As much as 25% to 30% of the workforce will work remotely multiple days a week by the end of 2021, according to projections by Global Workplace Analytics. Remote working is new to many of these workers, and hackers will prey on those concerned about health and financial matters. March alone saw a 667% increase in phishing emails, and Gmail is blocking 18 million COVID email scams every day.
The problem: Fewer than half of all organizations are equipped to prevent and respond to an attack. Joe Vigorito, C1’s senior director of cyber security lifecycle management, shares 5 ways you can protect your organization in the post-COVID world.
It sounds obvious, but it’s important for organizations to revisit their security strategy, which may have changed under the virus. Creating an incident response plan is the first step, ensuring you’ve practiced and know how you’ll respond if attacked. Companies should line up an outsourced hacker who understands hacking and who can uncover how a hacker got into your system, how long they were in, what they looked at, what data they may have deleted, stolen and seen—and what needs encryption.
Executives should develop something called the “Right of Boom.” A term coined by former Undersecretary in the Department of Homeland Security Juliette Kayyem, the Right of Boom refers to the five stages of a crisis: protection, prevention, response, recovery, and resiliency. The “boom” is the catastrophic negative event that occurs between prevention and response. Because it happens where you are, not necessarily where you want to be, your strategy must factor in an assumption of crisis so you can build your architecture, analytics, policies, and visibility with the worst case already factored in.
Cyber risk insurance is also a given. Rather than simply covering the theft of basic information, these new forms of insurance protect against reputation damage, the cost of upgrading systems, and any lost operational capacity. The average breach costs about $3.92 million, including repairs, forensic investigations and lawsuits, according to IBM’s 2019 Cost of a Data Breach Study. That’s 12% higher than in 2015. “I’ve seen many companies go bankrupt after a cyber attack,” says Vigorito.
Vigorito also recommends a business continuity plan, which is often confused with a disaster recovery plan. Disaster recovery planning is actually just one component of a business continuity plan, which involves planning for some resilience in case of a hack. For instance, if a hotel loses access to its reservation system, how does it still operate?
It’s also recommended that CIOs subscribe to or hire a firm to handle dark web monitoring.
You would be amazed at how many people use their work credentials for social media accounts. When your social media gets hacked, your work credentials then appear, often unencrypted, in dark web marketplaces and are available to cybercriminals.
As more employees continue to work from home due to COVID, CIOs must be clear about how employees can do so responsibly, and create a statement that clearly tells them how to operate from home. “They are tonal, high level directions on how you as an employee should behave each day when performing work,” Vigorito says.
Virtual educational programs about hacking can also reduce risk. This could include simulating phishing scams to identify which of your employees will click on them. Once they’ve clicked, the employees can be walked through an online course—perhaps 8-10 minutes long—that teaches them how to spot potential malware attacks. Employees should be reminded to open coronavirus subject emails with great caution and not to print documents while working remotely, and should be educated on how to avoid Zoombombing (or interruptions from unwanted visitors to video Zoom calls).
Ensuring employees feel valued and trusted—and part of the team—can also reduce your risk of attack. While the pandemic forced a division of “essential” and “non-essential” employees, workers should never hear that they’re non-essential. If someone feels they don’t matter or the company doesn’t care about them, they become potential insider threats.
Security experts warn that the supply chain is insecure. In fact, anywhere from 39% to 63% of breaches are caused by attacks perpetrated on third parties. As hackers grow more sophisticated, it’s important to look for the vulnerabilities posed by outside partners and suppliers.
Vigorito conducts certificate-based training in cyber security at Rutgers University and Pace University and says that vendor risk management is by far his most popular course. He recommends executives, when rehashing contracts with partners and suppliers, ensure they follow the same data protection protocols that their own companies do. If necessary, require that they agree to an internal audit to identify different layers of access, who has access and to what. If they refuse, consider alternatives in the marketplace.
Companies should take an asset-managed approach to work-from-home equipment. With so many remote workers in this new COVID economy, IT teams must be hands-on when it comes to technology used by their workforces. When COVID quarantine forced work-from-home, those workers used the equipment they had, and consequently, they were running outdated operating systems, sharing a computer with a child, or relying on a weak wireless access point.
For those who work with highly sensitive data (and with social distancing in mind), executives should send technicians out to help people get a handle on their equipment and check to see what technology people are using. An asset management system can also assist. IT sends out a simple form asking what type of computer and wireless system people are using, and if they don’t know, the IT team talks them through it. A virtual desktop, or VDI, where information stays in a data center or cloud rather than on the local desktop, can also reduce exposure. Otherwise, equipment at home simply becomes a window into a company’s application and data environment.
Executives again must educate staff. Remote protection is key because the average company has five to seven layers of protection running inside corporate and regional offices, but at home, that protection drops to about one or two layers. Shore up cyber security for remote workers just as you would your office workers by adjusting licensing, adding capacity to your Virtual Private Networks, providing secure DNS capability and up-to-date, AI-based endpoint protection.
The cyber assaults on governments and organizations have never been greater. CIOs must beef up their armor by tapping people and groups outside their departments to ensure they receive needed answers. This could be an outside security firm and regular conversations with fellow industry professionals. Leaders must take a close look at budgets to understand whether cyber security assets are being used to their full capability, and if not, it’s necessary that they get help to make that happen. Vendors can provide special offers, and a labor attorney can assist in wading through the legalities of what can and cannot be accessed on employees’ home computers. Executives should consult with a labor attorney and HR to determine whether it’s in the company’s best interest to have employees sign a Standards of Business Integrity document, which outlines codes of conduct when working remotely.
Cyber security is not magic. Rather, it is a chess game in which organizations are forced to think one step ahead of the cybercriminals and prepare for the right of boom moment. Avoiding crisis will involve planning, preparing your teams, and execution. Those leaders who make the right moves now may find that the resounding boom of the pandemic that shook the world’s economy was their organization’s last big crisis.