10 steps to securing your teleworking during Covid-19
Work from home, anyone? Or should we say, work from home, everyone?
As we all know, one of the methods that businesses have adopted to help stop the spread of COVID-19 is to allow people to work from home. With the need to social distance from each other, telecommuting (the trendier term is “teleworking”) makes perfect sense to keep employees as far apart as possible. Sure, you may have the dogs, the kids, and the occasional telemarketing call to deal with, but overall, there’s little doubt that teleworking offers a highly effective way to reduce virus spread.
Interestingly, perhaps it took a seminal event like the virus to accelerate a trend that was already well under way. According to a recent CNBC article, working remotely has been on the rise for quite some time.
“The coronavirus is going to be a tipping point. We plodded along at about 10% growth a year for the last 10 years, but I foresee that this is going to really accelerate the trend,” Kate Lister, president of Global Workplace Analytics, told CNBC.
The same CNBC article states that a typical company saves about $11,000 per half-time telecommuter per year, so there is certainly incentive for companies to encourage the continuation of teleworking, even after the pandemic is under control.
Unfortunately, the teleworking trend necessitated by the current health crisis, while offering numerous benefits, is also creating the potential for an increase in a problem that keeps many business executives up at night: cyberattacks. In fact, with the sudden shift to work-from-home operations, businesses are now forced to deal with increased activity from both independent and nation-state cybercriminals.
The world has more than its share of malevolent cybercriminals who will exploit any crisis to access and steal a company’s data; a global pandemic that forces a large percentage of the workforce out of the office is the perfect opportunity. With entire companies teleworking, the risk of a compromise is heightened.
Case in point: back in mid-March, The Hill reported that the Department of Health and Human Services (HHS) in the US was attacked by hackers as the agency worked to respond to the coronavirus pandemic. Of particular note was this quote, offered by Sara Sendek, a spokesperson for the Cybersecurity and Infrastructure Protection Agency (CISA), the cyber agency at the Department of Homeland Security (emphasis added):
“Sendek added that CISA has taken a number of steps over the last several weeks to increase cybersecurity preparedness across federal civilian agencies, including enhanced monitoring, issuing recommendations as agencies shift to telework, and identifying and protecting particularly important systems supporting COVID response efforts.”
Why the increased threat? There are a number of reasons why the sudden move to a remote workforce can lead to cybersecurity breaches, some related to technology, others related to basic human nature. These include:
- Behavioral changes: Working off site, employees tend to be more relaxed and more likely to let their guard down – perhaps even answering emails designed to provide data access to hackers. Also, with stress levels increased, staff might be more inclined to be reactive and less strategic in their actions. Malicious actors typically apply high pressure and quick turnaround.
- Situational changes: With staff working in disparate locations, security instructions and access rules can fall through the cracks. This can result in less stringent oversight of transactions and other key workflows.
- Technological changes: Suddenly companies are forced to extend their firewalls beyond the physical boundaries of their office. Company systems are being accessed from a wide range of devices, even personal devices. These changes can lead to compromise, data sprawl and other challenges in several ways: insecure Wi-Fi connections, open printer ports, browsers with various unvetted plug-ins, trackers or social media feeds, and document shares on unprotected cloud folders.
- Loss of focus: Businesses have understandably shifted almost 100% of their attention to keeping their workers safe, as well as figuratively keeping their doors open. Consequently, they are losing focus on the computer viruses, malware, and other forms of cyberattack that employers, IT staff, and even in-house workers would not ignore under normal circumstances.
There is no question that the coronavirus – and the teleworking trend that has sprung up in response to it – has created an environment in which cybercriminals have a greater chance to ply their trade. Still, it doesn’t mean that businesses are helpless; there are multiple strategies that can be implemented to significantly minimize, if not eliminate, the threat. Ultimately, businesses need to employ a combination of enhanced vigilance and new processes and procedures to ensure that cybercriminals are not successful during this time of increased risk.
On a macro level, the federal government has issued guidance through the Federal Trade Commission (FTC) and reissued guidance from the National Institute for Standards and Technology (NIST) encouraging companies that are authorizing telework to: 1) expect cybersecurity threats and implement strong authentication, secure encrypted networks, network segmentation and limited access controls; 2) develop a strong telework policy with a risk-based approach to access; 3) ensure remote access servers are adequately secured; and 4) maintain current security standards on telework client devices.
Steel Root, a company focusing on cybersecurity and data compliance, has advised a number of companies on how to shore up their cybersecurity to prevent potential attacks and data breaches during this teleworking phase. They suggest implementing the following 10-step plan:
- Organize your response to this crisis in advance of a problem. Get communication, incident response and business continuity plans in place, and share with all personnel.
- Adapt and set organizational expectations and rules of engagement for communications.
- Make sure you have a Disaster Recovery plan, with Backup and Restore of all systems.
- Establish approvals for key workflows, such as transactions or security permissions – and ensure that you have a process for verifying these critical activities (such as wiring money).
- Prioritize the use of multifactor authentication or other conditional rules for accessing company systems remotely.
- Make sure your employees are only using approved company devices to access company data – set strict guidelines for the use of personal devices.
- Check to see that you are appropriately licensed – some VPN solutions, which make it easier to telework, will not allow users over the maximum license count.
- Speaking of VPNs, they should be updated – as should network infrastructure devices and other devices being used to remote into work environments – with the latest software patches and security configurations.
- Business must go on. Workflows must continue. Make sure you have the tools and infrastructure in place to support normal working conditions remotely.
- Enlist the assistance of your IT/security team/outsourced providers to support your business through this temporary but substantial change.
Jim Purtilo, associate professor in the computer science department at the University of Maryland, said in a recent TechNewsWorld article, “Move your operations out to home offices on the fly. What could go wrong, besides everything?”
Despite the overt pessimism, Purtilo has a point: there are any number of things that can go wrong, not the least of which is the foundation of a company’s digital security.
Still, with increased vigilance, some basic employee training, and the implementation of common-sense preventive strategies, ill-intentioned hackers may find that their attempts to sow cyber-chaos are more difficult than they had hoped.
In the words of Jim Purtilo: “Unfortunately, far too many.”
Andy Sauer
Andy is Director of Cybersecurity at Steel Root, a firm specializing in cybersecurity and data compliance. He is focused on building cybersecurity maturity for small and medium-sized organizations. He specializes in helping defense and federal contractors meet their compliance obligations and build their cybersecurity capability to meet the modern threat landscape head-on. Prior to joining Steel Root, Andy managed IT operations and cybersecurity in the defense industry, internally and as a consultant. He currently holds the following certifications: CISSP (Certified Information Systems Security Professional) from ISC2 and a CISM (Certified Information Security Manager) from ISACA.