From one day to another, millions of employees are working from home. Probably only a few companies were prepared for this – a risk for information and IT security. What immediate measures can help, and what does the crisis teach us for the future?
In many companies, remote work has been the exception to the rule. The coronavirus pandemic has turned this world upside down. Suddenly, many employees are working from their homes, which causes special risks regarding information and IT security. Let’s focus on four common problems, and how companies can handle them:
1. Private hardware
It is nearly impossible to equip hundreds to thousands of employees with company laptops at the same time. Since the quarantine lockdowns in many countries, employees have been making do with their own equipment. Companies cannot technically control whether such devices are safe or not, neither the software nor private WLAN.
Immediate action: In the best case, IT creates secure accesses, e.g. by providing virtual desktops or secure VPN connections. Even if this process is already established in the company, it will require time and resources that may have to be purchased from a provider.
For the future: Companies should consider whether the investment in additional hardware will pay off in the long term – this also includes labor costs for system hardening: IT specialists must set up the devices to meet the organization’s security standards. Alternatively, virtual workstations could also be a long-term solution. Furthermore, it is advisable to review the company’s IT processes: Would it be able to react more quickly in the event of another crisis?
Remote workers rely on technical improvisation more often than IT security experts would wish. For example, in order to print out documents, many employees will transfer files via USB sticks or private e-mail. Another security trap are internal online conferencing solutions which break down at peak times – making users switch to insecure free tools.
Immediate action: Individual employees can be authorized to connect their private printers to the company system themselves – approval is given by the IT Security department after a quick, pragmatic review. If possible, the company will also expand its relevant IT infrastructure in the short term so that it can withstand an increased number of remote users.
For the future: One of the things to consider is making remote access crisis-proof: Does it make sense to upgrade the infrastructure (in-house) or rather rely on flexible external services? Security criteria must be defined for the second variant in particular, depending on industry standards.
3. New threats arising during the crisis
During the pandemic, potentially new gateways for cyber criminals appear, such as virus or phishing attacks by e-mail or SMS. For example, a fake message from a parcel service, claiming that orders will no longer be delivered personally, and asking the recipient to follow a link which leads to malware. Another risk factor is free conferencing tools: Anyone tapping dial-in data can sneak into confidential conversations.
Immediate measures: Companies should use their internal channels (intranet, e-mail) to remind IT users of existing rules of conduct, adding current examples. To draw attention to current risks, a test phishing campaign might be a good idea, showing how many colleagues are being deceived. Such findings help to rise security awareness in the workforce.
For the future: It is particularly important to increase protection in turbulent times. As far as possible, IT security projects should continue, e.g. penetration tests. Another important aspect is Data Leakage Prevention, which works in the other direction: If your company has established a Security Operations Center (SOC), these specialists could set up new use cases to monitor data flows from the company.
4. IT emergency operations
Alike other employees, many IT specialists work from home during the pandemic. But not every IT problem can be solved by remote access: just think about malfunctions in the data center.
Immediate measures: Companies need a quick response plan in case of an emergency: How do IT staff get into the building? Who provides the necessary equipment, such as face masks and disinfectants, so that colleagues can protect themselves from infection? Will employees receive a hazard pay?
For the future: Once the crisis is over, the pandemic emergency plans must be put to the test. Companies can use good practices from all over the world as a basis for that.
Despite all efforts to maintain control during the crisis: This is a time for pragmatic decisions. Corporate management, CISOs and IT security managers must find the right balance between cyber security and productive work in the core business.
2021 Grosse-Hornke Private Consult