Businesses around the world have responded to the evolving health and financial risk factors posed by coronavirus disease 2019 (“COVID-19” or the “virus”) with significant workforce changes, including asking employees to work remotely to mitigate the risk of transmission in the workplace. Some companies facing more dire circumstances have taken actions including furloughing or laying off workers. Such changes not only pose challenges for businesses from a collaboration and continuity of operations standpoint, they also involve cybersecurity risks that business leaders must carefully assess and mitigate. With headlines suggesting that COVID-19 will remain a top business challenge for some time, leaders should refocus attention on how they can proactively manage risk, including from a cybersecurity standpoint.
This article outlines cybersecurity issues business leaders should take into consideration as they navigate the business changes brought on by the COVID-19 pandemic. In many industries, the current situation is causing unprecedented business disruption. As a result, organisations are either devising or revisiting strategies for weathering the storm. Leaders should identify and prepare for cybersecurity-related contingencies appropriate to scenarios their business may face, which may include (but are not limited to):
- unavailability of key personnel necessary for important cybersecurity functions;
- COVID-19-themed phishing attacks, social engineering activity and targeted intrusions;
- an abrupt transition to a partial or fully-remote workforce; and
- protection of organisational assets, including intellectual property and trade secrets, especially during workforce reductions and subsequent organisational changes.
Businesses should remain focused on proactively addressing cyber-threats
Recently reported cybersecurity attacks – including on the U.S. Health and Human Services Department and private organisations involved in the global fight against the virus – are stark reminders that leaders must not lose sight of cybersecurity threats, even as their organisations are buffeted by the unprecedented financial and operational challenges brought on by COVID-19.
Leaders will face different challenges as they chart a course for their organisations through the outbreak. An organisation’s business model, risk appetite, technology assets and footprint, workforce plans, scale, geographic footprint, and existing cybersecurity capabilities may influence priorities. As an example, a smaller business may need to prioritise implementation of foundational security measures such as mobile device management (MDM) to support effective revocation of access; virtual private network (VPN) solutions to protect data-in-transit; data loss prevention (DLP) to prevent exfiltration of sensitive information; cloud-access security brokers (CASB) to secure cloud access; and employee awareness of common attacks and security best practices. In contrast, larger corporations may have foundational controls implemented and need to focus on the coverage, maturity and efficacy of existing cybersecurity controls, as well as abuse cases likely to be exploited by a more sophisticated adversary (e.g. exfiltration of intellectual property via unmanaged devices, cloud-based solutions, or third party products).
Despite the differences, all organisations – especially those that must protect highly confidential information, intellectual property and trade secrets – should leverage industry standards and frameworks (e.g. ISO, NIST, CIS Controls, or OWASP) to ensure that cybersecurity measures are comprehensive enough to provide effective protection for key organisational data and assets. This last point is critically important. Should regulatory action or litigation arise as a result of the compromise or misappropriation of an organisation’s information, the reasonableness of the organisation’s approach to protecting its information may be scrutinised.
Ensure contingency planning addresses adequacy of staffing for important cybersecurity functions
One of the most challenging aspects of the COVID-19 pandemic is its unpredictability. The disease has affected both young and old and anyone could quickly be determined to be too contagious or ill to effectively carry out their job-related responsibilities. As a result, effective contingency planning should include testing of an incident response and business continuity plan. Organisational business continuity plans should be scoped to include key organisational functions, including cybersecurity processes. Amid contingency planning, organisations often fail to conduct an analysis of “key man risk” for critical cybersecurity processes and initiatives. In a pandemic scenario, it is important for organisations to understand vital cybersecurity processes and whether key personnel can be effectively backfilled if they become too ill to work.
