While employee safety and maintenance of productivity are critically important, remote work arrangements during the COVID-19 pandemic have potential security implications that cyber criminals may attempt to exploit.
Crises by nature disrupt the natural order of things, and consequently security awareness should be a top priority.
Agilient considers that the challenge for many organisations will be scaling technology securely and effectively, especially where new IT practices are being introduced in a hurry during the COVID-19 pandemic.
We are currently responding to many important queries raised by CEOs and executives, and thought you might find some of the typical questions we receive and our recommendations helpful.
Q1: What vulnerabilities are created by people working from home?
Cyber risks: Remote work risks include malware infection, unauthorised access, loss of data security and the use of unsecured personal devices by staff.
Malware, links to malicious sites and, by one industry estimate, 97% of ransomware are delivered via phishing emails, especially targeted spear-phishing. Recommended mitigations include:
- Use security awareness training packages to help management educate all employees to recognise and report phishing attempts;
- Remind employees to always independently verify requested information. For example, a supplier requesting a change to bank account details should be followed up by calling the supplier on a previously known number (not one given in the email) to confirm whether the request is legitimate;
- Ensure employees’ remote devices have current security patches and protections applied to minimise the organisation’s exposure to cyber-attacks;
- Remind all staff that shared computers at home are potential sources of data breaches, i.e. another user may have inadvertently allowed a shared computer to be infected with malware that can steal credentials;
- Ensure remote workers understand the importance of protecting company data stored on their home computers. On a shared machine, company data should sit under a separate user account with encryption and access control applied to the directories and files, not in shared folders;
- Because telecommuting always carries risk, use multi-factor authentication on remote access and cloud logins so that a stolen password alone is not enough to gain access;
- Use mobile device management (MDM) to set up a managed work partition or profile on a BYOD phone, tablet or computer, so company data can be wiped without touching personal data;
- Use endpoint protection together with device compliance (posture) checks, so that a remote device is refused a connection to the company network unless it is running a supported OS version with current patches and anti-malware updates applied.
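The last point above describes a device compliance (posture) gate: a device is evaluated against policy before it is allowed onto the company network. The following is an added example of such a check, not code from the original article or from Agilient; the policy thresholds, version numbers and device records are constructed assumptions used for illustration.

```python
"""Device posture check before granting remote network access.

Added example for the compliance gate described in the article. It is not code
from the article or from Agilient; POLICY, the device records and TODAY are
constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Policy:
    min_os_version: dict            # os_family -> minimum (major, minor, build)
    max_patch_age_days: int         # OS patches must be newer than this
    max_av_signature_age_days: int  # anti-malware signatures must be newer than this
    require_disk_encryption: bool = True
    require_endpoint_agent: bool = True


@dataclass
class Device:
    name: str
    os_family: str
    os_version: tuple               # (major, minor, build); tuples compare lexicographically
    last_patched: date
    av_signatures_updated: date
    disk_encrypted: bool
    endpoint_agent_running: bool


def evaluate_posture(device, policy, today):
    """Return (allowed, reasons).

    Every failing check is collected rather than stopping at the first one, so
    the help desk can tell the user everything that must be fixed before the
    device can reconnect.
    """
    reasons = []

    minimum = policy.min_os_version.get(device.os_family)
    if minimum is None:
        reasons.append(f"unsupported OS family '{device.os_family}'")
    elif device.os_version < minimum:
        reasons.append(f"OS version {device.os_version} is below minimum {minimum}")

    patch_age = (today - device.last_patched).days
    if patch_age > policy.max_patch_age_days:
        reasons.append(f"OS patches are {patch_age} days old (limit {policy.max_patch_age_days})")

    sig_age = (today - device.av_signatures_updated).days
    if sig_age > policy.max_av_signature_age_days:
        reasons.append(f"anti-malware signatures are {sig_age} days old "
                       f"(limit {policy.max_av_signature_age_days})")

    if policy.require_disk_encryption and not device.disk_encrypted:
        reasons.append("disk encryption is not enabled")

    if policy.require_endpoint_agent and not device.endpoint_agent_running:
        reasons.append("endpoint protection agent is not running")

    return (not reasons, reasons)


# Constructed policy and device records (assumptions, not real fleet data).
POLICY = Policy(
    min_os_version={"windows": (10, 0, 18362), "macos": (10, 15, 0)},
    max_patch_age_days=30,
    max_av_signature_age_days=3,
)
TODAY = date(2020, 4, 1)

COMPLIANT_LAPTOP = Device(
    name="corp-laptop-01", os_family="windows", os_version=(10, 0, 18363),
    last_patched=date(2020, 3, 20), av_signatures_updated=date(2020, 3, 31),
    disk_encrypted=True, endpoint_agent_running=True,
)

STALE_HOME_PC = Device(
    name="family-pc", os_family="windows", os_version=(10, 0, 17134),
    last_patched=date(2019, 11, 5), av_signatures_updated=date(2020, 2, 1),
    disk_encrypted=False, endpoint_agent_running=False,
)

if __name__ == "__main__":
    for dev in (COMPLIANT_LAPTOP, STALE_HOME_PC):
        allowed, reasons = evaluate_posture(dev, POLICY, TODAY)
        print(dev.name, "ALLOW" if allowed else "DENY", reasons)
```

In practice the device facts come from the MDM or endpoint agent inventory rather than being typed in, and the allow/deny result feeds the VPN or conditional-access policy; the value of the function is that it reports every shortfall at once, so a user on a shared home PC is not sent back and forth fixing one item at a time.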
Cloud-related risks: Organisations that had not migrated to the cloud before the outbreak of the pandemic face a new set of cybersecurity risks, and the size of the organisation and the availability of IT personnel will dictate how quickly a migration can be carried out safely.
- Cloud services (IaaS, PaaS, SaaS, XaaS) offer attractive solutions that many companies may have already implemented. However, the hybrid cloud model is likely to provide the quickest solution, and it presents several integration challenges when the cloud is used to provide overflow capacity. Preserving confidentiality and data integrity as data transits between on-premises systems and the cloud is critical: encrypt traffic along the entire path to and from the cloud, and treat the cloud connection as a network boundary so that it cannot be used as a path back into the corporate network;
- Remote access solutions that were previously lightly used are suddenly heavily subscribed. Rapid adoption of collaboration products has prompted some new or hastily drafted policies, and procedures may need refining to ensure enterprise-wide adherence and effectiveness;
- Manufacturing companies that provide remote access for employees working from home to run SCADA/ICS systems normally accessed in the office should use a secure remote access method (for example a VPN or jump host protected by multi-factor authentication) to get onto the office network and connect to the Operational Technology from there. Access to ICS should never be published directly on the internet;
- Companies that contract new suppliers at short notice could be exposed to new supply chain attacks;
- Fraud emails (business email compromise) have overtaken ransomware as the preferred and most profitable cyber-criminal income stream. Social engineering is a significant tool in attackers’ arsenals, particularly in the current unusual circumstances. Attackers gather information, obtain authorised access and persuade staff to remit funds to them because the request appears authentic.
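The phishing and fraud-email points above (spear-phishing as the main malware delivery route, and payment-diversion fraud that relies on a request appearing authentic) share a set of header and content indicators that can be checked automatically before a message reaches the accounts team. The following is an added example of such a check using only the Python standard library; it is not code from the original article or from Agilient, and the trusted domains, keyword list and the two sample messages are constructed assumptions.

```python
"""Flag business-email-compromise and spear-phishing indicators in a message.

Added example, not code from the article or from Agilient. TRUSTED_DOMAINS,
PAYMENT_KEYWORDS and both sample messages are constructed assumptions.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed: the organisation's own domain and a known supplier's domain.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}

# Assumed phrases typical of payment-diversion requests.
PAYMENT_KEYWORDS = ("bank account", "account details", "new account", "wire", "remit", "urgent")


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance; small distances between domains suggest a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted, max_distance=2):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    return next((t for t in trusted if edit_distance(domain, t) <= max_distance), None)


def body_text(msg):
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    chunks = []
    for p in parts:
        payload = p.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode(p.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def bec_indicators(raw_message):
    """Return a list of human-readable indicators found in the message (empty if none)."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    found = []

    # 1. Replies are redirected to a domain other than the apparent sender's.
    if reply_addr and reply_dom != from_dom:
        found.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # 2. Sender domain is a near miss of a domain the organisation trusts.
    imitated = lookalike_of(from_dom, TRUSTED_DOMAINS)
    if imitated:
        found.append(f"sender domain {from_dom} resembles trusted domain {imitated}")

    # 3. Subject or body uses payment-change language.
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    hits = [k for k in PAYMENT_KEYWORDS if k in text]
    if hits:
        found.append("payment-change language: " + ", ".join(hits))

    # 4. The receiving mail gateway did not record a DMARC pass.
    if "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        found.append("no DMARC pass recorded in Authentication-Results")
    return found


def is_suspicious(raw_message, threshold=2):
    """Two or more independent indicators is treated as worth holding for manual verification."""
    return len(bec_indicators(raw_message)) >= threshold


# Constructed sample messages (not real mail).
SUSPECTED_FRAUD = """From: "Dana Lee (CFO)" <dana.lee@example-c0rp.com>
Reply-To: dana.lee.cfo@mail-example.net
To: accounts@example-corp.com
Subject: URGENT: updated bank account details for ACME invoice
Authentication-Results: mx.example-corp.com; spf=pass; dkim=none; dmarc=fail
Content-Type: text/plain; charset="utf-8"

Hi, please remit today's payment to our new account details below.
"""

LEGITIMATE_INVOICE = """From: "Sam Patel" <sam.patel@acme-supplies.com>
To: accounts@example-corp.com
Subject: March invoice attached
Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Hi team, the March invoice is attached. Nothing has changed on our side.
"""

if __name__ == "__main__":
    for label, raw in (("fraud", SUSPECTED_FRAUD), ("invoice", LEGITIMATE_INVOICE)):
        print(label, is_suspicious(raw), bec_indicators(raw))
```

None of the indicators is conclusive on its own (a genuine supplier may legitimately set a Reply-To, and DMARC is not universally deployed), which is why the function returns the full list and the decision is made on their combination. The automated flag is a prompt for the human step the article recommends: call the supplier on a known number before any bank details are changed.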
Privacy and data breach risks:
- Business Continuity Plans or contingency arrangements should allow for an anticipated increase in remote-conferencing capacity. Uptake of web-based video conferencing services such as Zoom and WebEx, which allow staff, clients and service providers to communicate via the web, has skyrocketed. Recent media articles have raised concerns about serious and unresolved issues around Zoom’s security, privacy and data use, which could prove costly for consumers;
- Online collaboration services, such as Slack and Microsoft Teams, enable employees to work together online. Agilient favours MS Teams for its security controls;
- The uptake of telehealth has dramatically increased in response to COVID-19. Hospitals and health service providers are justifiably sensitive to cyber-related disruptions to their operations, as a data privacy breach disclosing personal patient information can have significant consequences. The Australian Privacy Principles (APPs) continue to apply to employees working remotely. Consequently, agencies and employers need to apply the same security measures for employees working remotely as they would in normal circumstances.
Q2. During COVID-19, what are the essential inclusions in an organisation’s risk management and cybersecurity plans?
- Key person risk during a pandemic presents a significant threat to businesses, and communication of emergency plans to employees and key stakeholders is essential. Therefore, the chain of command in the event that the CEO, CISO or IT Help Desk personnel become incapacitated must be communicated to all stakeholders;
- Your remote working security policy should disallow remote printing of company data. If printing of some material is essential, it should be shredded when it is no longer needed;
- A password management policy (minimum length, no reuse across services, use of a password manager) should be in place;
- Access to your organisation’s data should follow least privilege, with access rights reviewed as staff change roles;
- Government Work, Health and Safety (WHS) requirements for working from home or remotely should be adhered to;
- Allocate time for staff security awareness training and testing to ensure that appropriate levels of education and understanding are achieved.
Your employees are required to comply with relevant risk management and cybersecurity policies, including:
- Knowledge and understanding of their responsibilities if/when an organisation’s emergency risk plan is activated;
- Keeping the physical workplace at home secure;
- Keeping personal and work-related information segregated;
- Only using company-approved storage, i.e. not personal USB sticks or external hard drives;
- Avoiding public Wi-Fi, and using the company VPN so that internet traffic is encrypted;
- Shutting down devices when not using them;
- Immediately reporting any suspicious activity to the relevant IT contact.
Q3. How important is employer communication during the COVID-19 pandemic?
- It is essential to communicate accurately and often with employees and all other stakeholders;
- Your communication must be clear and consistent in style to mitigate against conveying mixed messages or misinformation and to allay stakeholders’ fears or concerns;
- Only source and disseminate authorised information e.g. from entities such as the World Health Organisation, the Australian and State or Territory Governments and reputable news agencies;
- Employees should be discouraged from sourcing potentially incorrect or misleading information via social media;
- Consider using various communication channels to convey the same information e.g. WhatsApp, YouTube video or email to ensure maximum uptake.
Essential information should include:
- The current status of the situation and the business impact being experienced;
- WHS guidelines regarding remote work/in-house arrangements;
- Management’s expectations of their employees regarding adherence to the risk management strategy, including cybersecurity risks and the Business Continuity Plan.
Q4. What should CEOs be asking their CISOs?
Many CEOs are dealing with a multitude of operational problems caused by the Coronavirus pandemic. CISOs are critical to contingency strategies, given that technology mediates most business interactions.
The priority for CTOs or CISOs is to ensure that their organisations can manage the major and sudden spike in demand for remote-working capacity caused by the closure of offices and other facilities.
Agilient recommends that CEOs should ask their CISOs:
- Are the new working from home arrangements proven to be secure?
- What is our security awareness regime and current position?
- What were the results for the security testing of the new/improved online presence?
- What extra measures in terms of management frameworks, policies or IT can we put in place to help us manage and assist staff as they adjust to these new circumstances?
- How will our cloud providers manage a potential workforce shortage during the COVID-19 pandemic? Cloud computing provides effective remote work options, but it also exposes the organisation to supply-chain risk if a provider’s own operations are disrupted.
Q5. Do you have any other advice for CEOs?
Change often causes workplace stress and some areas of businesses are significantly busier while others may be idle.
- As optimising workforce effectiveness may involve reallocating people and additional training to prepare them for the new role, employees should be advised how their effectiveness or performance will be measured;
- Flexibility and sensitivity should accompany an organisation’s agile mindset as everyone comes to grips with the ‘new normal’;
- Reinforcing messages about safe hygiene practices in the home and workplace to minimise the spread of Coronavirus, as it can remain viable and infectious in the air for hours and on surfaces for days;
- From an IT perspective, software packages and services with proven track records are available to help with threat identification, telecommuting, capacity expansion, security awareness education and ongoing assessment;
- Be aware that supply chains are attack points, e.g. the recent Toll Group ransomware breach, after which some of their customers also suffered infections by a similar cryptovirus;
- Consider whether vendors having ISO 27001 Certification in place is relevant for your organisation;
- Consider conducting a security assessment of suppliers’ networks, policies and practices to provide assurance of their cyber resilience.
One optimistic aspect of managing organisations during a pandemic like COVID-19 is that it provides an opportunity to build enterprise-wide trust and resilience.
Agilient’s consultants are available now to assist you in strengthening your organisation’s security to mitigate risks during the current COVID-19 pandemic. Contact us today to find out how we can assist you.
Author: Phillipa Lee, Agilient Consultant