What Businesses Can Do About Increasing Cybersecurity Risks Due to COVID-19

Posted on April 2, 2020 - by Justin Gratto - in Trends in InfoSec

I write this as I sit in self-isolation, as our company has issued a strict policy of work from home. Many other people now find themselves in the same position, stuck working from the couch, kitchen tables, or rarely used desks at home.

But while staying home can help keep us safe from the coronavirus, we need to be increasingly aware of attempts to weaponize COVID-19 panic to attack companies and individuals. There are tons of scam texts, emails, or phone calls claiming to offer relief funds or government assistance. Or apps that claim to track coronavirus in your area. This makes our families, friends, employees, customers, and companies all more vulnerable to fraud, ransomware, and malicious attacks. 

I want to share some of our insights about how we were able to quickly shift our company to remote work, as well as talk about a growing trend that is certain to put you and your business at risk during this time. 

Step 1. Update Your Asset Inventory

What devices do you have going home with employees? Where is your data stored and can you securely access it remotely? What assets do you need to protect to keep your business functional or restart it once operations open back up?

Knowing exactly what you have at all times, and who has possession of it, will make this work-from-home process so much easier for you from the get-go. When it comes time to issue a notice to send people home, you know what they have already, so they only need to sign for additional items such as monitors, keyboards and other peripherals. 

We had employees who needed to take desks, chairs, or monitors home from the office so they could work efficiently. Being able to give out supplies to make our team comfortable while working from home makes a huge difference as we settle into a new routine. Especially since so many people are feeling additional tension and stress about the coronavirus.  

Step 2. Come Up With A Plan For Accessing Any Internal Resources

Not all companies are cloud-based. Some are still operating and maintaining their own, on-premise infrastructure or contracting space in a data center to manage their own servers.

This poses some risks, like remote management of this infrastructure using weak credentials, deprecated or plain-text protocols, and encryption can occur. What we suggest is ensuring that an approved VPN is used for any employees accessing internal resources when implementing a work from home strategy. When planning a work from home strategy, consider the following questions:

  • Does our current VPN and remote access infrastructure support the capacity of potentially all of our employees using it at the same time?
  • For employees in rural neighborhoods with lower speeds, will the network speeds of our rural employees’ home internet be capable of a reduction by using a remote access service such as a VPN?
  • Do we have sufficient communication and collaboration tools to replace verbal, direct communication?

Step 3. Have A Remote Work Or Teleworking Policy That Addresses Risks And Communicate That Policy Clearly To All Employees

If you currently do not have a remote work policy, we are offering a customizable remote work policy as a bonus to our free account offering available here. A remote work policy and procedures at a minimum should address the following:

  • Issuance and return of devices, peripherals, and any storage medium
  • Secure use and storage of devices, peripherals, and storage medium with sensitive data. 
  • Network policy to include securing home wifi and LAN. 
  • Encryption policy to include securing devices, media, and sensitive data in transit and at rest.
  • Access controls, secure use of admin privileges and enforcement of multifactor authentication.
  • Policy and guidance on endpoint protection, keeping systems and antivirus/antimalware solutions up-to-date. 
  • Limiting and controlling the installation of software, software installation approval process and setting standards for what software is explicitly not allowed to be installed on company devices. 

Additionally, you may need to address the following:

  • Ensure local admin access on the device is restricted to only personnel whose roles require local admin privilege. 
  • If developing software, ensure that employees working remotely can adhere to the secure software development process and policy. You want to check that the change management process and policy is still being adhered to. Also, ensure that code reviews and testing are occurring as planned, with processes surrounding production and staging environments clearly defined and available. 

Watch the recorded webinars now.

The #1 Security Trend in 2020

In late 2019, I released a blog titled Top 5 Security Trends in 2020… before the “black swan” event we’ll all remember later on as the COVID-19 Pandemic. This emerged in the first 3 months of 2020, with the outbreak of COVID-19 and the responses from WHO and national governments. 

Scammers, malicious hackers, price gougers, and nation-state threat agents immediately started taking advantage of the attention to COVID-19 to profit from other people’s stress and anxiety about the virus. 

We’re seeing increases in phishing campaigns and attacks as these malicious actors are increasingly using the COVID-19 virus as a hook in their text, email, and fraudulent phone call campaigns. The Internet is already drowning in COVID-19 related malware and phishing scams

There’s a rise in malware that is introduced by applications claiming to track coronavirus or some similar functionality, which introduces some sort of malware or ransomware such as CovidLock. Zscaler recently released a CovidLock walkthrough to unlock an android device that has been affected by this ransomware. This ransomware is introduced by installing and granting permissions to an app called “Coronavirus Tracker.” 

To address this trend and avoid being the victim of these tactics used by criminal profiteers, we’re advising friends, family, and customers of the following:

  1. Only download applications that have been approved by your company on work devices.
  2. Do not install and grant permissions to applications that haven’t been vetted and approved by your company on a BYOD or work device. 
  3. Only download applications from legitimate app stores, such as Google Play and Apple App Store.
  4. Ensure when installing an app from a legitimate source that even a high rated app, has plenty of detailed, well-worded reviews from legitimate users of the app store. 
  5. Be cautious about downloading applications that may have fake reviews, especially from new companies or unknown developers. 

How We Made Transitioning to Remote Work Easier

By now many companies have all or most of their employees working from home. We had an easier transition to remote work and I hope some of this information will help others who have a more challenging transition and will take longer to adjust to remote work. 

Even before COVID-19 was in the picture, our company took appropriate steps to ensure security when we offered a flexible work from home policy for our employees. We initially implemented it because many people in our company have families. Kids get sick, dentist appointments happen, oil changes can’t be put off any longer, life happens. This openness with a flexible work-from-home policy and remote work readiness paid off tenfold for when we really needed it.  

We were prepared to react and act accordingly because we had conversations about the possibility of worst-case scenarios, part of planning for our business continuity and disaster recovery. We knew what we would need for everyone to work from home successfully or what would happen if our CTO was suddenly unavailable. 

In mid-March, we mobilized quickly, issuing workstation monitors, laptops, and peripherals. Each employee signed their equipment out from an asset signout sheet our CTO manifested from our asset inventory. We had the infrastructure for all our employees to work from home for months now. Our company is successfully into week three with all our employees working safely from home. 

We’re Here to Help

We’re now offering free webinars on business continuity and disaster recovery, remote work, and other information security topics. This is in addition to the free tools inside the Securicy platform that help with risk assessment, security awareness training, and creating plans for security and business continuity.

Join our free webinars and live Q&A sessions on disaster recovery, business continuity, information security, and remote work. Get answers to the top problems that you need to solve for your business now.

See the upcoming webinar schedule here!

Tags: business continuity planning / coronavirus / covid-19 / disaster recovery / information security / infosec /

About the author

Justin Gratto

Justin Gratto is a Canadian Army veteran, experienced information security professional, and the Senior Director of Product at Securicy. Justin is responsible for product ownership at Securicy, a SaaS platform that assists businesses through creating, implementing, and managing their information security and privacy compliance program. He is also involved in advisory service delivery, and holds the responsibility of Security and Privacy Officer at Securicy. When Justin isn’t performing his duties at Securicy, he likes to go on adventures to new places to visit, learn about, and taste different cultures. He is from Nova Scotia, Canada.

Related Articles

CIA Triad Infosec

3 Principles of Infosec: The CIA Triad
penetration testing as a service

What is Penetration Testing as a Service: The Benefits for SaaS Companies
Cloud storage vs. local storage

Cloud Storage vs. Local Storage: 19 Pros and Cons