COVID-19: How to protect your people and your business
Responding to the potential impact of Coronavirus is top of many businesses’ minds. It has created concerns and uncertainty for many of us on a personal level and, at a business level, it has called into question the operational stability of our organisations: should employees be unable to leave their homes, can businesses cope with the cultural, technological and process changes that are seemingly inevitable?
As the world struggles to contain the coronavirus and businesses prepare for the potential impact to their operations, technology can bring solutions, but it also brings an increased threat which needs focus to help safeguard your people and your business.
Social engineering
Issues or events that trigger emotional distress or curiosity are key topics for cybercriminals to use in creating so-called ‘social engineering’ campaigns. A social engineering campaign is an act through a social mechanism ‒ be it email, phone calls, text messages, etc. ‒ that is designed to manipulate the victim into performing an action, such as clicking on a link, opening an attachment, or disclosing information. For these types of attacks to be successful, they must trigger an emotional response in the target. The coronavirus pandemic scare is the perfect mechanism for cybercriminals to leverage and trigger that emotional response.
So what should you do to help protect your people and your business?
Remind your employees to be cautious of emails with links or attachments that reference the coronavirus or status thereof. The following scenarios are examples of how the virus could be leveraged to manipulate your employees:
- An email from a spoofed news outlet claiming a cure has been found or a pandemic has been declared. A link is supplied for the victim to click to read the article with additional details. While the act of clicking alone may sound benign, that is enough for the cybercriminals to infect your systems, steal data, or hold you hostage with ransomware.
- An email claiming to be from Human Resources with an updated ‘work from home’ policy in response to the virus. The memo is provided in an attachment that needs to be opened. The act of clicking on the attachment and opening the document could be enough in itself to compromise your systems.
- A message from a fraudulent charity soliciting donations to find a cure or help those impacted. As in any time of crisis, people will try to create fraudulent schemes to steal money.
Remind your employees, when receiving any message that references the virus, to Pause, Inspect, and Think (PIT) before acting. Remind and encourage them to control their emotions and not to let their fear or curiosity drive their response. It is critical that you also have someone whom employees can contact if they have questions about a communication and want to confirm its legitimacy. If you have standard methods of communicating significant issues, such as posting the information to your intranet, remind employees of these methods.
Remote workers
Many businesses are encouraging/requiring people to work from home. Conferences are being cancelled and meetings are moving online. Many businesses have a business continuity plan, but a lot of businesses still don’t. For those that have a plan, remote access strategies will be put to the test. For those that don’t, the urgency to create one will be pushed to the forefront and defined quickly. If you haven’t already defined and verified your remote access solution, be sure to factor in security. While you certainly need to operate, you don’t want to expose the business to the risk of being compromised or to trigger an inadvertent data breach. For example, allowing employees to take copies of data on removable drives may result in data loss should the drive be misplaced.
The following should be considered as part of your strategy:
- If your employees access sensitive data, they should be provided with a company-controlled secure laptop, inclusive of encrypted hard drives. While ideally everyone will have a laptop to work remotely, that may not be a financial reality or a necessity. If you need to prioritise, focus on the high-risk employees based on the sensitivity of the data they need to access.
- Any remote access or cloud-based application should use multi-factor authentication, to validate the user’s identity. This is particularly important if you need to put emergency measures in place, such as remote desktop software to allow employees to use their own equipment.
- If you have the resources, offer to have your IT department perform a security check on your employees’ home devices if the ultimate decision is that they need to work from home using their own equipment.
- Try to limit the options for employees to save data out of secured locations to their own devices. The capabilities will depend on the solution you implement.
- Ensure you establish and communicate clear expectations of the work-from-home strategy. While you may not be able to implement the ideal set of technical controls to manage risk, you can ensure your employees play their role and know how to work efficiently and securely when not in the office. Empower them with the knowledge of the risk so they know how to manage it.
- If possible, review and update your access policies, giving people access to only what they need. Employing this approach of ‘least-privilege’ reduces the scope of risk should accounts be compromised.
- Once the crisis begins to subside, communicate to employees that any data saved to non-standard locations during the course of the crisis must be securely returned to the company and removed from, or destroyed in, those other locations.
Going forward
This is without question a challenging time; however, there are technical solutions and standard practices to help protect your people and your business.
Our approach to assisting clients is based on a model that maps your current position and proposes measures to focus on your priorities, whether around Cyber Security, Fraud Prevention, Data Analytics or Process Automation.
Our mission to provide “value-added” services is only possible if we can ensure your success in the process. We strive to be your trusted advisor not only through the good times, but also through the more challenging ones.