As organizations struggle to meet the challenges of the COVID–19 pandemic, they should be clear–eyed in evaluating the cyber risks facing them. In the rush to implement widespread remote working, IT teams are being stretched thin. Anxious for accurate information as the crisis unfolds, end–users—including boards and senior executives—are under stress and distracted, making them ripe targets for phishing emails. Meanwhile, the dramatic expansion of remote working creates a sprawling data footprint and opens networks to scores of poorly secured access points. This results in more opportunities for external attackers to penetrate systems and greater risk that data will be inadvertently or intentionally compromised by insiders.

Faced with increased risk, only those organizations that take a holistic view of their people, processes, and technology will have any chance of obviating that risk. The response is not exclusively the domain of IT teams, but requires enterprise–wide support and adoption by compliance, legal, and human resources professionals.

What follows are recommendations for addressing the most pressing cyber risks arising from the COVID–19 pandemic.

IT Teams: Attenuated Bandwidth

Providing remote–working resources to even a modestly sized workforce is time–consuming and challenging and is what many IT teams have been forced to do in a hurry. This strains their attention, heightening the risk that threats will go undetected and incident response time will increase. With gatekeepers overwhelmed, intruders see opportunity.

Making matters worse, pre–pandemic user risk awareness—never optimal—has been rendered moot by dramatically changed usage patterns. Even before the crisis, detecting anomalous behavior that might signal an intrusion was challenging. Now that many businesses are operating from out–of–office locations, the detection instruments employed by network defenders are out of tune. Information security teams—assuming they were on task in the first place—are wasting time responding to false indicators of malicious activity.

COVID–19 Phishing

Attackers and scammers are seizing this opportunity: they know that exploiting trusted users is a time–tested way of bypassing an organization’s safeguards and penetrating its defenses. Malicious actors are taking advantage of workers distracted by the crisis, abusing their trust and desire to be responsive, as well as their fear of the current crisis.

Cyber thieves are crafting phishing emails tailored to COVID–19. These emails take the form of public health alerts, employment updates, file shares, appeals for support for high–risk groups, or offers of financial assistance. Lurking within are attachments loaded with malware designed to steal information. Others contain links redirecting users to websites that infect their computers with malicious code. In one notable case, a website with a map that purported to track COVID–19 infections contained information–stealing malware.

Preying on the public’s fear and desire for information, these phishing scams override normal skepticism, leaving users vulnerable to attack.

Weak Links and the Enemy Within

Increased reliance on remote access and a dispersed workforce triggers concern about both external attacks and insider threats.

With employees using their home networks for work, the security of the system is only as good as its weakest link. To a network intruder, this is a gift: an opportunity to launch attacks that exploit default or weak credentials, unpatched applications, or stale firmware. The prevalence of lightly secured home–networked devices increases the risks exponentially.

Opportunity also knocks for trusted insiders inclined to misappropriate data for personal gain. Widespread remote working results in “data sprawl” as business is conducted on more devices, over more networks, and in more physical locations. Remote working—for all its advantages—reduces the accountability and supervision present in an office environment, creating more opportunities for exfiltration or unauthorized sharing of sensitive data. Further, as the economic shock forces companies to furlough staff, reduce salaries, and defer compensation, employees may act on grievances and retaliate. Any response to a security incident or allegation will likely be hampered—if not frustrated entirely—by a lack of access, permissions, tools, or logs needed to conduct an effective forensic investigation.

The Response

To respond to the challenges described above, senior management must enact and support an effective mitigation plan across the organization.

People

• Educate employees about the heightened risks in the current environment and their role in securing company and personal systems.
• Survey remote workers about their home networks and end–point devices to identify risks.
• Remind employees about communications security and workspace security procedures.
• Train employees on the proper use of virtual private networks and the reduction of data sprawl.
• Test user behavior with customized phishing exercises.

Process and Governance

• Update incident response plans and cyber threat simulations to account for widespread remote working and dispersion of data.
• Ensure agreements are in place that allow for data collection from devices and accounts used for remote work and permit sharing such data with law enforcement.
• Implement policies to restrict work–related use of personal devices and accounts, network–attached storage devices, and other external storage devices.

Technology

• Increase resources to IT teams to support greater workloads, increased detection and response activities, and security risk assessment efforts that are adapted to expanded remote working.
• Furnish computers—preferably virtual desktops—and network hardware to support remote work as opposed to allowing employees to use personal devices and accounts as substitutes.
• Strengthen the connections between remote–working staff and the IT colleagues who support them in order to encourage reporting of malicious activity and accelerate responses.
• Enable and expand the use of multi–factor authentication for virtual private networks and other critical systems. Where multi–factor authentication is not an option, require the use of complex passwords and disallow their reuse.
• Implement disk encryption and end–point detection/response tools on laptop computers used for remote work.
• Deploy mobile device management applications on phones and tablets used by the remote workforce.
• Review activity logging practices and increase logging in critical areas (e.g., virtual private networks, remote desktop protocol, user authentication, email, and video conferencing accounts) to improve detection and response capabilities.

Conclusion

The COVID–19 pandemic has brought seismic change to the way we work, change that may outlast the crisis. Indeed, the current workplace, with its significantly increased cyber risks, may become standard. Businesses should move swiftly to adapt to this reality through thoughtful planning and disciplined employee engagement. Those that fail to do so risk becoming additional victims of the pandemic.