
Cyber Landscape Post Pandemic: What Can We Anticipate?

July 10, 2020

It’s been just over four months since COVID-19 was declared a global pandemic by the World Health Organization. Since then, companies of all sizes have been working tirelessly to ensure their IT infrastructures can accommodate the almost instant change from working in an office to work-from-home settings with no potential end date in sight. While many companies have polled their employees to determine their comfort level with a potential return to the office, and plan on doing so in waves to promote safety, the question remains: what will this new normal look like and how can organizations and their employees be best prepared?

With employees working remotely, relying on unfamiliar technology such as video conferencing tools, and connecting to company servers from potentially unsecured devices, the increased opportunities for cyberattacks will persist. Other vulnerabilities include online video and chat sites, home routers and Wi-Fi connections, mobile devices, and popular apps, including shopping apps, that could have security gaps.

In light of these vulnerabilities and to best understand the post-pandemic realities, business leaders and CISOs need to grasp the cybersecurity impact of these strategic digital shifts and retrain their employees on issues such as safe ways to log in remotely, how to spot suspicious messages and how best to access data that is stored in the cloud.

There are additional steps businesses should be taking to address the challenge of how to secure remote working practices while ensuring critical business functions are operating without interruption. Businesses can also use these steps to keep the organization protected from attackers looking to exploit the uncertainty of the situation.

  • Communication: Open the lines of communication with employees about the risks they face and do so on a frequent basis via video conference. Employees can then discuss how to best address potential threats, and they can be part of building the reporting process. The security and privacy flaws discovered on the popular Zoom video conferencing application are a reminder that businesses and employees have a role to play in reducing exposure to cyberattacks.
  • Establish a clear reporting process: When an employee receives a suspicious email or phone call, what should they do with it? Employees need to have a way to report suspicious activity that includes knowing how and where to report incidents as well as actions they need to take and an expected response.
  • Foster a culture of cyber resilience: Set clear expectations on what your employees can and cannot do. With additional platforms and applications, employees can become frustrated quickly with having to remember login credentials for each system. You should therefore emphasize the importance of not disabling encryption and password protection in software. Do not allow any employee to reconfigure devices to remove some of their security protocols. These systems are essential to protecting company data.
  • Education: The most critical aspect of cybersecurity is educating and training the workforce. In order to report issues, employees need to understand how to identify them. Even in a remote environment, companies should be deploying simulated social engineering and phishing campaigns to help employees spot phishing emails and to assess their level of preparedness.

Business Continuity Plans to Feature Global Pandemics

Many organizations have business continuity plans, but the impact of COVID-19 has made clear that many of those plans did not account for a pandemic. As such, companies need to revisit their business continuity programs and incident response plans, revise and test their resilience planning processes, and equip crisis management teams with the skill sets and experience to manage under intense pressure. In simple terms, business continuity plans – going forward – need to address risks large, small and even those of pandemic proportion.

A “pandemic” cyber attack would spread faster and further than any biological virus. The cyber equivalent of COVID-19 would be a self-propagating attack using one or more “zero-day” exploits, techniques for which patches and specific antivirus software signatures are not yet available. Most likely, it would attack all devices running a single, common operating system or application.*

However, this isn’t the only threat to account for.

  • Increased scope of phishing messages: While phishing attempts were already a problem pre-pandemic, remote workers can now expect to see emails impersonating officials from the Centers for Disease Control and the World Health Organization, among others. Once an employee clicks on a link, they could be taken to a website that looks legitimate but is actually a dummy site set up by hackers to mirror sites of legitimate organizations.
  • Rise in social engineering: Social engineering has always been a successful attack vector for hackers. Hackers will know that employees will now need to communicate with IT and with management remotely, and they will look to exploit that need. Hackers can pose as IT support, as representatives of the company’s financial departments or as managers in the company requesting sensitive company information, for example.
  • More opportunity for physical access-based attacks: Offices that are now standing empty are also highly vulnerable. Hackers may attempt to gain physical access and either steal your devices or easily install malicious hardware or software on them.
  • Software vulnerabilities: Manufacturers are rushing out new update releases or new software versions in an attempt to respond to businesses needing remote operational capabilities. However, there may be overlooked security issues that emerge from this. The same applies to current software. If security updates are rushed without proper testing, your systems may be even more vulnerable once your company devices are updated.
  • Theft of video conferencing credentials: As each employee logs on to your video conference app or website, a hacker could be looking in, as well. Hackers can post video conferencing credentials on the dark web, which leaves your company’s proprietary information – and in some cases, your entire systems – open for anyone to steal. When setting up video conferences, be sure to use passwords and use the waiting-room feature so that you’re able to screen who is attempting to join your meeting. For ideal safety, change passwords for each video conference.

In conclusion, COVID-19 will change our lives forever in terms of adapting to new work styles, new cybersecurity issues and personal safety issues. As such, the fight against it is not just for the organization, employee or customer but a joint effort from all. Organizations that have spent time rethinking and re-evaluating their cyber risk management measures will likely experience less financial impact than those less prepared once business operations resume in offices. Additionally, these entities will be best prepared for the next pandemic.

Source

This information has been provided as an informational resource for NFP clients and business partners. It is intended to provide general guidance, and is not intended to address specific risk scenarios. Regarding insurance coverage questions, each specific policy must be reviewed in its entirety to determine the extent, if any, of coverage available for the impact of the Coronavirus. If you have questions, please reach out to your NFP contact. This document does not amend, extend, or alter coverage. Insurance services provided by NFP Property & Casualty Services, Inc. (NFP P&C), a subsidiary of NFP Corp. (NFP) and related NFP subsidiary companies. In California, NFP P&C does business as NFP Property & Casualty Insurance Services, Inc. License #0F15715. Neither NFP nor its subsidiaries provide tax or legal advice.


https://www.nfp.com/insights/cyber-landscape-post-pandemic-what-can-we-anticipate/