Date: March 26, 2020

With hundreds of millions of workers advised or required to stay at home, employers and employees are left with no other alternative but to work remotely. The sudden emergence of the COVID-19 virus pandemic has resulted in a virtual stampede into remote computing, or “remoting”. Businesses should understand that now, more than ever, they must address not only the logistics of remoting, but also grapple with an issue joined at the hip with remoting: cybersecurity.

Social distancing and working from home has, for now, become the new normal. While keeping employees productive and companies in business, however, migrating to operating away from the watchful eyes of information technology and cybersecurity staff could leave firms even more vulnerable to technology-related issues and a variety compromises.

Companies rushing to deploy remoting capabilities are either expanding their computing capabilities into the “red zone” (think auto RPMs) or deploying ad-hoc or home-grown patchwork solutions to keep information – and revenues – flowing. Cybercriminals have not been asleep at the wheel, and taking active measures to benefit both from companies that in their rush to stay in business, either do not have, or have not yet adapted their cybersecurity infrastructure to protect what is their most valuable asset (other than employees) – their data.

Current Corporate COVID-19 Related Cyber Threats

Remote Computing – In the rush to remoting, companies are permitting, and in some instances even requiring, employees to use non-corporate-owned computing devices to conduct everyday business, including home computers, laptops, phones and other mobile devices, commonly known as “bring your own device” or “BYOD”. Some organizations do already run a pre-existing secure BYOD program using mobile device management programs (MDMs) that, in the event of a real or suspected compromise, permit them to “brick” or disable either an entire mobile device, or any corporate information resident on that device. Permitting or requiring the use of these devices without instituting protective measure such as MDMs and associated policy monitoring and enforcement may be expedient in the rush to ramp up employee utilization under current circumstances, but it also immediately injects a much higher degree of cyber-risk, in both nature and scope, into a companies’ everyday functions. Even where BYOD devices have MDM protection installed, there is no guarantee that information from even a protected device will be effectively shielded from threats from malware resident on that device, or from email attachments and seemingly trustworthy links.

Employee use of any BYOD introduces a high degree of risk that those devices are not well-protected. Even with the ability to use so-called “secure cloud computing” the security of BYOD will be largely unknown to the company, and these unknown unknowns (these concerns are the ones that keep cybersecurity professionals awake at night) abound:

  • Are these devices encrypted?
  • Is the BYOD password enabled?
  • Is the BYOD password of sufficient complexity and strength?
  • Who is permitted/authorized to use BYOD? (e.g., significant others/children)
  • Are they been updated?
  • Are they been patched?
  • Do they have anti-malware programs installed?
  • Are they using an older, insecure operating system (think Windows 7)?
  • Do these devices have unauthorized or suspicious programs installed that may harbor malware?
  • Does company’s insurance policy or cyberinsurance policy provide business continuity/disaster recovery coverage for a COVID-19 type pandemic, especially if it has been compromised by a BYOD?

It bears repeating that even where cloud computing is utilized, the risk of malware attacks is heightened by the use of BYOD.

This heightens the risk of compromise and theft of corporate assets, including cash through fraudulent funds transfers. Added to this toxic mix of threats are the costs from theft of intellectual property, potential civil liability and regulatory penalty for data breaches and identity compromises. These concerns are amplified for companies that use/store sensitive personal information — banking, financial, personal, health care and employment information and records.

COVID-19 Social Engineering – Cybercriminal and threat actors are already taking advantage of the COVID-19 pandemic and engineering their fraud schemes to take advantage of the fear, uncertainty and doubt that inevitably exists in these circumstances. Social engineering, in particular COVID-19-related phishing, involves the sending of fraudulent messaging, advice, offers and cautions, (e.g., public “advisories”, health “alerts”, offers for commodities in short supply, and miracle treatments or cures) to employees – clicking on these links or opening attachments exposes even protected networks to malware. These phishing attacks are on the rise, and can result in compromised email accounts, risk of impersonated emails and fraudulent wire transfers or other unauthorized funds or asset transfers

COVID-19 Corporate Preventive Medicine

Well-crafted social engineering campaigns sidestep technological anti-fraud measures such as firewalls and VPNs because they are aimed at the trusted source – a company’s employees – and management. You can help protect your business from the technology related risks associated with COVID-19 by strengthening management and employee oversight in keeping systems secure. Listed below is a partial list of items every business should consider implementing, or at a minimum, addressing:

  • Increased frequency and auditing of company IT assets and asset use, including network, workstation, and mobile device patch and update management.
  • Review and conduct risk assessments for cloud based cybersecurity protections.
  • Revise and business continuity and disaster recovery policies to make appropriate accommodations for potential pandemic-type events such as COVID-19.
    • Business continuity and disaster recovery contingency plans should be in place and expanded to include remote, air-gapped (not connected to your network when not in use) backups — they should already be in place, and periodically tested.
    • Conduct “tabletop” exercises to test policy effectiveness.
  • Revise cybersecurity policies to address pandemic-type events – e.g., make your cybersecurity infrastructure defensible.
  • Conduct a realistic risk assessment when considering permitting employee BYOD, or alternatively, assign “emergency” mobile devices to employees that are secure (encrypted and managed by corporate mobile device management programs).
    • What are the costs for these devices compared with potential risk of financial loss?
  • Check your insurance policies to ascertain whether business losses arising from COVID-19 related cybersecurity issues are covered – or if they are excluded through some sort of Force Majeure provision.
    • Businesses shuttered as a result of COVID-18 issues – will they have insurable losses for business interruption resulting from pandemic events?
    • Will insurance permit or prohibit use of employee BYOD? If so, are there coverage pre-conditions imposed and are they complied with?
    • Could an anti-concurrent causation clause in insurance policies be applicable?
  • Perhaps most significant, train (and keep training) employees to practice “safe computing” – never click on links within emails or open attachments which have not been requested or are from someone you don’t know. Some people are still using Windows 7, which is no longer supported (meaning no security updates) without a separate (and costly) agreement with Microsoft. Remoting should be prohibited on those devices. Moreover, proper monitoring and enforcing update and patch management even for those using the latest operating systems and software is difficult and resource-intensive at best, and illusory at worst. Security and misconfiguration risks exist even when using a secure, cloud-based solutions, irrespective whether using IAAS (infrastructure as a service). PAAS (platform as a service) or SAAS (software as a service).
  • Where essential employees do not have broadband at home, it may be prudent to provide them with mobile hotspots, particularly where sensitive proprietary, financial, personal or even health related information is in use. While this is a more expensive route for an organization, the productivity loss over even a short period of time, together with enhanced security, will far outstrip the sunk cost for the service, and be exponentially cheaper than defending a data security incident like an exfiltration or ransomware attack.

COVID-19 Corporate Bottom Line

We’re operating in a technology environment that, to date, has only been theorized, at least in the civilian realm. Expect the unexpected.