As companies have transitioned en masse to remote operations over the past few months due to the coronavirus, Brian Maletsky has had a front-row seat to some of the missteps businesses have made in terms of cybersecurity.
Maletsky, who serves as director of IT operations for Capital Network Solutions in Sacramento, spoke to Comstock’s about some of the unique security challenges businesses are facing with the coronavirus pandemic. His company provides outsourced IT, including managed IT services and security, for businesses of all sizes in the Capital Region.
Businesses have faced an unprecedented scramble in recent months, with a survey by The Harris Poll estimating in March that 51 percent of American workers had transitioned to working remotely. This came after a 2019 study by the Bureau of Labor Statistics showed that just 7 percent of civilian workers then had the option to work from home.
How many of your clients were poised for COVID-19, and how many of them were really having to learn stuff over the past couple of months?
To be honest, zero of them were ready for this. None of them.
Why is that?
No one had contingency plans to be able to figure out what they’re going to need to do to be able to make their business go forward during this.
What tends to surprise companies most, from a security standpoint, when they get into a situation of forced remote work?
The thing I have seen, not with our company but with other companies, is people have misconfigured and … (are) mapping local resources remotely on home computers and other things like that.
I think that’s where the big mistakes (have been) with this whole thing … when people were like, “Hey, we want to work from home.” They cut corners. IT companies cut corners. And you just see the uptick of remote desktop servers being compromised and/or home computers being compromised.
(Employers) should have just had (employees) connect to their remote office and then connect to their computer and then have that connection be encrypted so that all these other things don’t happen. But there’s a lot of IT companies that have been making that mistake of just misconfigured connections, really.
What sorts of new scams or hacks are you seeing emerge?
It’s always human-based. … With all this COVID stuff, people are generally interested, and they want to see as much as possible, and they get emails that say this or that and they click on links. That’s the human interface reacting to something that they’re interested in.
But, unfortunately, a lot of these campaigns have been just literally to target people for ransomware, for money, whatever the case may be; the laundry list of things that phishing campaigns do. (Though) in this case, it’s a very interesting thing for people to click on. It’s not just like, “Hey!” — the normal spam email that you get. This is very targeted, and at this point it involves everybody. So like, when you see a COVID email, you’re like, “That involves me because I’m dealing with it, too.”
What sort of security concerns should there be for small businesses with Zoom?
Unfortunately for Zoom, I don’t get it, but for whatever reason they’re the buzzword that came out from all this. … Because they weren’t a real big (target of attacks), their security was just not there. … They’ve had like five big security patches in a month, just in April (and other bad publicity and information leaks).
I really think the security problems happened because of how they’ve been developing their software. Security just wasn’t on the forefront; they didn’t think security problems were going to happen. It happened.
It’s really unfortunate, but Google, NASA; they banned the software from any of their employees using it. When you start hearing those types of names banning a piece of software, that means that their reputation is just scorn. I don’t recommend anyone using them.
What are some of the alternatives to Zoom that you would recommend?
Microsoft Teams. Microsoft is, for the stuff that they’re doing with security, they’ve always been at the forefront.
Everyone jumps on a Microsoft (operating system) mostly, a huge percentage. … They’re just more equipped as a company to deal with technology than someone like Zoom. Zoom is, literally all they do is video conferencing. They probably don’t even have a really robust security team, I can imagine.
What do small businesses need to be doing to protect themselves?
The best thing small businesses need to be doing, the first thing I always tell people when I talk to them about security … IT security is about culture. It’s about teaching people and training people to look out for things that are fishy, just like we would if we were running a store and there was a shady individual or something that didn’t look right. We’d raise our hand and say, “Hey, something’s not OK with this.”
It’s the same mentality that needs to happen in the IT industry. Just because it’s an email doesn’t mean you should treat it any … differently. It is definitely something that is trying to get into your business or trying to take money from your company or whatever the case may be.
But security awareness (and) training is just critical. And then obviously having two-factor authentication, having all the policies in place for security to protect your business.
For the typical employee when logging into systems like email, they can get a mix of different notifications sent to their cell phone. There is an app on the phone that will prompt you, or you can get a text message and sometimes you can request a call that will give you a number to enter in. Some companies have supplied their employees with cell phones and others have made them use their personal cell phones — either way, it is more secure than having no two-factor (authentication). Microsoft states that 99.9 percent of accounts hacked (in January 2020 when about 1.2 million Microsoft accounts were compromised) did not have two-factor enabled.
Stay up to date on the effects of the coronavirus on people and business in the Capital Region: Subscribe to the Comstock’s newsletter today.