How to Fight Off Cyberattacks in an Age of Remote WorkingChief Privacy Officer at King & Spalding Chairman and CEO of LEVICK
With tens of millions of people working remotely in the wake of the COVID-19 pandemic, the cybersecurity weaknesses of the remote work ecosystem have become apparent. Criminals and nation-state actors have been presented with an exponential growth in access points to pressure and penetrate corporate systems, and the scramble to secure systems from a menagerie of devices, networks and enterprise networks leaves many companies vulnerable to attack, theft or exploitation.
The FBI has stated that cyberattacks have drastically increased this spring; ransomware, malware, general email scams and malicious phishing expeditions abound. Some cybercriminals have even taken to providing fraudulent COVID-19 resources via apps or other downloads to target both individual and corporate systems. While these assaults have happened in an astonishing variety of industries and against a diverse array of targets, areas hit hardest by COVID-19 are the most vulnerable. These crimes can be extremely profitable, often lack sophistication to execute certain techniques, require a remarkably low financial commitment and are difficult to attribute to any particular parties.
Considering this combination, it becomes clear that this threat will be a persistent one. As corporations build out the interoperability of their corporate systems with personal technology — via either increased compatibility with personal mobile devices or other methods of accessing company databases through home computing networks — the probability of inadvertently introducing vulnerabilities into corporate systems increases. The ability to rapidly identify vulnerabilities and detect breaches will become paramount to the successful operation of any company.
Remote Working Drives Up Cyber Risk
The longer this remote work period persists, the more sophisticated and targeted the actions of criminals and bad actors will become. Considering these technical vulnerabilities in conjunction with the increased ease of exploiting human vulnerabilities (i.e., it is more difficult to exert direct control over how employees use their computer systems in a remote work environment), it is critically important to increase vigilance in adopting and maintaining proper cybersecurity hygiene.
Despite the increased risks and the uncertainty of security protocols constructed on an ad hoc basis, working remotely is a mandatory aspect of life for tens of millions of Americans. Corporations must find a way to protect the safety and security of both their employees and the public writ large by ensuring that remote work systems are secure enough to operate for as long as needed until a significant portion of the American workforce can return to work safely. This effort requires vigilance, flexibility and a keen awareness of the threat landscape, and corporations that can create and foster a secure working environment now will be far better situated to protect themselves from cybersecurity threats in a post-COVID working environment.
The nature of the newly established remote work ecosystem means that cybercriminals have more access points and security vulnerabilities to exploit than ever before.
Review Your Data Logs
A starting point for any organization must be a thorough review of data storage: storage hardware, storage methods and access control. As myriad new devices are granted access to corporate systems, the need for careful curation of access lists and data logs recording the time and manner of access grows. Monitoring and controlling access will allow organizations to reintegrate the vulnerable and potentially compromised assets that have been out of their direct control for extended periods of time.
Institutions also need to assess their cybersecurity insurance policies to ensure adequate coverage, as well as seek to mitigate their third-party and supply-chain vendor risks. Increased use of remote work technologies and outside support systems will also require corporations to revisit and revise their risk management programs for supply chains. As the web of contact with outside systems and vendors grows, existing cybersecurity procedures may also need to be overhauled. These may include incident response plans, remote work and employee privacy policies, data privacy and security training materials, bring-your-own-device (BYOD) rules, data/record retention schedules, information security and acceptable use policies and email and messaging standards.
Importance of Internal Messaging
Given the radical nature of the changes that are likely to take place, communication and education efforts are a necessary pillar of a successful transition. A combination of intensive contingency planning and aggressive outreach to employees, vendors, suppliers and stakeholders is recommended. Employees who have been working from home need to make their shared platforms, devices and databases less vulnerable to attack. It’s not just the organization’s cybersecurity that’s at risk, but the privacy interests of the individual at stake in maintaining their personal and financial security from criminals and other bad actors.
Internal messaging related to cybersecurity must be clear, compelling and consistent — whether in writing, in person, online, in a virtual training session or in a video. After employees receive training, each should be required to pass a test to ensure they understand their new cybersecurity responsibilities. An ongoing return-to-work task force should be established, with input from a variety of institutional stakeholders, from communication and human resources to the general counsel’s office and information technology. The communications elements of all cyber-crisis response plans must be thoroughly overhauled to reflect current exigencies, then incorporated into drills and tabletop exercises that engage everyone in the organization.
An Unpredictable Future
Supply-chain constituencies also need to be built out and tested in conjunction with the latest cybersecurity procedures. Once an organization’s internal priorities have been addressed, it can begin reaching out to assure local and industry media, elected officials and community leaders that it is thoroughly committed to identifying and mitigating cybersecurity assaults in this unpredictable and evolving environment.
The nature of the newly established remote work ecosystem means that cybercriminals have more access points and security vulnerabilities to exploit than ever before. To adequately address these emerging threats, corporations and institutional stakeholders must bring to bear a suite of innovative methods and tools to prevent compromise when possible and mitigate damage when necessary. While cybercriminal activity is inevitable — and emerging national security paradigms result in more sophisticated attacks than in the past — organizations that use this opportunity to implement strong, secure and flexible cybersecurity practices will find themselves on solid footing to face the known threats of today and the unknown threats of the post-COVID world.