What is Social Distancing?
As of the writing of this blog, many health officials are suggesting that social distancing may be one of the most effective tools for slowing the spread of COVID–19. Social distancing is a public-health protection measure intended to reduce and slow transmission of disease by reducing the probability of contact between people carrying an infection and others who are not infected.
Reducing contact related to non-critical functions such as attending a movie, going to a party or taking part in a festival may simply be a matter of personal choice and inconvenience. But reducing contact related to essential services, government, education, supply chains and other business functions can be highly disruptive and, in many cases, impractical.
Social Distancing and Business as Usual
Although social distancing is currently not required or enforced in the U.S., many organizations are putting these measures into practice. As they do, they are striving to keep disruption to a minimum and create an environment that enables business as usual, as much as possible. The Centers for Disease Control (CDC) has offered guidance specific to these objectives:
Explore whether you can establish policies and practices, such as flexible worksites (e.g., telecommuting) and flexible work hours (e.g., staggered shifts), to increase the physical distance among employees and between employees and others if state and local health authorities recommend the use of social distancing strategies. For employees who are able to telework, supervisors should encourage employees to telework instead of coming into the workplace until symptoms are completely resolved. Ensure that you have the information technology and infrastructure needed to support multiple employees who may be able to work from home.
Some current examples include:
- Harvard University is transitioning to virtual instruction for graduate and undergraduate classes. When the transition is complete, students are asked not to return to campus, but rather satisfy their academic requirements remotely until further notice.
- Many large technology companies including Microsoft, Google and Apple have asked employees to work from home to help slow the spread of COVID-19.
- Telemedicine, the practice of treating patients remotely via live video streaming, has been growing steadily in recent years, primarily due to increased convenience and reduced cost of treatment. In recent weeks, the use of telemedicine to accomplish social distancing objectives has skyrocketed.
Not surprisingly, these initiatives and many others are enabled by the Internet and technologies that support telecommuting and remote collaboration.
Social Distancing Opens the Door to New Cyber Threats
Change almost always creates opportunity and the rapid and widespread changes being activated to achieve social distancing are no exception. Unfortunately, many of these new opportunities are not positive and some are malicious in nature. For example, the World Health Organization (WHO) has issued warnings that cyber criminals are already taking advantage of the fears surrounding COVID-19 by disguising themselves as WHO. “WHO is aware of suspicious email messages attempting to take advantage of the 2019 novel coronavirus emergency,” said in an organization in an alert. As another example, the Evidence-Based Cybersecurity Research Group, operating out of Georgia State University, has published a video of a cybercriminal selling face masks on a dark market.
Business as Usual (and More!) for Cybersecurity
As cyber criminals continue their unrelenting assaults and expand their techniques to take advantage of the opportunities created by COVID-19 fears, cybersecurity teams should be sure to keep pace with the new types of threats. Now more than ever, business as usual or even hardening of the defenses, should be the objective for cybersecurity professionals. In addition to business as usual, cybersecurity programs can also be enhanced to better align with the recommendations for thwarting the spread of COVID-19. One such opportunity is to transition from on-site, in-person audits to remote desk audits of the cybersecurity program.
Cybersecurity Desk Audits
A desk audit is the term for a remotely performed audit by a 3rd party that ordinarily would have been conducted in-person, on the premises of the organization being audited. Historically, the compelling reasons for conducting desk audits include:
- Convenience: For the auditor, the opportunity to eliminate the need to travel can be significantly more convenient and more cost-effective than going on-site, especially if the audit spans multiple days.
- Reduced Disruption: For the organization being audited, having an auditor on-site can be highly disruptive. This often requires multiple senior staff members be available to respond to ad hoc auditor requests during the process. Shifting to an off-site desk audit can greatly reduce this overhead.
- Transparency: Desk audits are often facilitated by providing the auditor with controlled access into the system(s) of record. Done correctly, this approach can be viewed by the auditor as offering a high degree of transparency in the audit process.
Today as we look for opportunities to enable social distancing while minimizing disruption to critical business functions, desk audits of cybersecurity programs may offer another benefit – further reducing the risk of exposure to, and spread of, COVID-19. For organizations using a cybersecurity management platform such as Apptega, facilitating desk audits should be very straightforward. The auditor can be provided with login credentials that enable an “auditor view” with permission that limits access to dashboards, reports and other data that is relevant to the scope of the audit. The auditor’s access can also be tracked to ensure that nothing important has been missed.
Looking ahead, as we continue to discover additional reasons to evolve from on-site audits, the use of desk audits is likely to become more widespread, perhaps even becoming the standard approach for cybersecurity program audits.
Click here to learn more about facilitating cybersecurity audits with Apptega.