RISK MANAGEMENT: As coronavirus spreads, factor cybersecurity into remote-work policies
Over the past few weeks, we’ve seen individual businesses and entire industries swiftly – and sharply – curtail operations to slow the spread of the COVID-19 coronavirus. These efforts to limit contagion have upended global commerce and shifted operating models in ways that are intensifying IT risks, including cybersecurity.
In the wake of the coronavirus outbreak, many organizations are hastily shifting to a remote-work operating environment to accommodate scattered workforces. But most corporate processes, policies, and culture were not designed for a remote workforce, and that can introduce a raft of new risks to their information systems and data. Bad actors have developed new phishing campaigns based on coronavirus lures, preyed on distracted employees, and leveraged chaotic workplace conditions to slip through the cracks of cybersecurity defenses.
The World Health Organization (WHO), for instance, recently warned that scammers posing as WHO employees are sending phishing emails that encourage workers to open malware-bearing email attachments or links. Similarly, new email updates purportedly from the Centers for Disease Control and Prevention (CDC) prompt recipients to click a malicious link that lists new coronavirus cases in the recipient’s area.
Even more tempting are attacks that lure users with a live map of global coronavirus infections. Once users click the interactive map created by Johns Hopkins University, malware designed to steal credentials is installed on the user’s device, according to security site Krebs on Security.
If these threats have one thing in common, it’s this: They all rely on a persuasive combination of misinformation and fear to spur employees to action. Making matters worse, the 24/7 stream of information – and frequent misinformation – is highly distracting, creating a chaotic environment in which workers may be less vigilant about cybersecurity, even as cyberattacks intensify.
Government and private-sector organizations alike will need to address the risks associated with employees working from home during the pandemic. Hastily implemented remote-work policies can change business processes and increase threats in unanticipated ways. Increased remote connectivity, for example, expands the cyberattack surface by creating additional endpoints. These new endpoints may lack consistent security controls because businesses often initially prioritize functionality over security in times of crisis. To overcome gaps in remote-work safeguards, organizations will need to review current cybersecurity policies to make sure that the basics – strong password policies, secure file transfers, secure remote-access connectivity, and up-to-date incident-response plans – are in place and effective in a remote environment.
Compounding matters, staff may be asked to assume unfamiliar roles and responsibilities when other employees work from home or become sick. Cyber-risks can increase because employees are forced to wear multiple hats and may be unaware of security risks outside their traditional roles. Similarly, business executives are likely to be consumed with contingency management planning and may back-burner cybersecurity and privacy initiatives. Together, these factors can present the perfect opportunity for cybercriminals.
Planning an effective response to the coronavirus pandemic will require input from stakeholders across the organization. The first step will be to examine the existing business continuity and disaster recovery (BCDR) plans under the lens of a remote-work environment to make sure they are relevant and practical. The plan should carefully consider the controls and processes necessary to secure highly vulnerable remote workers.
Plans should be validated, tested, and, if necessary, adjusted before work begins. Consider, for instance, the use of virtual private networks (VPNs). VPNs are a foundational element of secure remote connectivity, and a significant increase in the number of users can degrade performance and potentially overwhelm IT help desks. IT will need to test the performance of the VPN based on volume and load capacity, and adjust bandwidth as needed.
An unexpected spike in remote workers also requires that organizations review business processes, in addition to technologies. For example, organizations should make sure that homebound workers can collaborate with others with the same ease and efficiency as on-site staff.
Establishing the right controls and processes to guide a remote-work program is as exigent as it is essential for many organizations today. Controls and processes to consider include:
- A risk-based assessment of technologies and processes to identify security gaps, particularly those related to remote access
- Enhanced network monitoring for early detection of anomalous activity
- Multifactor authentication
- Properly configured firewalls
- Anti-malware and intrusion-prevention software installed on all systems
- Patched and tested VPNs and other access tools
- Automated password-reset tools and requirements for complex passwords
- Updated incident-response plans that factor in workforce changes like a reduced on-site IT staff
- Frequent, up-to-date employee training on techniques like phishing and social engineering
- An ongoing plan to manage the cultural changes created by a large-scale remote-work program
Bhavesh Vadhani, Principal, National Director, Cybersecurity, Technology Risk, and Privacy