RISK MANAGEMENT: As coronavirus spreads, factor cybersecurity into remote-work policies
Over the past few weeks, we’ve seen individual businesses and entire industries swiftly – and sharply – curtail operations to slow the spread of the COVID-19 coronavirus. These efforts to limit contagion have upended global commerce and shifted operating models in ways that are intensifying IT risks, including cybersecurity.
In the wake of the coronavirus outbreak, many organizations are hastily shifting to a remote-work operating environment to accommodate scattered workforces. But most corporate processes, policies, and culture were not designed for a remote workforce, and that can introduce a raft of new risks to their information systems and data. Bad actors have developed new phishing campaigns based on coronavirus lures, preyed on distracted employees, and leveraged chaotic workplace conditions to slip through the cracks of cybersecurity defenses.
The World Health Organization (WHO), for instance, recently warned that scammers posing as WHO employees are sending phishing emails that encourage workers to open malware-bearing email attachments or links. Similarly, new email updates purportedly from the Centers for Disease Control and Prevention (CDC) prompt recipients to click a malicious link that lists new coronavirus cases in the recipient’s area.
Even more tempting are attacks that lure users with a live map of global coronavirus infections. Once users click the interactive map created by Johns Hopkins University, malware designed to steal credentials is installed on the user’s device, according to security site Krebs on Security.
If these threats have one thing in common, it’s this: They all rely on a persuasive combination of misinformation and fear to spur employees to action. Making matters worse, the 24/7 stream of information – and frequent misinformation – is highly distracting, creating a chaotic environment in which workers may be less vigilant about cybersecurity, even as cyberattacks intensify.
Government and private-sector organizations alike will need to address the risks associated with employees working from home during the pandemic. Hastily implemented remote-work policies can change business processes and increase threats in unanticipated ways. Increased remote connectivity, for example, expands the cyberattack surface by creating additional endpoints. These new endpoints may lack consistent security controls because businesses often initially prioritize functionality over security in times of crisis. To overcome gaps in remote-work safeguards, organizations will need to review current cybersecurity policies to make sure that the basics – strong password policies, secure file transfers, secure remote-access connectivity, and up-to-date incident-response plans – are in place and effective in a remote environment.
Compounding matters, staff may be asked to assume unfamiliar roles and responsibilities when other employees work from home or become sick. Cyber-risks can increase because employees are forced to wear multiple hats and may be unaware of security risks outside their traditional roles. Similarly, business executives are likely to be consumed with contingency management planning and may back-burner cybersecurity and privacy initiatives. Together, these factors can present the perfect opportunity for cybercriminals.
Planning an effective response to the coronavirus pandemic will require input from stakeholders across the organization. The first step will be to examine the existing business continuity and disaster recovery (BCDR) plans under the lens of a remote-work environment to make sure they are relevant and practical. The plan should carefully consider the controls and processes necessary to secure highly vulnerable remote workers.
Plans should be validated, tested, and, if necessary, adjusted before work begins. Consider, for instance, the use of virtual private networks (VPNs). VPNs are a foundational element of secure remote connectivity, but a significant increase in the number of users can degrade performance and potentially overwhelm IT help desks. IT will need to test the performance of the VPN based on volume and load capacity, and adjust bandwidth as needed.
An unexpected spike in remote workers also requires that organizations review business processes, in addition to technologies. For example, organizations should make sure that homebound workers can collaborate with others with the same ease and efficiency as on-site staff.
Establishing the right controls and processes to guide a remote-work program is as exigent as it is essential for many organizations today. Controls and processes to consider include:
- A risk-based assessment of technologies and processes to identify security gaps, particularly those related to remote access
- Enhanced network monitoring for early detection of anomalous activity
- Multifactor authentication
- Properly configured firewalls
- Anti-malware and intrusion-prevention software installed on all systems
- Patched and tested VPNs and other access tools
- Automated password-reset tools and requirements for complex passwords
- Updated incident-response plans that factor in workforce changes like a reduced on-site IT staff
- Frequent, up-to-date employee training on recognizing techniques like phishing and social engineering
- An ongoing plan to manage the cultural changes created by a large-scale remote-work program
Bhavesh Vadhani, Principal, National Director, Cybersecurity, Technology Risk, and Privacy