Cybersecurity in the time of coronavirus

Businesses globally are implementing business models involving far more remote workers than ever anticipated. IT and management teams are working hard to facilitate this. In the rush to keep businesses working, there is a significant risk that security will not be properly thought through.

Good business cybersecurity practices, under any circumstances, should consider the following:

  • Is the technology and infrastructure deployed secured against malicious actors, outside and inside the organisation?
  • Do all company employees, subcontractors and relevant third parties have clear instructions and guidance on how to conduct their work in a secure manner?
  • Do any of the security measures in place block employees from conducting their work efficiently?

With the right level of security, your business will be well placed to fend off cybersecurity threats. With too little, you are vulnerable. With too much security, applied in the wrong ways, employees will feel stifled and start finding workarounds, ultimately leaving the business vulnerable.

Key security advice when building remote capacity
Here are some key areas to consider when planning or deploying remote working capabilities.

Securing devices
Remote workers need laptops, mobile phones, tablets or other devices to work. Many companies are issuing additional equipment to allow workers to remain fully effective. But be aware of the following:

Have effective asset management in place. Know what devices have access to your network and data, plan for any changes, and block or remove obsolete equipment from your network before it becomes a weak point in your security.

All company devices should be encrypted, protecting data if they are lost or stolen:

  • Use BitLocker or a suitable third-party solution for Windows devices.
  • Make sure encryption is active on Apple devices (it normally is!).
  • Make sure appropriate encryption is in place on other mobile devices.

If employees can use personal devices, consider whether corporate data is appropriately secured. Mobile device management solutions may allow you to secure data on these devices, or you may need to restrict what employees are allowed to access in the first place.

Don’t forget equipment still in the office! Is there sufficient physical security at your sites to protect servers, desktops and other parts of your network from malicious actors?

Don’t forget the other parts of day-to-day security preparation. Strong passwords, secured and appropriate local administrator accounts, and control over applications and services on your network are as important as ever.

Securing your networks
If endpoints and servers are both appropriately secured, make sure they can connect. Access to networks should be easy for legitimate users but blocked (or at least very difficult) for everyone else. Consider:

Method of connection
Well-configured VPN clients on all employee devices allow secure access to the network through a private tunnel. Other secure access solutions will be available for particular use cases. If employees need open internet access, are they connecting to a particular external firewall, or a well-managed cloud service like Office 365? Try to limit exposure of additional network areas to the internet and its many threats.

Restricting access
Many types of connections can be configured to further secure against malicious actors. If using a cloud service like Office 365, consider restricting access where possible to particular devices, particular IP ranges, or to particular types of connections. Firewalls and other services will offer similar options to manage access rules. Consider restrictions inside your network too; preventing connections or user accounts from going beyond certain areas will reduce the risk from one unsecure employee or unforeseen vulnerability.

Strong authentication
Strong password policies and multi-factor authentication need to be enforced. Multi-factor authentication should be used as much as is practical.

Think of everything
Consider all the different ways a network can be accessed. How are employees accessing mailboxes from mobile devices? Do employees need to connect to operational technology such as factory equipment (and is it safe to let them)? How is remote desktop access into your network structured?

Securing employee connections
The network may be thoroughly secured at your end, but that data has to come from somewhere. As employees are based outside your secure environment, it is often up to them to make sure they are acting appropriately. Providing them with suitable guidance can help:

Setting up home wifi
Help employees with simple advice. Basics like changing the network name and the access and administrator credentials are key. Employees should also ensure appropriate network encryption is in place, remote access is disabled, and that the software is kept up to date.

Accessing other networks
Consider providing guidance about (not) using public wifi, about how network names can be spoofed, and how man-in-the-middle attacks can be launched on public wifi networks. Don’t forget to mention the other risks related to Bluetooth connections and simple over-the-shoulder spying.

Communications channels
Make it clear that work emails should be confined to work accounts, and which messaging services are acceptable. By providing clear solutions, you can effectively monitor for potential threats and inappropriate data movement, and for other business purposes.

Watch out for coronavirus phishing
The Covid-19 outbreak represents an opportunity for malicious actors, from simple scammers to government-backed hacker groups. Individuals and businesses worldwide are being targeted by phishing campaigns designed to play on fear of the virus and of the lack of reliable information on the outbreak. Extra vigilance should be exercised. Warning your employees about this will reduce the threat to them and to you.

Informing your employees
Clear and effective communication is one of the most important steps to take. Without clear information, employees will make mistakes or assume you don’t have a plan and start taking (potentially unsecure or counterproductive) measures of their own.

Clearly inform employees about what devices they can use, what services they can access and how they should do so. Keep them up to date on changes.

Information needs to be delivered in clear and simple language, using an appropriate method and at an appropriate time. The guidance or policy should be clearly backed by the senior leadership of the organisation, to ensure that it has the authority and clarity needed to convince employees to follow the advice given.

Make sure sufficient information is provided to third parties, including any customers who need to access your network. They need to know how to contact you, how to access relevant services and infrastructure, and what is expected from them in terms of their own security.

Planning for the worst
Any cybersecurity professional knows that no one is ever absolutely safe from a malicious attack. Combining the increased exposure from remote working with the confusion and short deadlines of responding to the changing coronavirus situation only increases that risk.

If you have effective cyber incident response, crisis management and/or business recovery plans in place, it is important to review them in light of your new operating environment.

If you don’t have these plans in place, you likely don’t have time to build them right now, but it is important to at least consider the basics. Do you know where your key data is stored? What services are key to your business’s survival? Do you have backup communication channels, independent of your network? Do you have similarly separated, and regularly updated, data backups?

Contributed by John Coletti, chief underwriting officer and head of North America cyber and technology for AXA XL, a division of AXA, and Aaron Aanenson, director of cybersecurity at S-RM
