The COVID-19 pandemic creates new cybersecurity challenges for organizations of all sizes around the globe.
With government directives for social distancing, including “stay-at-home” mandates both at the state and local levels, many businesses are struggling with business resiliency, cybersecurity for newly remote workforces, and meeting operational goals within these new parameters.
According to Global Workplace Analytics, prior to the outbreak, only about 7% of U.S. employers made remote work available for all or most employees. Fewer than 4% of employees worked from home at least half-time or more frequently.
While technology and marketing led the field for most remote work opportunities, others such as business administration and management followed behind. Today, however, as a result of the coronavirus pandemic, more companies are adopting remote-friendly work options.
Will coronavirus forever alter how companies approach telecommuting? And what unique cybersecurity challenges will organizations face as a result?
Before we dive into those cybersecurity challenges, let’s take a quick look at some benefits and drawbacks for working remotely.
- Almost 80% of surveyed remote workers say they are more productive when working remotely.
- In that same survey, 30% say they’re more effective and get more work done in less time.
- Employees also report some degree of additional personal satisfaction and better quality of life.
- Remote work also is noted for saving money—for both employee and employer. One report shows remote workers saving more than $5,000 based on expenses, with another noting the average employer could save about $11,000 per year for each half-time telecommuter.
- Some remote workers say they’re unable to disconnect from work when working from home, compared to when they are in an office environment.
- Remote workers say they often work more hours when they telecommute.
- Although remote workers may put in more hours, they may feel disconnected from their teams.
- Remote work also creates unique challenges for cybersecurity and data privacy, especially for companies that haven’t implemented remote work policies and procedures.
- Many remote workers say they haven’t received adequate cybersecurity
Cybersecurity Challenges for Remote Teams
When social distancing and other measures went into place across the U.S., many organizations suddenly faced closing their doors and figuring out how to equip employees with tools and resources to work from home.
Unfortunately, many weren’t prepared to make that transition as quickly as the situation demanded.
In a recent Apptega webinar, about half of attendees said that although telecommuting isn’t a new concept for their organizations, they previously didn’t have a lot of regular remote workers. And while 64% indicated their company had existing remote security policies, almost 40% either didn’t or were unsure if their company did.
But even for organizations with existing policies, the sudden influx of remote workers leaves IT teams struggling for quick—and effective—solutions. The reality is that some of these fast, pressure-driven decisions could put sensitive data and information at risk.
“BYOD” and Using Your Own Devices
In a typical work setting, if employees are allowed or required to use their own devices for work, the organization generally has policies and regulations that outline acceptable use and highlight protocols to keep protected information safe.
Where bring-your-own-device (BYOD) isn’t supported, organizations often offer company-issued tools, such as tablets, laptops, and/or mobile devices. But what happens when your organization doesn’t have enough of these devices to serve the volume of employees now forced to work from home?
In these situations, oftentimes companies may permit personal device usage. That means the tablet your employee’s child uses to watch YouTube videos at home could be the same device that is used to access your company data and systems.
Or maybe your employee at home will use personal email to transfer data and files.
Or maybe your employee doesn’t have a secure Wi-Fi connection and has never heard of—or used—a VPN.
Without proper, advance training, how do you protect your company’s data and still meet regulatory compliance?
When talking with your team members about how to protect your company’s data and resources in remote environments, consider an example that’s making headlines right now.
Just like you should wash your hands frequently, you should also frequently practice good cyber hygiene.
That cyber hygiene begins with three core areas: strong passwords, network access, and identity access management.
For all employees—whether they’re using their own devices or a company-issued one, strong passwords are imperative for data protection.
Remind employees they should never share passwords with others (including leaving sticky notes stuck to monitors or desks with reminders), and they should not re-use the same password across multiple systems, devices, or applications—especially repeating passwords they use personally for professional use.
And while it may seem like a no-brainer, don’t forget to emphasize the importance of setting up passwords that are hard for hackers to guess.
A best practice recommendation is to stay away from simple words like “password” or “12345.” Instead, use phrases that include both numbers and letters that won’t be easily guessed.
If your employees struggle to remember complicated passwords—or they’re frustrated by systems that require them to frequently change and not re-use old passwords—encourage them to use a secure password program such as LastPass.
If your employees use mobile devices like a smart phone or tablet, encourage them to use longer six-digit passwords and, where possible, enable multi-factor identification (also known as MFA, 2FA or two-factor authentication) such as a text or email notifications or through a verification application like Google Authenticator.
While no password is fail-safe, these steps can make passwords more challenging to hack.
