At the moment, cyber security may be far down your list of priorities. As concern about the public health impact of coronavirus (COVID-19) grows, there have been a number of reactions, both at the state and individual level. Whole regions in China, Italy and other countries have been quarantined, and flights to and from certain destinations cancelled. A large number of people in the UK have started ‘panic buying’ essentials, with supermarkets forced to enact contingency plans to deal with the unprecedented demand.
While businesses adapt to daily shifts in volatile markets, many also face the challenge of overhauling how their staff can go about their jobs. With widespread office closures has come a large scale shift to remote working in the industries where this is possible.
But while remote working allows some businesses to continue to function, it also poses a significant challenge to security teams. Some of the challenges are due to the nature of remote working itself. But others are a result of the unique nature of the coronavirus outbreak, as organisations are forced to respond in real time and cyber criminals look to make the best of an unfortunate and difficult situation.
What are the risks generally?
Broadly speaking, remote working exposes an organisation to a number of novel risks, even at the best of times. As the National Cyber Security Centre (NCSC) note in their 10 Steps guidance: “Mobile working and remote system access offers great business benefits but exposes new risks that need to be managed.”
As pointed out in a Financial Times report in December 2019, what makes remote working a challenge for security teams is that it increases the size of your attack surface. That is, the culmination of all the networks and computer systems you use for work. Loss of company devices, the loss of sensitive information (including personal information) and the loss of credentials (including user names and passwords) are among the new risks which must be mitigated.
With remote workers using personal networks and, potentially, personal devices to conduct company activities, the likelihood of a security incident increases. This is because, in addition to bringing more networks and devices ‘in scope’, these personal networks and devices are not necessarily as well protected as their company counterparts. This leaves them more vulnerable to cyber attacks (e.g. they may lack protection against malicious software).
According to James Bradley, Global Head of Security Standards at Experian, managing the risk associated with the use of personal devices is a difficult task: “One of the most important things is education. All users, and particularly privileged users like administrators, need to be aware of the dangers of using their own devices, or otherwise attempting to bypass their company’s security controls.
By leveraging a ”secure together” team mentality the right behaviours can still be pushed into all areas of the “remote business” and form the basis of an effective strategy coupled with technical safeguards.
Even within the new remote working landscape necessitated by the COVID-19 pandemic, responsibilities for information security must be maintained. Failure to follow company policies and procedures, even with the backdrop of unprecedented, disruptive global events, can still lead to the undesirable consequences of non-compliance, like a data breach or loss of service.”
What are the risks unique to the outbreak?
In many respects, the pandemic exacerbates the pre-existing issues brought about by remote working. Employees unaccustomed to working from home may not have proper equipment set up. As they turn to personal devices to do their jobs, they could expose their organisation to some of the risks mentioned above.
But as policy experts at the World Economic Forum (WEF) have pointed out, there are three cyber security risks specific to our current situation.
First – due to the global nature of the pandemic, we are more dependent than ever on digital infrastructure. “Businesses and public-sector organizations are increasingly offering or enforcing “work from home” policies, and social interactions are rapidly becoming confined to video calls, social media posts and chat programmes. Many governments are disseminating information via digital means.” This means that any outage as a result of a cyber attack could have devastating consequences.
Second – cyber criminals will look to exploit the fear and uncertainty caused by the crisis via social engineering. Indeed, this is already happening. On the 3rd March, MalwareHunterTeam discovered malware attacking those looking for maps detailing the spread of coronavirus.
Furthermore, it seems as if state actors may also be getting on the act.
Dmitri Alperovitch, co-founder and former Chief Technology Officer of cyber security company CrowdStrike, and member of the Apomatix Advisory Board, points out that ” security researchers have found evidence of more sophisticated, possibly state sponsored, hackers sending COVID-19 phishing emails with malicious document attachments. This kind of activity has been seen against all sorts of targets”
Third – more time online could lead to riskier behaviour. With so many people confined to their homes, the time they spend online will increase dramatically. Already there have been outages and service disruptions. The EU have gone as far as urging Netflix to stop showing content in high definition to reduce some of the strain.
As the WEF notes “inadvertently risky Internet behaviour increases with more time spent online. For example, users could fall for “free” access to obscure websites or pirated shows, opening the door to likely malware and attacks”.
How can the risks be managed?
Organisations should adopt a variety of measures to protect their data and devices when employees are working remotely. Some of these will depend on your specific context (e.g. whether you can afford to offer all employees company laptops).
You may also want to consider implementing a broader cyber security framework that also covers remote working (e.g. ISO 27001).
While not exhaustive, some of the most important measures include:
– Create a remote working policy: Your organisation should draft a policy to mitigate the specific risks you face. The policy should outline the controls in place to protect the organisation along with the procedures all users (and privileged users) must follow.
– Educate users: All users should be trained on the use of their mobile device, together with training on their specific responsibilities.
– Monitor and audit remote working controls: Your organisation may need to consider an increased level of monitoring (e.g. on remote connections and the systems being accessed) to help reduce the risk of any security incidents. Furthermore, if remote working is part of business as usual, all associated controls should be audited by your internal audit team as part of their assurance activities.