COVID-19 and Preparing for Changing Cybersecurity Risks
There is no denying that the COVID-19 pandemic is significantly impacting many people’s daily lives, with “social distancing” quickly being added to the social lexicon, schools closing, and events being canceled. Additionally, many businesses are rapidly moving to a remote and work from home model. While many organizations already have a large number of employees that work remotely, some having tested mass work from home as part of business continuity planning, this situation will be new for many organizations and their employees. It is essential that during these sudden changes to business processes, that companies consider the challenges and also work to decrease Information Security risks.
While pandemic flu response has been a staple of business continuity planning for a long time and is often a subject that comes up during vendor and third-party assessments, those plans are often focused on the loss of essential staff. We don't know what the future holds, and while we certainly hope that people stay healthy, it is important to plan for the possibility that staff will be unavailable. It is important to consider things like ensuring people are cross trained for essential roles and making sure processes are well documented.
This blog will focus on the current challenges of moving to a work from home model. When looking at Incident Response or business continuity processes, effect-based scenarios are usually most productive. In this case, regardless of the cause, the effect here is that a large number of employees are now working from home or remotely with little to no notice. Organizations that have implemented robust business continuity plans and have tested these plans will be better positioned to endure the current situation.
First, ensure that your remote infrastructure is robust enough to handle the concurrent VPN connections, remote meetings, and web application traffic that working from home will generate. Be sure to consider this from both a licensing and a stress-testing perspective to ensure that remote work does not cause operational issues and/or unexpected system behavior. One of the most common things we see during business continuity testing is that there are not enough VPN licenses for the number of people that need access.
A major risk when employees are working from home is that they are no longer on your corporate Internet. They may be using insecure wireless networks or home networks with insecure home IoT devices and/or printers to access and work with sensitive corporate information. Bandwidth may also be an issue, especially with schools canceled, employees may be sharing their bandwidth with students using distance learning or streaming services.
Especially given the fact that the work from home period is likely to extend several weeks for many employees, making sure that computers are still receiving essential updates and patches should be a priority. This is an area that many organizations already struggle with for traveling salespeople and others who do not regularly work from the office, and with more employees suddenly remote, this will likely continue to be a major issue.
Consider your critical controls and whether or not they rely on physical elements that could be easily overlooked in a situation where employees are forced to work from home. Things like clearly identifying individuals over phone or email before performing sensitive tasks like password resets or releasing funds become extremely important when organizations used to in-person transactions make a shift to working remotely.
Educate your employees so they can be vigilant against attackers using COVID-19 as a pretext for gaining access to systems, data, or money. Because many businesses are responding to the virus by restricting physical access to offices, attackers can easily make requests to service desks under the guise of vendors, clients, and employees that cannot physically access the office and now need help performing business functions remotely. As with any large news story, COVID-19 will be used as a pretext for many scams and phishing attacks. The FTC and other organizations have already issued warnings about this. It is important to make sure that employees are not only aware of threats to organizational data, but also threats to their personal data and accounts as well. With any stressful situation, and with employees being understandably preoccupied and distracted by worry about their families and a myriad of other things, they may be less vigilant.
Some attackers may even be so bold as to attempt to physically access offices that have implemented aggressive work from home policies. Ensure that sensitive systems and data in these locations are locked away and closely monitored to help ensure that physical breaches do not occur while most of the workforce is working from home.
Communication is key. Keep employees updated as to the rapidly changing situation. Continue to provide security awareness information to employees, sending weekly updates and reminders about the importance of keeping data secure, and make sure people are aware of the latest issues. Remind employees that criminals will use the COVID-19 pandemic as a pretext for phishing and other social engineering attempts to help them remain vigilant at home.
Now is also a good time to ensure that monitoring programs are functioning as intended. Being able to recognize anomalous events and logins and respond appropriately is always a fundamental element of Information Security, and it is especially essential given the current circumstances.
Make sure that plans are in place for essential and business-critical functions, ensuring they will continue if assigned staff are not able to perform them. Cross-training and thorough documentation can go a long way to minimizing disruption, should staff become unavailable.
Taking action to minimize the impact of COVID-19 on the workforce is very important, but organizations should also ensure that they are adjusting controls to ensure that they do not make a bad situation worse by unnecessarily opening themselves up to opportunistic cybersecurity attacks.