Combating cyber risks in the time of COVID-19 remote work
The pandemic has provided cybercriminals with an opportunity to seize on widespread uncertainty.
As the COVID-19 pandemic continues to spread across the country, states have instituted strong virus mitigation measures such as shutting down the physical operations of businesses deemed “non-essential” and issuing stay-at-home orders for all residents.
This has forced millions of Americans to begin working remotely and left companies scrambling to find new technologies that would allow them to work efficiently and collaboratively. But as remote employees adapt their workflows to stay connected through video conferencing and messaging tools, these platforms have come under heightened scrutiny for the privacy and security exposures they create for the organizations using them.
In addition, the pandemic has provided cybercriminals with an opportunity to seize on widespread uncertainty and has resulted in phishing attacks that could lead to ransomware infections, business email compromise or compromise of information that may be protected under state, federal and international privacy laws.
Employers must remain vigilant in assessing and mitigating potential cybersecurity risks that could jeopardize their businesses. To ensure business operations maintain appropriate standards of security during this period of remote work, companies should consider the following steps.
Read the fine print
Business and IT leaders must perform their due diligence and audit the security measures of platforms they are considering purchasing. Before making a commitment, companies must understand how communications through a platform are encrypted, how data could be shared with third parties and other key details for protecting the privacy of individual users and the organization as a whole.
Remember that the cheapest option is not necessarily the best option, as spending money on a more expensive platform upfront could end up saving the organization from significant costs associated with a potential breach caused by security deficiencies of a cheaper option.
Customize settings
After a company has made an informed decision and chosen to invest in a platform, it is crucial for IT to customize the settings appropriately rather than assuming the defaults are suitable. At the organizational level, this can include decisions such as removing recording options, restricting screen sharing to the host, requiring passwords to access meetings and unchecking defaults that allow information to be collected while using the platform. Administrators must know which settings are available and keep up with ongoing changes to the platform in order to maintain optimal security.
For individual meetings and webinars, precautions such as using a “waiting room” feature or requiring attendees to register in advance before receiving a meeting code or link can reduce unwanted intrusions like “Zoombombing.”
Educate employees
As mentioned, cybercriminals have devised numerous phishing scams that target businesses and their employees using tactics specific to COVID-19. One example is a phishing email offering “too good to be true deals” on masks, medical equipment or hand sanitizer. Another is the use of live-map websites that show the spread of the virus as a vehicle for distributing malware. Especially while employees are isolated at home, they should understand the best practices for avoiding these scams, whether they arrive by email or phone, because they threaten both personal privacy and important company data.
For phishing emails, employees should ask themselves these questions, among others:
- Is the email expected?
- Does the sender’s email address look right?
- Does the body of the email seem legitimate?
- By using the hover feature, do the links point where they should?
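A defender-side way to apply the two checklist questions about the sender's address and the link targets mechanically, added here as an illustration rather than anything from the article; the sample message, its domains and the function names are constructed for the example:

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample (not from the article): the display name impersonates an address on the
# company domain, Reply-To goes elsewhere, and the first link's visible text differs from its href.
SAMPLE = """From: "ceo@example.org" <ceo.office@mail-example-org.example>
Reply-To: orders@ppe-bargains.example
Subject: Too good to be true deal on masks
Content-Type: text/html

<p>Order here: <a href="http://ppe-bargains.example/pay">https://www.example.org/procurement</a></p>
<p>Policy: <a href="https://example.org/policy">example.org/policy</a></p>
"""
# Good enough for clean sample HTML; real mail should go through html.parser.HTMLParser instead.
ANCHOR = re.compile(r'<a\b[^>]*\bhref=["\']([^"\']*)["\'][^>]*>(.*?)</a>', re.I | re.S)

def _domain(addr):
    """Lower-cased domain of an e-mail address ('' if it has none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def _host(text):
    """Host of a URL or bare domain ('' if the text is not URL-like); a leading 'www.' is ignored."""
    text = text.strip()
    host = (urlsplit(text if "://" in text else "http://" + text).hostname or "").lower()
    host = host[4:] if host.startswith("www.") else host
    return host if "." in host else ""

def phishing_indicators(raw):
    """Apply the checklist mechanically to one RFC 822 message; returns the red flags found."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    flags = []
    # "Does the sender's address look right?": a display name that is itself an address on
    # another domain, or a Reply-To that diverts answers elsewhere, are classic spoofing signs.
    if "@" in display and _domain(display) != _domain(sender):
        flags.append(f"display name {display!r} does not match sender {sender!r}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != _domain(sender):
        flags.append(f"Reply-To {reply_to!r} is on a different domain than the sender")
    # "Do the links point where they should?": the automated version of hovering over a link.
    for href, inner in ANCHOR.findall(msg.get_payload()):
        shown, actual = _host(re.sub(r"<[^>]+>", "", inner)), _host(href)
        if shown and actual and shown != actual:
            flags.append(f"link shows {shown} but points to {actual}")
    return flags
```

Running `phishing_indicators(SAMPLE)` reports all three mismatches, while a message whose visible and real link hosts agree and whose sender headers line up returns an empty list.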
Employers who have already instituted a cybersecurity training curriculum are in a better position but should strongly consider providing a refresher in light of these new challenges. Companies that do not have a mandatory training plan in place should immediately take action to implement one.
Prepare for an incident
Even when a company follows cybersecurity best practices, it must know what to do in the event of a cyber attack. Every company should have a cyber incident response plan that details the steps to take when an event happens and pre-assigns roles and responsibilities, because incidents escalate quickly. The plan should be updated regularly and work in lockstep with a cyber insurance policy, which can provide necessary financial protection should an incident occur.
Cyber insurance can cover the costs associated with an attack, including first- and third-party expenses, such as business interruption, ransom payments, forensic investigations, and costs to restore, recollect and recover data. Working with an insurance broker can help all stakeholders across IT, management, legal and communications understand what the policy entails and how it will respond.
As we all work to navigate the “new normal” of remote work, companies must act as catalysts for their employees to work productively from home, while maintaining the cybersecurity standards upheld by leadership to combat potential risks. In the same way that cooperation is required to effectively mitigate the spread of COVID-19 in the workplace, the entire organization should be engaged in conversations about safeguarding data and privacy to protect employees, clients, and the organization as a whole.
Nicholas M. Cushmore (ncushmore@grahamco.com) and Margaux Weinraub (mweinraub@grahamco.com) are vice president and cyber account manager at Graham Company, respectively. The views expressed here are the authors’ own.