We enjoy Jerry Bruckheimer movies. Living in one is another matter. COVID-19 has generated scenes that give us pause. An empty Times Square. A Los Angeles with moving traffic. A Washington eerie in its silence. Closed stores. Shuttered malls. But amid all that, the show must go on. Businesses need to operate. In a time of lockdown orders and a contagious virus, operation has increasingly meant remote work. Many organizations and employees who would never have considered telecommuting have embraced it as a lifeline.
The increased remote work has also expanded exposure to cyber attackers. Sensing their opportunities, attackers have used everything from “man in the middle” attacks to phishing emails about COVID-19. We have written about basic precautions, such as mandating the use of Virtual Private Networks (VPNs), that all companies need to be using to avoid being the low-hanging fruit for attackers. With the benefit of experience, here are five steps you should take immediately to prepare your organization for an attack.
First, review your Incident Response Plan. There is a reason counsel stress incident response plans. They are the classic “it’s not only a good idea, it’s the law.” A plan prepares the organization through mental stress testing. And many regulators, ranging from OCR to the SEC to NYDFS, require one. That said, many incident response plans are built on assumptions that no longer apply in COVID-19 times. For example, a key individual may be quarantined. Or the plan may require physical access to a facility that is out of bounds for one reason or another. Whatever the concern, the first step is to review the plan. A review will yield assumptions that no longer hold true. At that point, the organization can develop workarounds.
Second, review expert guidance. Government agencies from DHS to CISA to NIST have been collating lessons learnt from the experiences of other organizations during the pandemic. These agencies regularly publish recommendations developed in light of these experiences on their websites. Business or IT leadership should be regularly reviewing these publications. To paraphrase Bismarck, “Learn from the mistakes of others.” Moreover, your tax dollars have already paid for this expertise. So, for example, CISA discovered that COVID-19 phishing emails were a new and effective ploy for attackers. Employees expect such emails. And react accordingly. Once warned, their responses improved. A simple technique, but one that pays disproportionate dividends.
Third, have several ways to locate employees. Businesses are used to integrated communication systems. Internet accounts, internal networks, landlines, and even cell phones run off a single unitary core. While this can be efficient and cost-effective, it can also leave businesses vulnerable. An attack that cripples the core can make it impossible for employees to communicate with each other. Some redundancy is valuable here. The business should identify alternative modes of communication, such as landlines, or personal cell phones. Each employee should have a hard copy of a directory with these numbers. Communication may be slower this way. But this approach ensures that an attack does not cripple all internal communication.
Fourth, fix your vulnerabilities. All cyber systems have vulnerabilities. It is inevitable the same way any human body is subject to disease. Businesses are often aware of the most common issues. For example, when vendors release a software update, hackers analyze the update to identify the vulnerability it patches, and then look for systems that have not yet applied it. Few businesses update regularly. An update requires taking the system offline. The down time means lost productivity. Lost productivity means lost profits. But at a time when so much work is being done remotely, such vulnerabilities can no longer be tolerated. In the regular course of business, an attack through an exploited vulnerability might be a nuisance. With the entire business running remotely, however, such an attack can be near-fatal.
Finally, check your liabilities. It is ironic that the present pandemic comes at a time when cybersecurity and privacy have gotten the attention of regulators. The Department of Health and Human Services’ Office for Civil Rights has indicated that it will regulate lightly given the pandemic pressures. But other agencies – from the Federal Trade Commission to the Securities and Exchange Commission – have offered no such suggestion. Moreover, state regulators and legislators, perhaps spurred by California’s example in the California Consumer Privacy Act (CCPA), have become active in consumer privacy. California itself may have followed the lead of the European Union’s General Data Protection Regulation (GDPR). This patchwork of state, federal, and international regulators creates cybersecurity and privacy compliance issues for many businesses. And while regulators may be flexible given the strains on resources produced by the pandemic, none has suggested holding compliance issues in abeyance. In our experience, the day-to-day stresses can sometimes cause businesses to overlook compliance fundamentals. Build your IT around security and compliance. If it is intrinsic, it is less likely to be overlooked, whether the work is performed in the office or remotely.
Remote work is a gift. By enabling social distancing, it has saved lives during the crisis. And all datapoints suggest that it will grow in the years ahead. Businesses should prepare themselves accordingly.