Day: April 10, 2020

Cybersecurity Recommendations for Companies During Pandemics

“This changes everything.” We’ve heard this many times before. Also, “This time, it’s different.”

Usually, it’s not different. Things feel different for a little while, and then things return to normal.

This time, I think, truly is different. The COVID-19 pandemic has forced most businesses to close their doors. Conferences, concerts, and sporting events have been cancelled. And companies have their employees working from home. More employees now work from home than ever before.

“When a crisis like the new coronavirus temporarily forces companies into remote work, it tends to show them that it can be done successfully,” says Kate Lister, president of Global Workplace Analytics and cited in the Chicago Tribune.

Remote work probably is here to stay. For that reason, honing your remote work policy is my number one recommendation during the pandemic. I also recommend working on and practicing your disaster and contingency planning policies, storing sensitive data centrally, and encrypting sensitive information.

 

A little background on me: I’m a former CIA officer, so I know a thing or two about traveling and working remotely. Almost 15 years ago, I started working “remotely” under minimal supervision. My work was representing the US Government in meetings with other governments. These were countries most people have never heard of.

When I left the Agency, I found myself consulting and working remotely for companies throughout the US and throughout the world. My clients extended as far away as Poland and Ukraine. I never met my clients Poland face to face. The business was entirely remote.

I co-founded a company. My partners and investors were based in Boston. I worked, you guessed it, from home. My responsibilities necessitated travel. I had to spend some personal time with my team in Boston. I spent about one week each month onsite.

The amount of time needed on-site could vary. While my startup required a good deal of me being onsite, many consulting projects were done remotely. I’d say most any job can be accomplished remotely.

There has been significant discomfort in the past about remote work. I have experienced this first hand. As I rose through the ranks at the CIA, people wanted me for increasingly senior positions. My working from home became more of a problem for my supervisors. Companies might be comfortable with a developer or designer telecommuting. They are definitely not comfortable when it comes to a job that involves managing a team. Last January, I had discussions with companies who loved my skills and experience. They wanted what I had to offer. But the distance and telecommuting was a deal-breaker. So they backed out because they were uncomfortable.

Technology has made Location Irrelevant

Before the coronavirus, management and HR policies were stuck with the old ways of doing things.

The need for physical distancing has forced us to work from home. Many business leaders, managers, and even employees were uncomfortable with the concept. Most will find remote work isn’t bad or scary. Many will even become comfortable with remote work as standard policy. An April 6, 2020 ZDNet article reported that 74% of CFOs say they expect to move previously on-site employees remote post-COVID-19. Gartner found that a quarter of respondents will move at least 20% of their on-site employees to remote work permanently.

Pandemic Recommendation #1: Hone the Remote Work Policy

Remote work is here to stay. Remote work maximizes worker time by cutting out commutes. It decreases the need for parking and office facilities. It saves energy too. Not as much gasoline is used. There are fewer traffic accidents. There is less pollution because people are not driving to work en mass.

But remote work also raises a whole new set of security issues. How do we keep customer or other sensitive data secure when that data is in an employee’s home?

Simple mistakes can lead to large consequences. Failing to patch a computer program or server invites hackers to exploit the flaw.

Do you remember the Equifax incident? Equifax couldn’t be counted on to patch its centralized systems.
Their systems contained huge amounts of personal information. How can we handle personal information printed on little Johnny’s color printer? No company wants to be responsible for the next Equifax-type incident because its employees are working from home.

Having employees work from home presents more vulnerable endpoints. “More personnel telecommuting adds to cybersecurity risks. These people carry devices packed with data. “Opening remote access creates more challenges,” according to Parry Aftab, Executive Director of The Cybersafety Group. Be sure you have considered endpoint security as part of expanded remote access.

And what happens if a worker is injured while working from home? Will they be eligible for Workers’ Compensation benefits?

For these reasons, my number one recommendation is to hone in on your Remote Work Policy. If you don’t already have a remote work policy, then you need one right away. What is the policy now, and what will it be after the crisis is over. If you do have one, now is a great time to review the policy. Make sure it still fits today’s needs and contexts. Update the policy as needed.

