The COVID-19 pandemic has changed the world—fast. People are working remotely. Workforces are being displaced and some employees are being let go. And people are more than a bit scared.
But certain things haven’t changed. Hackers and fraudsters are still out in force. And your company still has legal obligations to your customers, employees, counterparties, and investors to protect them from the damage that hackers can inflict.
The question is how to meet your ordinary legal obligations in the extraordinary time of COVID-19. In short, the answer is to keep doing what you’ve been doing, but change the emphasis.
The three pillars of security—confidentiality, integrity, and availability—have not changed. But the critical “human element” of defense will play an even more vital role.
Remote working increases technical security risks
Riskier home networks
Employees are working from home, and home networks don’t always have information security comparable to the office network.
Cable modems and wireless routers often have out-of-the-box passwords that homeowners have not reset. Internet-of-Things (IoT) devices may have listening and recording capabilities.
And other family members may present risks without realizing it. (Are your kids browsing the web on your computer when you step away?)
To mitigate these risks, consider issuing or reimbursing employees for MiFis or cellular hotspots on work-issued phones. And you probably already have cyber training and awareness programs—keep those up!
Virtual private networks (VPNs) and remote desktop protocols (RDPs)
These allow employees to connect to company resources and information, but VPNs and RDPs greatly vary in security, and that might not protect against malware on an employee’s home computer.
Companies using either technology should consider enhancements, such as detecting the security of the local network the user is connected to and adjusting the type of information the employee can access.
Untested workarounds
Your organization probably already has decided which apps your employees can and can’t use at work.
But in times of stressed resources, employees may be tempted to create workarounds using unapproved apps.
You may need to weigh the risks of allowing employees to craft creative solutions. One option is to switch from whitelisting (employees can use only approved apps) to blacklisting (employees can use apps unless prohibited).
Bring your own danger
For companies that mostly use desktops at the office, it may not be realistic to procure, configure, and issue laptops or tablets for home use.
Companies may consider allowing personal computer use instead—“bring your own device” (BYOD).
But if your company goes this route, be sure to review your IT use and security policies promptly to ensure that they still provide adequate security in a world of BYOD.
Fixing things you can’t touch
Your company probably already has an incident response plan, but the plan might rest on the assumption that IT personnel will be in the office.
If IT personnel are working remotely, they may be facing an entirely uncharted challenge.
Ensure your standard operating procedures are updated to take into account remote access from off the premises.
Access control
Given the increased likelihood that a threat actor may gain entry to your system(s), you may want to reinforce your backstop security measures to limit and contain the damage.
Ensure employee contact information is updated and consider using multi-factor authentication.
Unexpected layoffs create human risk and increased room for error
Furloughed and former employees always heighten the security risk for data exfiltration, whether inadvertent or intentional.
Companies weighing classic redundancy options should consider whether layoffs en masse will overwhelm remote-working IT and HR departments, which may miss imperative steps such as access revocation.
This makes it all the more important to maintain access controls diligently.
Strong emotions heighten the risk of phishing and social engineering
We have seen an increase in social engineering attacks, such as phishing, that exploit strong emotions about coronavirus.
Employees may be scared and more likely to click on links offering information about the pandemic.
Unfortunately, hackers prey on precisely these sorts of emotions. And because there are so many COVID-19-related emails circulating, employees may have a harder time spotting a trojan-laden email.
Remind employees to check email addresses thoroughly and avoid unknown websites.
Administrators should continually update content filters to deny access to known malicious sites and email domains.
Plan for coming out on the other side of this crisis
The current challenge is to adapt to the business interruption caused by the pandemic, but companies should plan now for the challenge of returning to normalcy.
Backups, uploads, and deletions
During the course of remote working, employees may be working offline or using different software than normal, which means data is being stored outside your usual data management framework.
Companies should plan for how and when to safely migrate documents and data.
Updates to internal policies
This remote work period will likely highlight needed changes to the company’s relevant policies (e.g. business continuity plan, incident response plan, remote work policy, BYOD policy, etc.)
Consider documenting lessons learned in near-real time now so that details are not missed when aggregated and reviewed later.