As cybersecurity conferences worldwide cancel events, the impact of the coronavirus (COVID-19) on the industry comes close to home. At least two people who attended the annual RSA cybersecurity conference were officially diagnosed with the virus, with one placed in a medically induced coma. Compounding this industry impact, many companies have started initiating new “work from home” requirements for nonessential employees, including Apple and Google.
While companies brace for the coming changes that COVID-19 seems to be bringing, cybersecurity and compliance professionals find themselves struggling to balance workforce, member and data security. With this in mind, organizations should consider the following business continuity planning and cybersecurity strategies as they create their coronavirus preparedness plans.
What are the current governmental directives regarding COVID-19?
In late February 2020, the Centers for Disease Control (CDC) released its “Interim Guidance for Businesses and Employers.” This reads in part:
Important Considerations for Creating an Infectious Disease Outbreak Response Plan
All employers should be ready to implement strategies to protect their workforce from COVID-19 while ensuring continuity of operations. During a COVID-19 outbreak, all sick employees should stay home and away from the workplace, respiratory etiquette and hand hygiene should be encouraged, and routine cleaning of commonly touched surfaces should be performed regularly.
- Ensure the plan is flexible and involve your employees in developing and reviewing your plan.
- Conduct a focused discussion or exercise using your plan, to find out ahead of time whether the plan has gaps or problems that need to be corrected.
- Share your plan with employees and explain what human resources policies, workplace and leave flexibilities, and pay and benefits will be available to them.
The Occupational Safety and Health Administration (OSHA) and Health and Human Services (HHS) issued a joint guidance of their own which stated, in part:
- Employers should explore whether they can establish policies and practices, such as flexible worksites (e.g., telecommuting) and flexible work hours (e.g., staggered shifts), to increase the physical distance among employees and between employees and others
Although many companies already allow employees to work remotely, many others require employees to remain on-site when handling sensitive information. Unfortunately, those employees and organizations may not be able to control the required quarantine of sick individuals or may need to work remotely as part of physical distancing requirements for preventing the spread of COVID-19.
This means that companies need to start preparing new business continuity and security models now in order to limit business disruption.
Review your business impact analysis for cybersecurity controls
When people think about business impact analysis (BIA) and cybersecurity, they normally consider the potential impact of an organization’s essential functions being taken down by a malicious actor. While this remains true in terms of business continuity during an outbreak, the risks also shift.
Some considerations to include might be:
- Availability of critical IT staff
- Workforce member home wireless security
- Use of Virtual Public Networks (VPN)
- Enforcement of encryption processes
- Managing user access to applications with multi-factor authentication
- Monitoring user and entity behavior analytics (UEBA)
- Limiting user access according to the principle of least privilege
Understanding how your BIA changes from “security event” to “outbreak event” is the first step to preparedness. For example: from a security event perspective, you probably already consider things like VPN or user access. However, if you had a limited number of people working from home, your risk was low. As you scale your outbreak business continuity planning, you increase the attack surface, which increases the risk and requires you to rethink the strategy.
The availability of critical IT staff is an entirely new concern in many ways. You may currently have enough staff to cover the day-to-day and occasional vacations. However, you now need to assess whether you have enough qualified staff to manage a long-term illness that impacts your functionality.
Shore up your user access program
If your organization is lagging on managing user access, now is the time to start focusing on that. Workforce members in an office may limit excess access use when in an on-site setting. However, in an off-site setting, they no longer have anyone potentially looking over their shoulder to see what they’re doing. Moreover, most users who compromise data with excess access do so accidentally.
In terms of your user access governance, you need to be more aware of the following:
- Users’ role definitions
- Password policies
- Limit access to different networks, applications, and cloud services across the IT ecosystem
- Incorporating context, such as access time and geographic location, into access policies
- Limit superuser access if they work remotely
- Reviewing whether tools can set timebound access across the entire organization and infrastructure to “simulate” an average workday
- Incorporating UEBA into your security program
From a cybersecurity and privacy perspective, most organizations likely have some version of these controls in place. However, with more remote employees, you need to determine whether the controls adequately limit access according to the principle of least privilege.
For example, long-time employees may have historical access gained as they moved within the company. This is the time to review all access entitlements and remove unnecessary privileges. Although companies know this is a best practice, many lack the capacity for reviewing this regularly.
