Using cybersecurity lessons learned from COVID-19 to advance your remote-work program
Although it has been hailed as the “future of work” for years, this pandemic has made working remotely the new norm. A recent report from Publicis Sapient found that among the 47% of employees who were working from home, 90% said they want to continue doing so, to some extent, after the pandemic subsides.
The specific needs for a flexible, secure remote-work program are just one of many lessons learned over the past months. Such a program must address the intensified cybersecurity risks associated with remote work, as well as the spike in cyberattacks amid the business disruption due to COVID-19. Once a back-burner issue, a robust remote-work program has become the No. 1 priority for post-pandemic business transformation and success.
Here are some of the key challenges we’ve seen over the past months that businesses should be aware of and address when building or strengthening their remote-work program.
Phishing attempts skyrocket
Today’s adversaries have crafted a raft of new phishing schemes with coronavirus lures designed to prey on distracted, anxious employees and disrupt COVID-19 recovery operations.
Case in point: IBM recently announced that it had discovered a multifaceted attack on organizations involved in the storage and transportation of the COVID-19 vaccines, which must be stored at extreme cold temperatures. The adversary impersonated an executive from a biomedical company and sent phishing emails under his name to personnel of companies associated with the cold chain system known as Gavi, the Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program. IBM believes the phishing campaign may have been designed to steal credentials that unlock access to corporate networks, an increasingly frequent motive. When the discovery was reported in December, it was not yet known if the phishing campaign had resulted in a data breach.
It’s not just multinational businesses that are at risk. In one study several months into the pandemic, companies of all sizes reported having been hit with an average 1,185 phishing attacks every month. More than half (53%) of IT and cybersecurity respondents said phishing had increased during the pandemic, and 30% said phishing schemes had become more successful.
Phishing schemes succeed because employees are having to deal with increased email communications, in part as a consequence of working remotely, and are easily distracted by operational changes and personal situations. Compounding matters, the 24/7 firehose of information, and frequent misinformation, can contribute to a chaotic environment in which workers are less vigilant about cybersecurity, even as cyberattacks intensify.
However, with concerns around cybersecurity with remote workforces, the onus is on organizations to ensure adequate support is provided to secure the business environment. Organizations have learned that it’s critical to train employees on how to recognize email phishing attacks, and whom to notify. Many businesses educate workers by frequently transmitting mock phishing emails to employees. The response analysis should identify how many recipients open them and how many click the would-be malicious links or files, and workers should be notified whether they successfully dodged a theoretical threat.
Increased need for training and awareness
The surge in cyberthreats and business disruptions due to the pandemic has helped prove the criticality of overall cybersecurity training and awareness programs. Many organizations now recognize the need to provide training on a continual basis, rather than annually or quarterly, as threats and technologies rapidly evolve.
With a large part of the workforce at home, however, it is challenging to create an effective, all-virtual training program. Businesses should consider supplementing traditional training with interactive methods using engaging platforms. They could, for example, send instant-message alerts warning of potential threats, or adopt gamification. It’s also critical to train employees on responding to suspicious emails and activities and reporting such incidents to the right authority.
As many IT leaders have discovered, remote employees may also need general technology training and support. Those who are using a newly provisioned laptop or a virtual desktop environment for the first time may require assistance in setting up and using the new equipment.
The evolving remote-work environment
Given the rapid shift to remote work, it seems likely that implementation wasn’t based on a holistic and consistently planned strategy. Another likelihood: Processes and technologies were rapidly deployed without proper cybersecurity safeguards.
The rapid shift and evolving remote work landscape lead to the creation of new cybersecurity vulnerabilities and responsibilities. Consider, for instance, that adding personal equipment like laptops and smartphones to the corporate network creates new endpoints that can be infiltrated. These endpoints must be protected, but they may lack consistent security controls due to a rapid rollout. A unified plan is needed to safeguard the endpoints and networks across the organization.
Organizations have learned over the past months that people are at the heart of a successful remote-work program. They have also realized that not all employees receive formal training on how to secure a remote work environment. Beyond understanding cybersecurity risks, newly remote workers may not understand basics like virtual private networks (VPNs) as well as how to productively use new collaboration and communications tools. This will require a certain amount of additional IT support.
What’s more, remote-work needs have spurred organizations to adopt additional cloud services and business applications. Those who have done so should review the cloud configuration and make sure that the cloud applications are integrated across the enterprise. It’s also important to analyze such cloud applications and the vendors if they are subject to regulatory compliance processes.
A word of warning: Make sure that remote employees don’t set up cloud services without IT approval. This approach, known as shadow IT, is risky because the applications are not managed by IT and may not adhere to appropriate security controls.
Be prepared: Frameworks and funding
Developing a remote-work program that’s tailored to your specific business needs will first require a thorough assessment of your talent, process, and technology domains. This assessment can help you establish a remote-work framework that balances individual needs with a business model that is fully remote or on site, or a hybrid of the two.
Not all organizations have a cybersecurity framework, however. If yours does not, now is a good time to establish one that incorporates the new controls and processes necessary to secure a transformed workplace. The exercise of building a framework can help your company uncover unknown vulnerabilities and design a risk-based, fully integrated security program. It can also help you determine the technology components, processes, and governance needs required for a unified remote-work program.
It has been challenging for many organizations to gauge the funding necessary to update security and mobilize effective remote-work capabilities. A security framework that encompasses all the requirements for a remote-work program can help justify investments.
Finally, if there’s one overarching lesson learned from COVID-19, it’s that organizations must be better prepared for future disruptions. Now is a good time to carefully review your disaster recovery and business continuity processes and plans. This assessment should focus on remote-work environments to help make sure the plans adequately address the risks and requirements of your new workplace model.
Toward a successful remote model for 2021
To say that 2020 was a difficult year would be an understatement. Fortunately, many organizations have addressed operational and financial challenges on the fly and are using lessons learned to plan for 2021, with the goal of implementing effective remote-workplace practices that can enable them to thrive in a permanent remote-work culture of the future.
Coronavirus Resource Center
InsightSEC proposes new rules on public company cybersecurity incident reporting, risk management disclosuresBhavesh VadhaniPublic companies could face a tight new timeline for disclosing material incidents, plus mandates to detail how they manage cyber risk. Read more.
InsightNew law requires ‘critical infrastructure’ organizations to report cybersecurity incidents, ransomware paymentsBhavesh Vadhani, Daryouche Behboudi, Deborah NitkaThe Cyber Incident Reporting for Critical Infrastructure Act requires certain entities to report attacks within 72 hours, ransomware payments within 24.
InsightFuture of cannabis – Cannabis Quarterly insights, Q1 2022Read our team’s perspectives on taxation, data strategy, and data privacy (including California’s CPRA) in CohnReznick’s CannaQuarterly newsletter.
InsightSEC proposes cybersecurity rules, incident disclosure for investment funds and advisorsIn addition to strengthening threat management, information protection, and other key areas, the SEC aims to boost board oversight. Read more.
InsightProtect your organization against nation-state cyberattacksAmid federal warnings to boost cybersecurity vigilance, take these steps to understand your capabilities and implement further safeguards.