Millions of workers around the world have shifted from offices to working from home since the COVID-19 outbreak. Here, Joshua Burch, FTI’s Head of Cybersecurity in EMEIA, offers timely advice for businesses to help mitigate the increased risk of a cyber breach that comes with that shift.
he sudden surge in remote working, while a practical solution to the acute circumstances caused by the COVID-19 pandemic, is causing challenges for information security teams. The flood of employees logging in to company networks from afar opens the door wider for malicious threat actors to breach company cyber defenses through home computers and devices.
Further, unsecured home networks leave companies with less control than they had in the pre-COVID days. It’s now more difficult to remotely issue periodic security updates for employees, a noticeable difference from just a few months ago when the majority of work took place at a centralised location.
Companies can protect critical assets whilst best serving their remote work forces by identifying and addressing the following four key cybersecurity gaps.
1. Cybersecurity is everyone’s responsibility.
It’s every employee’s responsibility to keep his or her company secure. One way to do this is by keeping an eye out for phishing attacks. These attacks can come in a variety of ways — emails seemingly sent by a colleague that request personal information are perhaps the most familiar. Employees should confirm with the sender through another channel to determine the authenticity of an email before disclosing any revealing information. They should also report suspect emails with their security teams.
Companies, in turn, need to set up protocols for employees to follow to mitigate the risk of falling victim to a cyber attack. For instance, they should ensure that employees are using virtual private networks (VPN) and two-factor authentication (2FA) whenever possible. Companies should also use their internal communication channels to disseminate protocol information that outlines the responsibilities of each employee, further building a culture of security.
2. Examine the external threat landscape.
We are seeing a change in the priorities of advanced persistent threat (APT) groups that are driven by monetary gain and are causing mass disruption across networks around the world. Industries that previously would not have been targets are now finding themselves in the crosshairs of threat actors. Geo-political tensions and nation-state activity are also influencing the types of attack organisations are suffering.
According to leading global intelligence agencies such as the National Cyber Security Centre (NCSC), some of the threats include:
- Cyber scams via remote desktop attacks and fraudulent wire transfers (business email compromise)
- Infiltrating videoconferencing apps to eavesdrop on conversations
- Cyber criminals posing as health officials to obtain personal information
- Emails fabricated to be from legitimate government agencies
- Malware campaigns using COVID-19 themes
Further, the nature and sophistication of these attacks are always evolving. APT groups are developing artificial intelligence (AI) programs that can mimic a user’s behavior to steal sensitive information from their personal devices. The cyber threat landscape was rapidly changing prior to the COVID-19 outbreak, and the sudden shift to remote work environments has further sped up this evolution. Organisations across the globe need to reexamine their cyber risk profiles, understand current threat vectors and determine how these threats have evolved since the pandemic.
3. Review your exposure to third-party suppliers.
Your organisation might be secure, but is your supply chain?
Most organisations use third-party suppliers for handling business and network operations. They allow businesses to cut costs and increase efficiencies, but these relationships can also leave companies exposed to increased cyber risk. If a third-party supplier falls victim to a data breach, the organisation’s clients could be exposed as well due to their digital connections.
Companies that use third-party suppliers can evaluate their corresponding level of exposure by following these steps:
- Determine the specific duties that are being outsourced and get a clear view of what data and confidential information between your company and the supplier is being shared.
- Conduct a supplier risk assessment. Understand what cybersecurity assessments and practices the supplier has in place and ask for any documentation that shows the results.
- Ask the supplier what kinds of employee training protocols they have in place.
- Review contracts with suppliers to confirm all security measures are being followed. In the event they are not, create a service-level agreement that gives you the right to audit the supplier’s compliance with your security policies.
- Re-quantify your risk: Are your thresholds still fit for purpose in this COVID-19 world or do they need to be updated to account for new threats?
4. Don’t lose sight of the bigger picture.
In these times of reduced revenues and constrained budgets, companies need to ensure ample investment and resources are assigned to their cybersecurity defenses. One way to deal with the current situation is to redeploy key IT staff, focusing their efforts on essential activities and cyber risk management.
Large-scale transformational projects and IT investments — and enabling organisations to utilise emerging technology like 5G and AI — should also be kept on track as much as possible. New technology will continue to develop, and organisations must ensure they are well positioned to emerge when this time of crisis is over.
With so many workers dispersed across the world, companies must reassess their cybersecurity resilience. How quickly could you get operations back up and running post-incident without any in-person interactions? As businesses and workers continue to adjust to a new way of life working remotely, it’s up to companies to ensure that all safety protocols are established and enforced; all weaknesses are identified and bolstered; and all employees are promoting a culture of cybersecurity.