Advice for African risk managers on keeping safe through the Covid-19 pandemic

South African risk managers have been warned that businesses face an upturn in the threat of social unrest and crime as the country remains locked down to cope with Covid-19.

The Institute of Risk Management South Africa has highlighted two of the most significant risks to have emerged from this pandemic – the potential of social unrest and a likely increase in crime.

However, it told members there is an “opportunity for professionals and business leaders to personally play a significant role in managing these risks”. It is raising money for those who are struggling to find food – and who would be among those most likely to turn to crime.

Meanwhile, one of the biggest risks for employees working from home is cybercrime. For risk managers, it has become a much harder risk to manage with staff scattered and working in very different environments.

Jacques van Wyk, CEO of JGL Forensic Services, warned: “When routines get upset to this degree, security is often an early casualty. Make sure your employees understand, and are prepared for, the additional security challenges of remote work during the current emergency.

“Working from home will undoubtedly help to keep your employees safe, but in turn could put your confidential company information at risk.”

Among the risks are:

  • Sensitive documents: Sensitive documents are taken home where the level of security and care is, understandably, not the main focus
  • Home security: Access to company laptops and other devices, as well as documents, is easier
  • Unsecured networks: Using unsecured networks, such as public Wi-Fi networks or a home wireless network, makes it easy for malicious parties to access confidential information
  • Financial transactions: In an office environment, it is easier to enforce and ensure compliance with the authorisation and processing of payments; as companies scramble to put temporary processes in place to minimise business process, achieving the same level of security, control and oversight becomes exponentially more difficult
  • Using personal devices for work: An employee’s personal laptop or computer is unlikely to have the same level of antivirus software or security setups as office-based computers
  • Legal considerations in using personal devices for work: If your company does not have a clearly defined policy governing the use of personal devices for work purposes, then you have no recourse if the device (and any information or data) is lost or compromised
  • Poor communication: Effective communication can be compromised when employees work remotely
  • Scams targeting remote workers: There will be an increase in malicious campaigns, such as targeting workers working from home via emails and man-in-the-middle attacks
  • Ignoring basic physical security practices in public places: Confidential information could be inadvertently exposed if your employees talk loudly while working in public places, expose their laptop screens in public places or leave their devices unattended
  • Devices are lost or stolen: There is always a possibility that devices are damaged, lost or stolen.

Mr van Wyk said ways to minimise the risks include:

  • Strong passwords: Ensure all accounts are secured with strong passwords
  • Disk encryption: Ensure all devices use full disk encryption
  • Two-factor authentication: Even if accounts have strong passwords, two-factor authentication and verification is excellent additional protection
  • Use a virtual private network (VPN): A VPN plays an important role in improving your online privacy by encrypting all your internet traffic so that it is unreadable to anyone who intercepts it
  • Set up firewalls: Firewalls act as a defence mechanism, preventing threats from entering your system
  • Use antivirus software: Although a firewall can help, antivirus software should be the next line of defence; all devices used for remote work should have legal and up-to-date antivirus software installed
  • Use approved software (whitelist): Never download suspicious, unauthorised or illegal software onto your devices
  • Use cloud applications: Using web-based cloud solutions gives better control over data and information; it also means you can regulate employees’ access where required
  • Secure the home router: Changing the router’s password often makes the network less vulnerable
  • Install updates regularly: Updates include patches for security vulnerabilities
  • Do daily data backups: Data can be lost in several ways, so all important files should be backed up regularly
  • Virtual solutions: The use of electronic signatures and virtual approval workflows will enhance security
  • Verify: Make use of teleconferencing technology (such as Skype, Zoom and similar) to ensure financial transactions actually come from a legitimate, senior member of staff before approval
  • Look out for phishing emails and sites: Make sure staff check email addresses for any spelling errors and poor grammar in the subject line and body; hover over links to see the URL and do not click on links or open attachments unless completely sure
  • Use encrypted communication: To communicate sensitive information to other employees, make sure staff use mainstream messaging services that come with end-to-end encryption, such as WhatsApp, Signal and Telegram
  • Lock your device: If staff have to work in a public space, they should keep the device secure with password locking
  • Strict security policies: Strict security policies should be in place to protect the company and should be followed by employees at all times; any breaches must be reported immediately to limit any loss of information; define a clear procedure to follow in case of a security breach
  • Transparency is non-negotiable: Remote employees working with confidential company data must immediately report an incident to their superiors
  • Ensure adequate IT support: In case of IT-related problems or support, have IT support staff available to assist – either telephonically or via remote login.