The rapid arrival of the coronavirus and the sudden state-by-state issuance of stay-at-home orders created a host of challenges for companies. While most were quick to adapt, taking advantage of workforces that had devices and high-speed internet access at home, few may have considered the array of new cyber risk exposures they now face.
IT leaders know that enforcing cyber hygiene and other cyber risk management strategies is difficult enough when all of a company’s employees are physically located in offices and connected via a single network. Disperse those same employees across a wide geographic area, multiple internet service providers and a hodgepodge of devices, and protecting the company from cyber threats borders on impossible.
At the same time, crises such as COVID-19 bring out the worst in criminals. While average people are taking pride in finding ways to work together and support each other, cybercriminals are licking their lips and figuring out how best to take advantage of the chaos and uncertainty. Proof of that can be seen in the huge jump in new website domain names that include words such as “coronavirus” and “COVID.” Reports point to registration of more than 48,000 new domains related to the crisis. Some are legitimate, but it’s likely that many are going to be used to unleash spam, malware, and phishing attacks on unsuspecting users.
What kind of cyber risks does this new work world create? One of the biggest challenges is that data, users and equipment are no longer in locations that can easily be secured. They’re spread out in employees’ homes, where security may be uneven at best and nonexistent at worst. Security software that blocks hacking attempts and malware in your network likely doesn’t exist in your employees’ homes, so it’s easier for cybercriminals to gain access.
Another issue is that your employees may be sharing that equipment with spouses and with children who are performing online schoolwork. Not only does that give cybercriminals potential access to data that should be protected, but it increases the chances for downloads of malware or other unwanted content.
Improve Risk Management with Policies, Training and Technology
It’s a safe bet that many of the changes triggered by the coronavirus are going to remain in place long after the virus fades. Companies are rethinking travel, meetings and other activities, and there is widespread agreement that work-from-home arrangements will become more common in the future. How can your company protect itself?
A strong telecommuting policy and employee training are good first steps. Because you have less of an opportunity to supervise employees, you need clear policies and expectations that cover everything from who can use devices that are connected to company servers, to expectations regarding work hours and timekeeping.
Employees who are telecommuting should receive regular training about access control and awareness of tactics such as phishing. The policy should clarify who owns the technology and who is responsible for maintenance. Obviously, if the equipment belongs to the company, you can exercise greater control, such as prohibiting family members from using it. Your policy should also address asset management, with requirements for tracking who has equipment and where it’s being used.
You also need to have a mechanism for reporting data breaches and suspicious activities, such as emails that appear to be phishing attempts. Rapid reporting and follow-up are critical. Because employees who inadvertently do something wrong may be afraid of getting in trouble, provide amnesty for those who report. Right now, the most important thing is to protect your company’s data and systems.
Many employees are using online meeting platforms, such as Zoom, for hosting group meetings and conferences. Those platforms may be convenient and even fun to use, but there have been security concerns about others accessing meetings (so-called “zoombombing,” for example). Make sure your policy details what’s acceptable, including the expected level of security, and what can and cannot be discussed on less-secure channels.
Don’t forget to address paper documents. If your employees use confidential documents at home, they need to be secured so they aren’t accessible to other people. They should be shredded when no longer needed, rather than tossed in the trash.
Readily available technology can help you limit the risks. For example, your company can arrange for telecommuting employees to use VPNs (virtual private networks) to provide a stronger level of security. Multifactor authentication can also be used to verify that users of your system are who they say they are. External stamps on emails call attention to messages coming from outside your network. In addition, you can help employees configure their home systems to provide strong endpoint protection.
Keep in mind that everyone is racing to solve problems and get things done. People are identifying workarounds that may or may not be beneficial. As you notice things and make changes, be sure to document them so everyone can review the reasoning later.
Clear, frequent communication with employees, along with regular training, will help you protect the company’s and employees’ interests alike. We’re all operating in a new environment, and others may not be as sensitive to the hazards as those of us who live in the IT world are. The better we educate employees, the safer everyone will be. In addition, because situations are changing frequently, regularly updating policies is also important.
More Coronavirus Resources
Visit the Hylant Coronavirus Resource Center at https://hylantcoronavirusinfo.com/ to access a wide variety of materials designed to help you navigate these unprecedented times. This site will be updated frequently.