Unprecedented conditions have led companies around the world to bring large numbers of home-based employees online, in some cases hundreds or thousands at a time. While speed is of course necessary to ensure business continuity, Authoriti is encouraging our customers to reconsider their routine IT checklist items during remote roll-outs. Onboarding 100 remote employees the way you usually add one presents opportunities for fraudsters waiting to capitalize on the chaos and distraction of the moment. Bad actors are known to take advantage of disruptions like this to take over accounts and create fraudulent transactions.
For example, the seemingly benign process of setting or resetting passwords for colleagues who are working remotely for the first time (or the first time in a long time) can increase your exposure to attacks such as account takeover or business email compromise. To reduce the potential for fraud, here are three simple tips for your IT team and employees to observe. They add a layer of trust and security to your VPNs and critical applications, and help you avoid a worst-case scenario:

1 - Don't trust the usual channels. When setting up or resetting a password, email, messaging, and phone calls simply can't be trusted: you never really know who is asking for a password to be changed or access granted. Rather than trying to secure an inherently insecure channel, secure the request itself that rides in the channel. Have the requester digitally sign it with a private key whose ownership is established through a PKI, so that the receiving side can verify the signature no matter how the request arrived, and any change to the request in transit breaks it.

2 - Confirm identity for every transaction. Be vigilant: colleagues on both ends of the transaction need to confirm the identity and intent of every phone caller and every email or text that carries information about the VPN setup. Don't assume the person is part of your organization without verification.

3 - Establish authorization for the transaction. Make sure that the validation includes not just multi-factor authentication of the person, but also multi-factor validation of the requested action. The signed request should state who is asking, which account is affected, and exactly what is to be done, and it should be short-lived and single-use so it cannot be replayed later. That way you know not only the identity of the person requesting the password but also what they are going to use it for, and the help desk acts on the signed request rather than on whatever was said over the phone.
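The following Go program is an added example, not Authoriti's code or product. It shows one concrete way to implement tips 1 and 3 together: the requester signs a structured request (requester, target account, action, nonce, expiry) with an Ed25519 key, and the IT side verifies the signature against an enrolled public key, rejects expired or replayed requests, and compares the signed action against the action it is actually about to perform. The ResetRequest field layout, the address alice@example.com, the fixed clock, and the in-memory key directory standing in for a real PKI are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ResetRequest is the request that rides inside an untrusted channel (email,
// chat, a phone transcript). Everything the decision depends on is inside the
// signed payload, so altering any field in transit breaks the signature.
// The field layout is this example's own assumption.
type ResetRequest struct {
	Requester string `json:"requester"`  // who is asking
	Account   string `json:"account"`    // whose credential is affected
	Action    string `json:"action"`     // exactly what is requested
	Nonce     string `json:"nonce"`      // random, accepted once
	ExpiresAt int64  `json:"expires_at"` // unix seconds; keep it short
}

// canonical returns the bytes both sides sign/verify. encoding/json keeps
// struct field order, so signer and verifier produce identical bytes.
func canonical(r ResetRequest) ([]byte, error) { return json.Marshal(r) }

// NewRequest builds a request with a fresh random nonce and a TTL.
func NewRequest(requester, account, action string, now time.Time, ttl time.Duration) (ResetRequest, error) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return ResetRequest{}, err
	}
	return ResetRequest{Requester: requester, Account: account, Action: action,
		Nonce: hex.EncodeToString(n[:]), ExpiresAt: now.Add(ttl).Unix()}, nil
}

// SignRequest signs the canonical payload with the requester's private key.
func SignRequest(priv ed25519.PrivateKey, r ResetRequest) ([]byte, error) {
	msg, err := canonical(r)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// Verifier is what the IT side trusts: enrolled public keys (a real PKI,
// reduced to a map for this example) and the nonces already consumed.
type Verifier struct {
	Keys map[string]ed25519.PublicKey // requester -> enrolled public key
	Seen map[string]bool              // nonces already accepted
}

// Verify checks identity (signature by an enrolled key), freshness (expiry and
// nonce) and authorization of the action: approvedAction is what the help desk
// is about to do, and it must match the action the requester actually signed.
func (v *Verifier) Verify(r ResetRequest, sig []byte, approvedAction string, now time.Time) error {
	pub, ok := v.Keys[r.Requester]
	if !ok {
		return errors.New("requester not enrolled")
	}
	msg, err := canonical(r)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("bad signature: payload altered or wrong key")
	}
	if now.Unix() > r.ExpiresAt {
		return errors.New("request expired")
	}
	if r.Action != approvedAction {
		return fmt.Errorf("action %q not authorized (about to perform %q)", r.Action, approvedAction)
	}
	if v.Seen[r.Nonce] {
		return errors.New("replay: nonce already used")
	}
	v.Seen[r.Nonce] = true // consume only after every check has passed
	return nil
}

// RunScenarios exercises the happy path and the failure modes the text warns
// about. A nil value in the returned map means the request was accepted.
func RunScenarios() (map[string]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key, never enrolled
	now := time.Unix(1_700_000_000, 0)                    // fixed clock for reproducibility
	v := &Verifier{Keys: map[string]ed25519.PublicKey{"alice@example.com": pub}, Seen: map[string]bool{}}
	mk := func(requester, action string, priv ed25519.PrivateKey) (ResetRequest, []byte) {
		r, _ := NewRequest(requester, "alice@example.com", action, now, 10*time.Minute)
		s, _ := SignRequest(priv, r)
		return r, s
	}
	out := map[string]error{}
	req, sig := mk("alice@example.com", "reset_password", priv)
	out["valid"] = v.Verify(req, sig, "reset_password", now)
	out["replay"] = v.Verify(req, sig, "reset_password", now) // same request a second time
	tampered := req
	tampered.Account = "cfo@example.com" // swapped in transit by an attacker
	out["tampered_account"] = v.Verify(tampered, sig, "reset_password", now)
	r2, s2 := mk("alice@example.com", "reset_password", priv)
	out["action_mismatch"] = v.Verify(r2, s2, "grant_vpn_admin", now) // help desk talked into doing more
	r3, s3 := mk("alice@example.com", "reset_password", priv)
	out["expired"] = v.Verify(r3, s3, "reset_password", now.Add(24*time.Hour)) // replayed a day later
	r4, s4 := mk("mallory@example.com", "reset_password", malloryPriv)
	out["unenrolled"] = v.Verify(r4, s4, "reset_password", now)
	return out, nil
}

func main() {
	out, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, res := range out {
		fmt.Printf("%-16s -> %v\n", name, res)
	}
}
```

Only the "valid" scenario is accepted; the replayed, tampered, over-reaching, stale and unenrolled requests are all refused regardless of how convincing the accompanying email or phone call was. In a deployment the map of enrolled keys would be backed by certificates issued by your PKI and the nonce store would be persistent and shared across help-desk staff.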