Network access refers to communication between your connection (for example, ethernet, Wi-Fi, or hotspot) and your computer network.
While your company network may have the best-of-the-best protections, what happens when employees switch to home networks or choose to use Wi-Fi in public places?
All connections can be vulnerable for attack, so be sure to encourage your employees never to use public or unknown connections for work.
Even at home, employees should ensure their personal connections are protected, and, as mentioned earlier, that begins with strong passwords that aren’t easy to hack.
If you can, require all of your employees, regardless of access level, to connect to your operational systems, applications, and data through a virtual private network (VPN).
VPNs protect data exchanges similar to the ways data would be protected if accessed through your private, secure network. Make sure your employees have access to the most current, up-to-date versions of your recommended VPN to help prevent potential hacker access to known vulnerabilities or weaknesses.
Identity Access Management (IAM)
But even if you’re confident your employees use secure connections and VPNs, don’t let your guard down.
If all your employees have full access to all your data and systems, you’re putting your organization at risk.
Instead, limit network access to the minimum level your team members need to complete their specific job function or role. The least amount of access granted can help better secure your data.
During this pandemic, you could experience higher than normal turnover in your teams. Don’t forget about IAM for employees, contractors, or key stakeholders who leave your organization. While you can set a schedule to check access levels and terminate them, automation tools better facilitate immediate access removal. Be sure to include this as part of your organization’s off-boarding processes.
Earlier, we examined the value of VPNs for remote workers. While a VPN will help protect data transfers, the sudden influx of remote workers in your environment can cause additional frustrations and headaches.
Do you have enough seats for all of your critical employees to do their critical functions when they need to do them? Are there licensing or other restrictions that could cause complications?
When you have a high volume of users accessing your network simultaneously—especially if they’re moving large amounts of data—it can slow processes down. That slowdown can often discourage employees from using the VPN. Instead, they may choose to shut it down to keep working at the pace they’re accustomed to. Sometimes that means employees will transfer files and data off your network and onto personal devices, risking exposure of protected data. It also creates issues with version control and ensuring the most current and relevant information is on your network at all times.
While VPN slowdowns are inevitable, make sure your employees know how important a VPN is for data security.
With executive-level buy-in and middle-management support, encourage all employees to always use the VPN—even if it results in slow downs and affects productivity—to ensure that your company’s data remains secure.
Phishing and Ransomware
In Verizon’s 2019 Data Breach Investigations Report, about a third of data breaches involved phishing and another almost 30% used stolen credentials.
Do your employees understand what phishing emails are and how they can be used to steal data including credentials?
Do they understand the severity of what can happen if your company is held captive by ransomware?
If not, now is the time to educate every employee about how easy it is to fall prey and suffer potential devastating impacts.
Now that your teams may be working from home, it’s a good time to highlight the warning the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued about COVID-19 cyber scams in early March.
Here are a few relevant recommendations you can share with your employees:
- Don’t click links on unsolicited emails.
- Don’t open attachments from unknown sources.
- Use trusted, legitimate resources for updates on COVID-19.
- If you receive an email asking for personal information, do not respond and do not provide the information.
Example COVID-19 Phishing Scheme
In light of the COVID-19 outbreak, attackers may prey on people’s fear and questions to lure them into clicking links within emails that look like they’re from a reputable organization.
Here is also an example of a current phishing scheme you may want to share with your employees:
One phishing scheme making rounds looks like to comes from the Centers for Disease Control and Prevention (CDC). The subject line is “Coronavirus outbreak in your city (emergency).” In this example, attackers add the word “emergency” for extra emphasis.
The email address looks close—but not quite—to an actual CDC email address. Instead of the correct email extension of “cdc.gov,” the email extension is actually "cdc-gov.org."
If not properly educated to look for subtle variations like this, your employees could quickly make one click that costs your company tens of thousands—if not hundreds of thousands—of dollars in data loss, compliance fines, civil penalties, and recovery expenses. (And the damage to your reputation and brand could far exceed these figures.)
Data Privacy for Vendors and Partners
While your team members may be your primary focus right now, don’t forget data privacy and security also includes your vendors, partners, and anyone else who may have access to protected information and data.
If you’re not in manufacturing or production, you may think third-party risk doesn’t apply to you, but these days, virtually every organization depends on third-party vendors for goods or services.
