The coronavirus outbreak has forced businesses around the world to rapidly transition to remote working in order to continue their operations. While some companies were more prepared for this transition than others, all organizations have had to deal with a massive spike in the number of cyberattacks, phishing scams and other security-related issues during the pandemic.
To better understand how businesses have dealt with these issues and learn more about how organizations can improve their security, TechRadar Pro spoke with editor and cybersecurity expert at Private Internet Access, Caleb Chen.
In terms of cybersecurity, what have businesses learned so far from the coronavirus outbreak?
Businesses around the world have had to quickly pivot to remote work and many have discovered that they do not have the cybersecurity-conscious culture and practices in place to effectively transition in a safe way. There has been an increase in phishing attacks, and even a heightening of privacy standards for the remote tools that employees use for work – such as Zoom. I think that businesses and their employees have realized just how important, and vulnerable, internet use is without the proper protections.
What steps should organizations and individuals be taking to improve their cybersecurity posture during the outbreak?
Establishing a strong cybersecurity-conscious culture and practices is the best way to effectively improve cybersecurity for employees during the outbreak. Best practices include maintaining strong passwords or preferably passphrases, staying vigilant for phishing emails, and making sure to remember to use software such as VPNs whenever possible. There’s no reason not to encrypt your internet traffic at all times – it protects you from potential snoopers on your own network, and also the known snoopers at your ISP.
How have businesses dealt with the transition to remote working and do you think many companies will continue to allow their employees to work from home once this is all over?
Considering how sudden the switch to remote work has been in some locations, businesses have dealt extraordinarily well with the move to remote work. Many companies will continue to allow their employees to work from home after the pandemic is over.
The current trend has always been towards working away from an office. What many companies needed was an impetus to test remote work and collect data on changes in productivity to make decisions on remote work in the future. For those companies that have measured a reduction in productivity, it’s worth noting that remote work that happens post-pandemic won’t be burdened by the same workday childcare responsibilities which this pandemic has imposed on many employees.
What can businesses do to ensure that their video conferences are private and secure?
Businesses need to implement strict rules on how video conferences are used. Sound video conferencing practices include using a strong password to secure the video conference, only sending the video conference invite link to participants, not posting the link in public places, and using other built-in features like screening participants before they’re added on the call or locking the call once all participants have arrived.
Video conferencing tools, like any other software, are only as secure as the people using them. However, some video conferencing software has been discovered to have privacy or security flaws that are outside of the user’s control. All software used by businesses needs to be evaluated with their privacy and security history in mind before deployment.
VPN usage has increased significantly as more employees work from home. What advice would you give to a small business looking to invest in a VPN solution for its remote workforce?
Small businesses can participate in securing the internet connections of their employees by investing in a VPN solution. All small businesses should ensure that their employees access the internet using an encrypted connection, but not all small businesses will need site-to-site VPN functionality such as expensive solutions offered by companies like Cisco Systems and Juniper Networks. It is important to understand the differences between site-to-site VPN services and remote access VPN services. Site-to-site VPN services allow an employee to connect to a business’s servers using an encrypted connection and are generally pricier and more or less about security, not privacy. On the other hand, remote access VPN services such as Private Internet Access allow an employee to connect to the wider internet in a more secure and private way.
Private Internet Access recently added ten new server locations as part of its VPN network expansion plan. What goes into choosing data center partners and is the company planning to expand its network further?
Data center partners are chosen based on their jurisdiction, whether they have the hardware and connectivity that we require, and their historical privacy performance, among other things. Data center partners in jurisdictions that have laws on the books which are anti-privacy or require logging are not considered even if they have the capabilities we need.
One factor that we look at in particular is the data center partner’s past actions and their respect for the rule of law. If a data center provider has been revealed to cooperate with authorities in a way that could compromise our no-logging commitment, we drop them – this happened to our data center partnership with LeaseWeb in Germany, for instance.
Private Internet Access is always evaluating new data center partners to be used in new exit gateway locations. The ten new server locations established recently as part of our VPN network expansion plan were just the beginning – and PIA is planning to expand its network further in both the short term and the long term.
What benefits does the WireGuard protocol bring and what additional protections has PIA added to ensure that its server-client connections remain private?
WireGuard brings a kernel-level VPN protocol to the available VPN connection options for Private Internet Access users. It uses newer encryption algorithms and improved cryptographic techniques such as cryptographic agility and provides a solid VPN connection using substantially fewer lines of code than OpenVPN.
To protect the privacy of WireGuard-specific connections, Private Internet Access has supplemented the core WireGuard software on our VPN servers with an RSA certificate-protected RESTful API that allows us to implement the same server-client connection privacy-preserving best practices that are also present in OpenVPN and IPSec. Our VPN servers, all of which feature WireGuard, also have a daemon that deletes server-client connection data periodically whenever keepalives are no longer being sent for three minutes.
What will be the legacy of the coronavirus outbreak where cybersecurity and data privacy are concerned?
The legacy of the COVID-19 pandemic on cybersecurity and data privacy will be two-fold. On one end, internet users around the world are waking up to the fact that cybersecurity and privacy are important. On the other side of the coin, we’re seeing governments grasping with both hands and security companies salivating to try and increase their ability to invade the privacy of the average user. It is our hope that the prior wins out over the latter, and the average internet user finally comes to grips with the fact that if they fail to actively protect their privacy rights, their government will eventually erode them.
How will attitudes towards the use of location data change as a result of the pandemic? And what is the worst-case scenario when it comes to the abuse of this kind of data?
It is our fear that attitudes of individuals around the world will shift towards favoring the alleged public good over individual civil liberties. Now that governments have successfully convinced telecommunication companies to share supposedly anonymized location data with government agencies under the guise of contact tracing, the bar has been set for the kinds of crises that warrant an expansion of government surveillance powers involving ubiquitous phone location data. As time goes on, this bar will be set lower and lower and government tracing of location data may become the norm. The worst-case scenario is that the public accepts this erosion of their privacy under the guise of “public safety” and lets it happen during crises and lets it remain afterward.
What would you say cybercriminals have learnt from the crisis?
Cybercriminals are likely having a field day with the number of new vulnerable targets that have shown up on their doorsteps. I imagine that many cybercriminals have learned a lot about themselves and the depths of their depravity that they would sink to target the world during such a vulnerable time.