Consequences of the coronavirus on the IT security in your company
The global fears surrounding COVID-19, also known as the coronavirus, has forced many companies to develop emergency plans concerning this virus and, among other things, to also consider alternative ways of working. In the effort to protect the health of employees in these uncertain times, it is, however, decisive not to lose sight of a company’s IT security and to consider alternative ways of working and various options while planning for emergencies or implementing such plans.
Cyber actors throughout the whole world are currently seizing the opportunity to use the technological weak spots arising through new ways of working as well as by the insecurity of the employees (the “human being” factor) to their advantage. Therefore it is especially now decisive that companies develop plans for taking suitable measures for protecting themselves quickly from possible cyber-threats during these times of the coronavirus.
Many of the risks ensuing from “home office” or “teleworking” are not new. The enormous number of employees who are suddenly working from home and thus not in the company‘s secure networks or using the company’s internal infrastructure has changed the inherent risk profile:
- An overwhelmed IT Department: Since more employees are working from home, more problems could arise from the use of remote access and the IT Support receiving a high number of phone calls or being overwhelmed by an inundating flood of IT tickets.
- Lack of IT resources: Since a number of IT staff are having to take care of the concerns of their colleagues, personnel resources are lacking for monitoring security incidents and events or for analysing user behaviour.
- Successful phishing and vishing attacks: cyber-actors (hackers) regularly adapt their pretexts for attack to current issues. In states of emergency employees frequently lack sensitivity for or consciousness of the cyber risks arising from phishing emails.
- Bring Your Own Device (BYOD): Owing to time pressures or to implementing measures immediately, it can happen that employees use their own computers, laptops or mobile phones for doing their work. Since these devices are usually not equipped with the most up-to-date security standards, they pose high security risks.
Companies should proactively take measures against potential cyberattacks (especially against attacks resulting directly from changed ways of working) in order to be able to ensure suitable IT security in states of emergency and not to have risks to the company increase.
From the viewpoint of RSM‘s experts, the following measures are, for example, to be taken for securing a company:
- Employees and stakeholders are informed or, if applicable, re-informed about or trained in cybersecurity practices in a timely manner (e.g. recognising fake news and potential attacks through bogus IT support services).
- Questionable emails are either ignored or reported by employees.
- Employees avoid clicking on links to unwanted or questionable emails (care is above all to be taken in opening attachments).
- IT Service Desk and the IT Department are prepared for a large influx of activities
- Suitable controls for authenticating each person at the IT Service Desk area are established (when requesting support from the IT Service Desk).
- All systems, including VPNs and firewalls, are state-of-the art technology through security patches.
- Appropriate protection against denial-of-service (DoS) threats.
- Ensuring a secure connection for remote desktop users.
- Designing and setting up multi-factor authentication for remote access systems and resources (including cloud services).
- Securing work devices such as laptops and mobile phones (if the device used by an employee has not been issued by the company, it is necessary to develop a plan for ensuring such devices are suitably secured).
- Physical security measures of the home office work place by employees (e.g. secure doors, locks and windows, fire and smoke detectors as well as security behaviour such as locking display screens when unattended to. Thus risks can be mitigated if information cannot be called up, used, changed or taken out of a building by unauthorised persons).
Although a company does not have the same measure of control over its employees when they are not in the office or are working from home, it is important that companies prepare their employees as best they can for such situations and the accompanying risks. Regular communication about how to securely work remotely, current threats (especially COVID-19 phishing emails), implementing security controls and regular security updates are the key to maintaining IT security of a company in states of emergency such as we are presently experiencing with the coronavirus threat.
For any questions concerning IT security in states of emergency, please contact our experts at RSM:
Risk Advisory at RSM