Another difficulty might be reviewing the context applied to your access controls. While most organizations try to discourage employees from accessing mission-critical applications from the local public Wi-Fi, they often lack the ability to enforce those policies. Employees working from home during the outbreak may not stay quarantined the entire time, which means that you need to be protecting access.
Finally, credential theft becomes an even bigger concern. If your employees’ home Wi-Fi is not secure, your organization faces a greater risk of man-in-the-middle, SQL and cross-site scripting attacks. All of these act as ways that a remote employee can place your organization’s entire IT ecosystem at risk of a data breach.
Create a strategy for securing unstructured data
Even in a traditional on-site setting, emails and collaboration platforms present an unstructured data sharing risk. However, working together in a remote setting means also reviewing additional collaborative tools for privacy and security risks.
When preparing your business continuity plan, you might want to think about:
- Types of sensitive information that need to be secured
- Locations that store, transmit, and collect sensitive unstructured data
- Email and data encryption controls
- Cloud services “share with a link” settings
- Web application data governance controls
- Direct messaging application data governance
Two primary concerns with a remote workforce that are often overlooked in on-site work environments are direct messaging applications and email. While a quick verbal question/answer between two on-site employees poses no data access risk, shifting that to a remote working model changes how people interact.
In an on-site location, for example, employees can stand up and find a peer who can answer a question. In fact, according to 2018 research done by The Economist, face-to-face meetings were still used by the majority of respondents across all age demographics, although millennials and Generation Xers were more likely than baby boomers to use email and instant messaging on a daily basis. Moving to a near-complete remote workforce increases the security concerns arising from the types of information people share on messaging platforms such as Slack and Microsoft Teams.
In order to protect data security and privacy, organizations need to consider how the rise of email and messaging applications will impact the types of information shared across these platforms. Instead of simply providing a customer name verbally, this PII may be in the body of an email or message that brings with it a different security concern.
Review security patch update procedures for all devices and applications
Most organizations consider 30 days an acceptable security patch update timeframe. However, with more users working remotely, you might need to consider adjusting this as part of your business continuity and remote workforce planning processes.
For example, some considerations include:
- Enforcing security updates for employee-owned devices
- Updating video-conferencing applications
- Reviewing additional remote-workforce mission-critical applications
Along with monitoring the information contained within emails and messages, organizations also need to consider how often they update these applications. While a messaging platform may not have been considered a high-risk application prior to the outbreak, it may become a mission-critical application as workers stay out of the office.
Additionally, organizations need to ensure that they monitor their video-conferencing applications. As remote workers use technology like WebEx, Skype or Google Hangouts to make calls, the security of these applications becomes a cybersecurity risk mitigation imperative. In January 2020, a flaw in Cisco Webex meant that a remote attacker did not need to be authenticated, even in password-protected meetings. Cybercriminals will be more likely to try to find additional vulnerabilities across these platforms as workers need to connect from remote locations as part of the COVID-19 mitigation response.
As part of your business continuity planning and cybersecurity initiative, you should be reviewing the current security update patching cadence and re-assess whether the processes in place need to be amended as part of your response.
The struggle is real — and may have long-term ramifications
COVID-19 has been officially classed as a pandemic, and the virus’s impact on business operations will likely be long-term. Traditional business models are being tested. Whether your organization traditionally provided remote work opportunities or attempted to preserve on-site employment as a requirement, you may need to rethink your processes after the COVID-19 threat subsides.
Both cybersecurity and business continuity planning require a proactive approach for optimum effectiveness. Whether you need to allow your workforce members to do their jobs remotely today or not is no longer the question. Short-term mitigation strategies may work in the interim, but if employees seek to continue remote employment once the danger passes, you will need to be prepared for a potential operational shift.
The better way to view your cybersecurity and business continuity planning is to see it as a long-term solution to an already existing problem and work to proactively reduce continued risks — both to protect worker health and data.
- Two People Who Attended Cyber Event Contract Coronavirus, Bloomberg
- Google advises all employees in North America, Europe, the Middle East, and Africa work from home due to coronavirus, The Verge
- Interim Guidance for Businesses and Employers, CDC
- Guidance on Preparing Workforces for COVID-19, OSHA
- Communication barriers in the modern workplace, The Economist
- Cisco Patches High-Severity Webex Vulnerability For Third Time, ThreatPost