Here are a few examples you might not immediately think about:
- Point-of-sale and payment hardware and software
- Human resource systems and software
- Invoicing and billing systems
- SaaS applications
- Customer relationship management systems
- Content management systems
- External marketing agencies
All of your third-party partners should adhere to the same data privacy, compliance, regulatory, and cybersecurity policies and procedures as your internal operations.
It’s important to routinely conduct vendor risk assessments to determine if your business associates meet compliance and security standards.
These assessments shouldn’t just happen when you’re vetting new relationships. And although you should include security requirements and expectations in both your contracts (new and renewals) as well as your Service Level Agreements (SLAs) and business associate agreements, they shouldn’t begin and end there. Routine audits can help you uncover gaps in your vendors’ processes and provide guidance on ways you can mitigate risks for your organization.
Facilitate Open, Accurate Communication
While emphasizing the technical components for cyber health, don’t forget the value of effective, trusted communication between your organization, your employees, customers, and key stakeholders.
CISA’s recommendations include using trusted, legitimate sources for COVID-19 information. Some agencies to reference include the World Health Organization and the Centers for Disease Control and Prevention.
Using unverified or inaccurate information in your employee communications erodes trust. Times like these, especially if your team is newly dispersed in remote roles, call for trust-building and communication best practices.
Find Your Cybersecurity Gaps Now
While COVID-19 creates unique cybersecurity challenges, it also creates opportunities to seek out weaknesses in existing security policies and procedures so you can focus on quick mitigation and remediation.
Many organizations that previously limited or prevented remote work may have directed most of their information security resources to protecting internal systems and networks. And while this is not the time to downplay that importance, it’s a great time to highlight how every company should include remote work in their cybersecurity policies and procedures. Even just one employee with one-time, unsecured access to your network can put you at significant risk.
Here are a few questions to consider as you evaluate gaps in your existing cybersecurity program:
- Does your organization routinely update and review logs for all connections on your network, no matter how infrequent or short-lived?
- Do you have tools that give you visibility into all assets that may connect to your network, whether that’s on-premises or in the cloud?
- Do you know your regulatory and compliance standards and have you effectively communicated those standards and expectations to your team and vendors?
- Do you have an on-going vulnerability management program? How mature is it?
- Have you adopted asset discovery and vulnerability assessment into your cybersecurity program?
- When you find weaknesses or configuration issues, does your organization have tools or processes in place to help you prioritize which risks to tackle first?
- How do you communicate weaknesses and vulnerabilities across teams to ensure fast remediation?
- Do you routinely monitor all of your company devices for configuration or other changes?
- Do you have patch management processes?
- How do you address systems or software that can’t be patched or upgraded because doing so may cause disruptions or disable needed equipment or processes?
- Can you monitor which software or apps your employees use to access your data?
- Do you include cyber hygiene and telecommuting policies and procedures in your company’s onboarding processes?
- Do you have effective access management processes?
- How are you communicating your cybersecurity challenges—and successes—to your executive leadership team and stakeholders (such as board members), so they support your program with the resources and financial support you need to keep your organization safe?
- Are your employees well-versed and routinely educated about compliance, regulatory, and data privacy requirements?
- What if you experience a data breach? Do you have response and recovery plans in place? Are these plans up to date?
- Do you test current response and recovery plans to ensure they will be effective when put into action? Do all the necessary team members have accesses to these plans in the event of a breach? What if the breach takes all of your systems offline?
COVID-19 and Protecting Your Organization from the What-Ifs
COVID-19 response is a learning experience for organizations of all sizes. Whether you have a large, well-resourced on-site cybersecurity team or you outsource services to other agencies, this pandemic is forever changing the way companies address data privacy and remote workforces.
How is your organization responding?
If you’re cobbling together disparate tools and solutions, you may benefit from using a single platform to help you better manage all the core elements of your cybersecurity program.
From cross-walking multiple compliance frameworks to tracking compliance and creating easy-to-understand reports, Apptega can help protect your company while your remote workforce changes and grows.
Here are some of the frameworks Apptega supports for compliance:
- PCI DSS
- SOC 2
- ISO 27001
- CIS V7
- 23 NYCRR 500
- NIST 800-171, 800-53, and CSF
- Other custom frameworks
Or, if you need more information about cybersecurity while your team works remotely, check out our free, on-demand webinar, “Everyone is Telecommuting: How to Ensure Cybersecurity.” It takes a deeper dive into the points highlighted in this blog and offers tips and recommendations you can put into action right now, regardless of how mature your cybersecurity program may or may not (yet) be.
We’ll have more COVID-19 cybersecurity resources coming your way soon. Keep an eye out for related topics on our resources pages.