As recent reporting highlights, cybercriminals and nation-state actors are already seizing on this moment of panic and misinformation to use traditional hacking methods to steal data—from using interactive maps with Coronavirus infection statistics to plant malware on devices to phishing scams where hackers pose as CDC officials. While the response to COVID-19 has rightly been focused on its human toll, and as organizations take action to confront the threat posed by COVID-19, they must also prepare for the uptick in cybersecurity risks that we are seeing. Below are practical tips that can be implemented quickly without the need to rebuild your IT infrastructure or redraft policies (which likely will not be feasible in the immediate term).
- Remind Your Workforce of Phishing Dangers. Phishing is a well-known tactic that hackers have used for years, but it is a particularly powerful tool during a global pandemic when people have more questions than answers. Cybercriminals have already used phishing scams to exploit feelings of insecurity and panic, and individuals are at increased risk of falling victim to such schemes amid the chaos and irregularity of their new work arrangements. You should consider sending your workforce a reminder to be alert for phishing attempts: to treat external emails with caution, to check the actual sender address behind a display name that claims to be a health authority or your own IT staff, and to report unusual requests for their credentials rather than acting on them.
- Instruct Your Workforce on Remote-Work Best Practices. Many of your employees might not have a home office, a reliable broadband internet connection, or access to a printer. This state of play presents unique security risks you need to address. Here are some areas you should consider providing guidance on.
  - Public WiFi Networks: Unlike the office environment, you will not be able to control how employees access the internet from home or other locations. Employees may rely on unsecured wireless networks to do their work. To mitigate the risk of unauthorized access to your organization's information, you may wish to give employees instructions for securing their personal wireless network: for example, protecting it with a strong password and WPA2 or WPA3 encryption, changing the router's default administrator password, restricting network access to known devices, and updating the router firmware regularly. Employees on public or shared WiFi should treat the network as untrusted. If feasible, employees should connect to the corporate environment through a virtual private network (VPN), so that traffic between the employee's device and the corporate network is encrypted regardless of the local network; setting one up for your organization is a smaller project than it may appear.
  - Confidential Business Information: Remind your employees of the proper handling of confidential business information as they transition to remote work. If your company has sensitive data, you likely will not want your employees to forward work emails to their personal accounts or to send confidential information to a local printing shop for printing. If an employee already has sensitive information in hard copy, you should consider recommending that hard copies be kept until they can be disposed of properly when it is possible to return to the office or by using a home shredder if one is available.
  - Software Installation: As more companies shift to authorizing remote work, employees and companies will discover a variety of software tools (for conference calls and video conferences, for instance) designed to make telework easier. Be careful: an unvetted tool may store recordings, chat logs, or shared files with a third party you have never reviewed. You should consider designating which tools are preferred and approved, so that you have some control over how your information is being handled and shared, and telling employees how to request approval for anything else.
- Consider Your Approach Toward BYOD Devices. Allowing your employees to work remotely presumes that they have the devices to do so. Not all organizations issue laptops to employees, and remote work arrangements may require companies to allow their employees to use their personal devices for work-related purposes. Your organization will need to be mindful of the risks of such a BYOD approach. In deciding whether to allow such access, consider the risk your specific organization faces in light of, among other things, the necessity of employees to access your network remotely, the security protections in place to enable such access, and the potential risk of harm resulting from a compromise of your data.
  Once you have stabilized your operations, you can then consider other steps to enable secure access from personal devices, such as virtual desktop environments and mobile device management (MDM) systems.
- Ensure Your IT Team Can Conduct Incident Response Remotely. Your IT team may be limited in how it can help your workforce. Your onsite IT team might have to work remotely itself and, even if it does not, with more non-IT employees working remotely it may not be able to provide the same level of support it would to employees present in the office. Prepare for these limitations now. Ensure that your incident response protocols are clear, that incidents continue to be flagged and escalated appropriately, and that the incident response team can communicate over out-of-band channels (for example, a phone bridge or a messaging service separate from corporate email and chat) in case those corporate systems are the ones compromised. This requires clear, reliable communication channels for both internal and external parties, agreed on before an incident occurs.
- Review and Update Your Telework Policy. Although updating policies may not be your first priority among the many steps you’ll need to take to prepare your workforce for remote work, you should consider whether the emergency steps you are taking are consistent with your telework policy and make clear that the exceptions to the policy are being authorized in light of the unusual circumstances. When time permits, and with the benefit of the lessons you have learned from your organization’s initial response to COVID-19, you’ll want to take a fresh look at your telework policy and ensure that it accurately reflects your practices and cybersecurity best practices.
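The phishing reminder above tells employees what to look for; the same checks can be applied mechanically at the mail gateway or by a help desk triaging reported messages. The following is an added example (not code from the original article): a small heuristic triage script that flags the warning signs named in that section, namely an external sender, a display name claiming to be a health authority or IT staff while the address domain does not match, a lookalike domain, a Reply-To that diverges from the sender, credential-request wording, and links pointing somewhere other than the sender's domain. The internal domain (example.com), the authority-to-domain map, the phrase list, and both sample messages are constructed assumptions for illustration.

```python
"""Heuristic phishing triage for messages of the kind described above.

All domains, keyword lists and sample messages are constructed for this
example and are not taken from any real incident.
"""
import email
import re
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # assumed: the organization's own mail domain

# Assumed: words in a display name that imply authority, and the only domain
# allowed to use each of them.
AUTHORITY_DOMAINS = {
    "cdc": "cdc.gov",
    "who": "who.int",
    "it help desk": "example.com",
}

# Assumed: phrases typical of credential-harvesting messages.
CREDENTIAL_PHRASES = (
    "verify your password",
    "confirm your credentials",
    "log in to your account",
    "update your password",
    "enter your username",
)


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg):
    """Concatenate all text/plain parts of a parsed message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def triage(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)
    findings = []

    # 1. Anything not from our own domain is external (or has no usable From).
    if sender_domain not in INTERNAL_DOMAINS:
        findings.append(f"external or missing sender domain: {sender_domain!r}")

    # 2. Display name claims an authority the address domain does not back up;
    #    also catch lookalike domains that reuse the trusted first label.
    name_lc = display_name.lower()
    for keyword, trusted in AUTHORITY_DOMAINS.items():
        if keyword in name_lc and sender_domain != trusted \
                and not sender_domain.endswith("." + trusted):
            findings.append(
                f"display name claims {keyword!r} but address domain is {sender_domain}")
            if trusted.split(".")[0] in sender_domain:
                findings.append(f"lookalike domain {sender_domain} mimics {trusted}")

    # 3. Replies silently redirected to a different domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != sender_domain:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from sender")

    # 4. Credential-request wording in the body.
    body_lc = _body_text(msg).lower()
    for phrase in CREDENTIAL_PHRASES:
        if phrase in body_lc:
            findings.append(f"credential request wording: {phrase!r}")

    # 5. Links whose host does not belong to the sender's domain.
    for host in re.findall(r"https?://([^/\s>\"']+)", body_lc):
        if host != sender_domain and not host.endswith("." + sender_domain):
            findings.append(f"link host {host} does not match sender domain")

    return findings


def is_suspicious(raw_message, threshold=2):
    """Simple policy: two or more independent findings warrant escalation."""
    return len(triage(raw_message)) >= threshold


# Constructed sample: impersonates a health authority, diverts replies,
# and asks for credentials.
PHISH = """\
From: "CDC Health Alert Network" <alerts@cdc-alerts.com>
To: staff@example.com
Reply-To: recover@mail-secure-login.net
Subject: COVID-19 cases in your area - action required
Content-Type: text/plain; charset="utf-8"

New confirmed cases have been reported near your office.
Log in to your account at http://cdc-alerts.com/portal to verify your password
and view the updated infection map.
"""

# Constructed sample: ordinary internal message.
LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: staff@example.com
Subject: Remote work reminder
Content-Type: text/plain; charset="utf-8"

Please use the approved video conferencing tool for all meetings this week.
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, "suspicious" if is_suspicious(raw) else "clean")
        for finding in triage(raw):
            print("  -", finding)
```

The checks are deliberately independent so that a single one (an external sender, say) does not trigger escalation on its own; the threshold in `is_suspicious` is where an organization would tune how aggressively reported mail is routed to the incident response team.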