We have frequently seen that even in large, extremely well-resourced organisations, critical cybersecurity functions might fall to one person with no redundancy. Too often, cybersecurity staff operate in a siloed fashion – focused on operation and maintenance of a particular security solution – and there is not enough cross-training and sharing of technical and organisational knowledge to effectively backfill key staff. In the current climate, business leaders and their cybersecurity leadership should ask themselves: “of the critical cybersecurity processes we must perform across the technology organisation, are there any key tasks where we are one person away from not being able to carry out the mission?” Given the nature of the current situation, organisations should prioritise such an analysis and implement a plan to address any identified problem areas.
Enforce cybersecurity controls for remote workers
Many larger companies will already have implemented foundational security controls to support remote work, such as MDM solutions to monitor, manage and secure staff devices and VPN solutions that encrypt data in transit and leverage multi-factor authentication (MFA). Smaller companies may not have these controls implemented but should consider adoption depending on the organisation’s scale, mission and assets. Larger companies may need to evaluate the security of VPN solutions in use by the organisation as well as other controls that support remote work, including authentication and authorisation, conditional access controls and DLP solutions.
Key considerations for all organisations include (but are not limited to):
- Whether VPN solutions, network infrastructure and devices in use by the organisation have received the latest security updates and patches.
- Whether MFA is implemented for all VPN connections.
- Whether VPN latency (the amount of time it takes between sending a request and receiving a response from the resource being accessed) is acceptable in a mass usage scenario, or whether personnel’s ability to perform key tasks is impaired.
- Whether technology and cybersecurity staff are able to effectively detect and respond to incidents and attacks through log review and other incident response and recovery tasks.
- Whether identity and access management controls are appropriately restrictive for remote work scenarios, especially access from home networks; and
- Whether the organisation has restricted the URLs – particularly malware-infected or phishing websites – that staff can access while working remotely.
Promote security awareness
Cybersecurity awareness is particularly important for organisations that may be working to implement controls to support remote work. Staff needs to be aware of key security issues including (but not limited to):
- Best practices for acceptable use of corporate technology;
- Best practices for password complexity;
- Best practices for locking unattended devices;
- Data protection and handling policies and key organisational assets that need to be safeguarded;
- The specific risks associated with public wi-fi networks, including man-in-the-middle attacks that could result in interception of corporate information;
- Guidelines for employees if secure, private wi-fi networks are unavailable, including by identifying and rejecting insecure certificates and avoiding downloading organisational information over public wi-fi, or by leveraging a mobile hotspot; and
- Increased phishing and vishing activity, social engineering and other targeted attacks leveraging COVID-19-related themes.
Protect organisational data during workforce changes
A baseline requirement for protecting corporate information at any time, but particularly during a scenario where workforce reductions are contemplated, is identifying critical hardware and software assets, prioritising their protection based on relevant abuse cases and enforcing controls to prevent unauthorised access and exfiltration of sensitive information. This is particularly important for protection of intellectual property, trade secrets and other confidential business information when workforce changes are expected.
Beyond knowing and prioritising protection of your business’s most sensitive information, there are a number of potential issues to consider ahead of potential workforce reductions and subsequent staff reorganisations:
- Whether data loss prevention (DLP) and other enterprise controls have been validated through testing to ensure that they have the appropriate coverage and operate as designed (i.e., test to ensure controls are able to prevent the exfiltration of the organisation’s most sensitive assets);
- Whether the activity of departing personnel with access to sensitive data is monitored through tools including DLP, file integrity monitoring and security information and event monitoring (SIEM) solutions;
- Whether identity and access management solutions and processes are adequately centralised to provide effective revocation of access by disabling the accounts of terminated employees; and
- Whether the organisation should conduct a comprehensive user access review following workforce reductions and subsequent organisational changes, to validate that staff have not accumulated excessive privileges through role changes.
The ultimate effects of the COVID-19 crisis are unpredictable and will obviously vary from industry to industry. But as the saying goes, “those that fail to plan, plan to fail.” Cybersecurity is no exception to this rule. Whatever your business is, paying careful attention to foreseeable cybersecurity threats and implementing appropriate safeguards will help mitigate some of the risk and uncertainty in the current situation.
Swapnil Deshmukh, CTO and co-founder, Certus Cybersecurity Solutions