How should organizations conduct operations during a pandemic? How should organizations secure their IT assets during a pandemic? For big multinational companies, they have their respective Business Continuity Plans (BCP) that assist them in times like lockdowns, quarantines, or any disruptions to normal business activities. However, a lot of companies were caught off-guard and they were not able to smoothly transition to the “quarantine mode.”
How organizations are affected by COVID-19
According to an April 2020 report from Accenture about the effects of COVID-19 to organizations, there are significant impacts on system resilience and business continuity from the perspective of technology. On a survey that they conducted in 2019 on system resilience, only 10% of the 8,300 respondents answered that their technology is resilient. They summarized the effects on IT based on the following: business continuity risks, a surge in transaction volumes, workforce productivity challenges, and security risks.
Common cybersecurity issues faced
Phishing, scams, malware, access to malicious/bogus sites unknowingly are the common cybersecurity issues that organizations faced during the pandemic. Attacks on NASA have been reported consistently since the spread of COVID-19. Local banks like BPI, have issued a memo warning customers of phishing attacks that spoof BPI online platforms. Google reported that there were 18 million malware detected in a week that are related to COVID-19. Trend Micro also reported a surge in COVID-19 themed attacks ranging from spam, malware, and malicious domains. Worse, unscrupulous individuals host COVID-19 case trackers and fill it with malware so visitors will be infected as they visit.
The following are the major cybersecurity issues organizations face:
- Increased number of phishing and malware attacks that use COVID-19 as bait or theme.
- There is an increase in cybersecurity risks because employees are in their homes which IT has a hard time managing. On the other end, support on the company networks will also be lessened because of reduced IT staffing.
- Remote work/Work from home security issues.
Cybersecurity defense against attacks
SANS has created the SANS Security Awareness Deployment Guide that is very useful for organizations and employees during this time of reduced IT staff and work from home for a lot of employees. It contains all the materials that organizations will need such as templates, fact sheets, posters, and messaging for employees. It even has short learning videos that are very informative covering wide topics on social engineering, securing your home, and working remotely.
It is alarming to note as well that a lot of big multinational companies mentioned in the introduction whose technology and security maturity are both at the top of the line still suffer a lot of cybersecurity attacks such as phishing and malware. They have the best industry-grade anti-malware with a lot of advanced features, encryption in the hard drive level, and other security tools. But as we say in security, the technology is just as strong as the weakest link, which is the people. We have to emphasize the need for a consistent and periodic Security Awareness for employees especially now that the IT/Security team has a limited view of the organization’s assets.
It is also important that the IT/Security team should be accessible not only for support but for security incidents. Attacks can be well-planned and it can target certain people in the organization. Reporting the information about security incidents will help IT/Security team to respond promptly and make important communication to the stakeholders to prevent others from being victimized.
There also has to be clear guidelines/policies for employees. Remote work is a different and new environment that may need further and detailed guidance. For example, should users be allowed to connect to public Wi-Fi? Or are they only allowed to access their home network? If they are only allowed to use their home network, what necessary configurations should be done? A clear policy/guideline will be very helpful.
Management support is also of utmost importance. Quick and immediate approval of policies/guidelines is necessary for this volatile time. Budget is also a key element especially when you need to procure additional security software licenses. Management can provide both approval and budget.
The following are some of the security issues that need to be discussed with employees to take note of:
Social Engineering – Phishing, spear phishing, vishing, CEO fraud, and USB drop are some of the non-technical attacks that can target your organization. Employees must be trained on how to spot these attacks and report them immediately to the IT/Security team. Usual ways to spot these attacks include a strong sense of urgency, pressuring you to violate a policy, generic e-mail, brief message, and use of personal e-mail.
Passwords – Since the use of passwords is the most common type of authentication, certain best practices have to be observed so that attackers will have a hard time to access your account. The use of passphrases, unique passwords for different accounts, password managers (see LastPass and KeePass), and the use of multi-factor authentication (MFA) (see Google Auth and LastPass Authenticator) are the best practices to build a layered-defense for your passwords.
Updated Systems – From your router to your laptops, mobile devices all the way to the applications, you need to ensure that they are always up-to-date. A lot of successful attacks leverage the exploitation of vulnerable systems, those that are not updated. You need to enable Automatic Updating.
Backups – Another important practice is to back up your files routinely. The usual expectation of the IT/Security team is that worst-case scenarios will happen such as your workstation will be infected by ransomware or that the device will be lost. Aside from wanting to wipe out the contents of the device, you want to retrieve the information in it. That’s where backups play a vital role.
VPN – In some organizations, confidential company data must remain in the trusted network (company network). But since a lot of employees are working from home, a secured way of getting access to company data stored internally is through a Virtual Private Network (VPN).
Device Misuse – Another important practice is to maintain the use of company-issued devices for work use only. A lot of malware nowadays comes from social networking platforms through third-party ads, hoax, etc. It is important to remove that risk by not using it for personal use. At the same time, company resources should not be accessed on a personal device. It may be accidentally shared or retained unknowingly. Lastly, children/relatives/guests should not be allowed to use company-issued devices.
The new normal in the time of pandemic forces business to take drastic and rapid changes in its day-to-day operations. While initially, the move of a lot of organizations is to relax security so that business continuity will not be hindered, it is important that security mechanisms must be restored, reconfigured, and recalibrated so that it will fit the current setup of the organization.
Here is the slide deck on Securing the Organization’s Assets Amidst COVID-19 v1.0. Feel free to use it to help inform more people on how to secure their respective organizations.