imposition on some.  And, post-pandemic employers who don’t offer a choice will be penalized by employees forced to work under less than ideal circumstances.

But getting to the question,Yes, the employer whether enterprise or a small business needs to be responsible for that home environment if they are replacing or substituting a place of work. It will be about ensuring security, there will be insurance implications, minimum working conditions and standard equipment provided (desk, seating,  monitors) should apply equally in the home as the formal office.

There also needs to be very clear lines about what is and isn’t acceptable from a privacy and intrusion nature by the employer.

Frankly I think there is a lot more that will play out over the next few years as things return to a true ‘normal’ and implications social, psychological and environmental that are not yet fully understood – humans are social creatures and tech doesn’t deliver that, in fact the opposite.

What’s the best way of making security an important topic when many users are working from home? - Gordon K. 

At a minimum sending users’ information and education about the risks they face working at home. A weekly or fortnightly (every 2 weeks) update. You need to cover the ways scammers, phishers, cyber-criminals and other dangerous actors will try to compromise them, both technically and via social engineering.  (Growth in vishing was reported as a major problem this week by the FBI and CISA here:
https://www.zdnet.com/article/fbi-and-cisa-warn-of-major-wave-of-vishing-attacks-targeting-teleworkers/

Of course, I would also add adopting Security Awareness Training and conducting phishing simulations. We are literally releasing new phishing templates and lures every 2-4 weeks right now and doubled courses and content around WFH and COVID. Also you can trial it free for 60-days and we have new MS Azure AD so enrollment is a breeze, and now trials cover all the training content.

What's one tip you'd recommend to users facing a BEC (business email compromise) attack? – Eden

Don’t trust an email if you are being asked to do something you don’t know about, cannot verify or it’s asking you to do it immediately.

Our phishing research around the ‘psychology of the click’ published as Hook, Line and Sinker (and by the way a new version in a couple of weeks) shows that the phrase ‘act at speed, repent at leisure’ has never been truer.

So my tip is ‘think carefully’ before you act and provide anything - are you sure  it’s 100% trustworthy, really necessary, needed and if it involves money or data then check personally first, don’t be engineered by urgency.

Thanks again to @GeorgeA for answering questions and spending a little time with us today. 

If anyone has any additional questions, be sure to stop by next Tuesday, September 1, at 1:00 PM MT. or add your questions here and we’ll do our best to answer all of them.

Until next week, stay resilient!