Covid-19 Poses CyberSecurity Risks For Top Companies
It has been reported that COVID-19 is causing a digital threat. Forbes claims that coronavirus is a good opportunity for companies to test remote work structures. Everyone is covering COVID-19, few are covering the real risk that comes with trying to contain this virus.
Thousands of workers have been forced to work remotely as a result of this new health scare and thousands more across the globe are preparing to soon join them.
As top countries prepare to turn their brick and mortar offices into virtual work hubs, companies are forced to assess the vulnerability that comes with being remote.
Apps and platforms, like Slack and Whatsapp, that were created to help workforces sync across multiple locations can pose security that can compromise the vitality of any business.
As more employees stay home in the wake of COVID-19, it is increasingly vital for organizations to focus on the cybersecurity and privacy concerns that may arise with increased teleworking and that can pose new threats to business operations.
Here are our Top 10 issues for companies to consider:
Cybersecurity is a team sport, and organizations need to have a playbook for working together. An important aspect of preparedness for COVID-19 is for companies to work across teams and take proactive steps to ensure that key stakeholders are aligned with the company’s strategy for addressing cybersecurity risks and responding to incidents, are informed of their respective responsibilities related to preparedness and response, and are trained accordingly. This becomes even more important when employees are not co-located and need to coordinate while working remotely.
Cybersecurity preparedness and incident response are not just for technical teams. The evolving COVID-19 situation presents a good time for companies to bring together a team from key components of the organization to consider potential cybersecurity risks to the company (overall and specific to the evolving COVID-19 situation) and strategies to mitigate or otherwise respond to these risks. The team will often include representatives from legal, information technology, security, communications, Human Resources, and senior leadership.
Decisions made should be captured in the company’s policies and procedures, such as its cybersecurity incident response plan. For companies that have already gone through this process, this is a good time to revisit those decisions and ensure that they align with current circumstances.
Plan for changes in remote access and teleworking. Remote access may put a strain on an organization’s systems and connectivity options. Before implementing teleworking and remote workforce options on a large scale, organizations should assess whether their current IT capabilities, including VPNs and remote desktop systems like Citrix, can handle the increased demand and, if not, what alternatives are available or additional resources needed.
Organizations should also evaluate their bring your own device (BYOD) policies against the potential scale of usage and to ensure that policies line up with risks associated with broader usage.
Plan for compliance with industry regulations on remote access. Some industry sectors are subject to regulatory cybersecurity requirements for remote access. Government contractors, for example, may be subject to specific technical controls established by NIST SP 800-171, including access control, awareness and training, configuration management, incident response, media protection, physical protection, and system & communications protection.
This is a good time for government contractors to review their system security plans for compliance with these controls for teleworking.
DigitalBank Vault® provides sophisticated Digital Anti Surveillance technologies: military-grade encryption devices for ultra-secure anonymous communication (voice calls & text messaging) with untraceable file transfers & storage solutions
Prepare for changes in threat actor behavior. Organizations allowing remote access should be on the lookout for threat actors deploying new threats to remote workers and for an overall increase in targeting. They may, for example, use spear-phishing attacks that appear to ask company employees to validate their work from home credentials or that are intended to tempt people to open documents that result in the deployment of malicious links/files when launched. During times of increased telework, employees may also be more exposed to social media-based threats and should be made aware of those risks as well.
Assess capabilities to manage information security remotely. Organizations will need to assess their abilities to manage information security remotely, including through their current security operations centers (SOCs). This review should include determining if the company has the infrastructure in place to promptly stand up incident response teams, coordinate response activities, and communicate with key company stakeholders if the individuals involved are not co-located and primary (and secondary) systems are compromised or unavailable.
Prepare for risks associated with shared devices and networks. Shared resources, for example, using home printers and connecting to shared wireless access points, pose high risks that will need to be addressed by organizations that allow teleworking. Education, training, and workshops should be considered to alert individuals to these risks and appropriate actions to address them.
Changes in how technology is used can lead to other changes in employee behavior. While addressing technical risks, companies also need to be aware that changes in employee behavior associated with increased telework may also trigger physical security concerns. For example, teleworking often results in increased use of paper documents, and the possession and use of those documents outside of company facilities. Accordingly, policies and plans related to proper marking, handling, disposal and collection of documents containing sensitive information will need to be developed and shared. If already in place, this is a good opportunity to provide employees with a refresher on them.
Ensure that personal information, protected health information, and other regulated data is appropriately used and properly protected. Organizations will need to take steps to ensure that regulated data, including personal information (PI) and protected health information (PHI), are secured and managed in compliance with applicable laws and guidance across borders where applicable. This includes, for example, considering guidance issued by HHS to clarify permissible uses/disclosures of PHI and limitations placed on companies’ collection, use and disclosure of sensitive health information in many jurisdictions.
Organizations should also be aware that making inquiries related to employee health, including conducting medical examinations, creates potential issues under the Americans with Disabilities Act (ADA).
Ensure that supply chains are also prepared. Now is a good time for organizations to be in contact with their suppliers and vendors to assess what preparations are being made throughout their supply chain and whether those vendors will be able to continue providing goods and services without interruption. Additionally, this is a good time to review service agreements with technology vendors and have conversations about the potential impact of COVID-19 on services and resources, including their ability to accommodate the company’s changing needs in light of increased telework.
Go Dark. Use Anywhere. Leave No Trace
Companies must properly address these challenges to succeed in maintaining business-as-usual.
Securing Access to Data
One essential business security task is providing secure access to corporate accounts and data without ruining productivity altogether. This includes limiting access to sensitive information to a need-to-use basis. Companies also need to deploy additional security parameters such as two-factor authentication or additional access controls. This will reduce the likelihood of password abuse or credential-related attacks.
Enterprises need to educate their employees about online threats that can occur when working from home. In particular, employees should be aware of phishing attacks and fraudulent payment requests. Beyond communication, employees should be provided with online security training that specifically focuses on unique work-from-home risks.
The Supply Chain Links
While large companies may have the necessary know-how and technologies to support a work-from-home environment, smaller companies may not. This poses a cybersecurity threat to companies that rely on suppliers not equipped to handle these new risks.
Yet supply chains are critical to business operations. To ensure that the supply chain continues to operate also in times of work-from-home practices, companies must assess their suppliers’ readiness for a secure remote workplace.
Here are just a few questions that a company should be asking suppliers that have shifted to working from home:
Are remote work practices and policies in place?
How many employees already have remote work capabilities?
How much of day-to-day activity is suitable for remote working today?
What is the company’s remote access mechanism?
Which client devices are allowed to access the company’s digital assets remotely?
Does the company enforce 2FA for employees with remote work capabilities?
Does the company enforce strong passwords for all employees with remote work capabilities?
How does the company control access to internal services for remote working?
This process cannot scale if done manually; it must be automated. It’s important for companies to ensure that their supplier security management process provides suppliers with relevant information about their security gaps, as well as how to close them.