The policy should include the expectations of employees. What security measures are employees expected to use at home. Clarify legal liabilities. How will you protect privacy and remain GDPR and/or CCPA compliant? What are the company’s policies on equipment use and repairs? A complete Remote Work Policy will address these issues.

Ensure that employees maintain a safe remote work environment. Secure their devices with anti-malware software. These devices should have personal firewalls, and regular patching for software vulnerabilities.

Pandemic Recommendation #2: Disaster Preparedness & Contingency Plans

A few years ago, I was walking the halls of RSA with one of my clients, helping them make sense of the complex and confusing world of cybersecurity. RSA is *the* conference for cybersecurity. 45,000 people attend each year including more than 600 vendors. We were walking the expo halls. We saw an endless supply of hi-tech security offerings. There were vendors offering proactive protection. Some had advanced threat detection, while others had automated or AI-augmented remediation tools.

 

There were vendors offering proactive protection of one kind or another. Out of the 669 vendors at RSA, not one were there to help companies prepare for disaster recovery and contingency plans.

Out of the 669 vendors at RSA, how many were there to help companies prepare for disaster recovery and contingency plans? I didn’t see one. When it comes to pandemic, we’re mostly on our own. There is no Coronavirus as a Service (CaaS). When we face potential times of crisis, it’s a good reminder to test our continuity plans. If there are no continuity plans to test, then it is vital to create them.

It all starts with your business continuity & disaster recovery plan. Such a plan is a standard part of a NIST 800-53’s CP-1.
It includes strategies like having alternate data storage sites. Alternate data storage sites are important if the main storage site becomes inoperable or compromised. Backups should be in multiple locations far from each other. If one is on the west coast of the United States, the other should be on the east coast. The midwest is also a very good location for remote workers. That region is good for fail over data centers or other cloud resources.

You will want to review your plan. Identify and account for all assets, both technology and human.

Review alternate operations center options. Current areas of operations may become inaccessible. A pandemic may make it unsafe for people to congregate in one place. This is a good time to review or create work-from-home programs. Consider remote fractional vCISO services. Ensure you can maintain your security operations even if employees can’t physically come to the office.

Pandemic Recommendation #3: Store Everything Securely

With so many employees working from home, it’s easy for sensitive information to leak. Remote work often involves creating and editing work-related information. These can be emails, Word documents, and Excel spreadsheets. A customer’s personal identifying information could be left on a personal printer. Sensitive business information can end up on a CD that gets misplaced. There are number of possible security mishaps.

Imagine you recently became GDPR compliant. At a cost of more than $100,000 for 74% of organizations, according to a CPO Magazine article. If you don’t protect personal information at your worker’s homes, you might still be facing a GDPR fine. According to the UK Information Commissioner’s Office, a company in England was fined $340,000 for leaving documents with personal information unlocked,

To reduce this risk, it’s important to store files in a centralized location. A secure cloud is the best location. If the information stays in your cloud, it’s much less likely to end up somewhere it shouldn’t be.

Bio-based authentication and encrypting mobile devices prevents others from reading and using the information on a stolen or lost device.
Pandemic Recommendation #4: Encrypt Data

When more employees work from home, it’s more likely that their devices will be lost or stolen. Encrypting these devices prevents others from reading and using the information on a stolen or lost device. Full disk encryption on personal computers, phones, and tablets is a good method. It will encrypt all storage on the employee’s device. Or at least create an encrypted partition to store sensitive data.

Advanced Encryption Standard (AES) is a good encryption standard to use. The US Government uses AES to keep classified data secure, according to an article in TechRadar.

Even if an employee’s computer is encrypted, there are security risks. The data may not be encrypted when it’s in transport. If an employee has full-disk encryption, the data will not be encrypted in transit. Ensure that data is encrypted before transit. This way anyone who intercepts the data cannot do anything with it. Another good strategy is to set up a secure protocol like Transport Security Layer (TLS).

Technology can go a long way to keep your data secure, but security is essentially a people business. Most breaches occur when people make mistakes. There is no substitute for educating your team. Train and retrain them on the fundamentals. Establishing standards for shutting down each day is a good idea.