The coronavirus disease 2019 (Covid-19) pandemic has resulted in significant disruption, and presents unexpected challenges for organizations of all sizes and sectors across the world. As we have seen, the spread of Covid-19 throughout communities is quickly changing how people live and work and how businesses operate.
In a world that now requires isolation, people and organizations have shifted a great deal of activity into the digital realm. The rate at which we have been relying on digital tools to connect and work these past few weeks is unprecedented. Employees and students are staying home, using videoconferencing services, collaboration platforms and other digital tools to do business and schoolwork. In their free time, they are going online to shop, read, chat, play and stream.
As many businesses continue to implement skeletal or “work from home” arrangements to mitigate the impact of Covid-19, the number of cyber risks to organizations rises. According to the Australian Cyber Security Center, the dramatic increase in people working from home—many of them for the first time—and the increasing use of online systems to manage social distancing create opportunities for cyber criminals.
Cybercriminals have been ramping up their tactics to take advantage of those who may have inadequate or naïve security controls. As phishing, ransomware and social engineering attacks appear, many companies have opened up new vulnerabilities in their sudden switch to home working.
Employees may be using unfamiliar apps and bypassing controls in order to work effectively. The more that homebound employees struggle to access data and systems, the more they will attempt to use risky workarounds. Employees working from their personal or new unsecured computers could also create easy entry points to company systems. Staff are also relying more on email to exchange documents and information. Without adequate protection, organizations may lose the confidentiality and integrity of their data.
As a result, chief information officers (CIOs) during this coronavirus outbreak are facing a great challenge: playing a central role in navigating the crisis, even as their companies grapple with the implications. Moreover, CIOs need to balance two priorities at this time: protecting their organization against new cyber threats and maintaining business continuity. The overarching challenge is to protect the company while enabling operations to go on without interruption, but addressing these diverse and sometimes competing needs is not easy.
Therefore, CIOs must act swiftly to manage cyber risks in a pragmatic way. Remaining vigilant and ensuring sound cyber security practices is imperative. Businesses should pause and consider incorporating the following strategies in order to effectively mitigate cyber risks during these critical times:
Activate your business continuity strategy. Invoke a holistic business continuity plan (BCP) and clearly define standard operating procedures (SOPs) for employees working from home. Define SOPs for employees using their company-specific communication channels, such as Microsoft Teams or Skype. Pull together quick guidance, short training or knowledge sharing sessions for employees who may not be familiar with remote working.
Secure your IT assets. Enable authentications and patches, update solutions to ensure security and advise employees during the work from home period. In addition, promptly update your company’s antivirus, malware protection, data leakage prevention, mobile device management and other solutions. Inform employees about relevant antivirus or malware updates required to secure their home networks. Prioritize patching high-risk company applications that are used extensively during the quarantine period and ensure that cloud systems have been appropriately secured.
Prepare a cyber attack defense model. Stay up to date on various cyber attacks. With inputs from online cyber security feeds, include such news and information in your organization’s cyber threat intelligence in order to identify trends and emerging risks or threats, as well as to provide timely warnings.
Heighten staff awareness around cyber security. Help employees understand the risks. Employees working from home must still exercise good judgement to maintain information security. Focus on what to do rather than what not to do. Explain the benefits, such as security and productivity, of using approved messaging, file transfer and document management tools to do their jobs. Remind employees about good basic security, such as strong passwords, not using open public WiFi, and not clicking on anything that looks vaguely suspicious. Reinforce to staff that home computers are not to be used for work or client data.
Identify and monitor high-risk user groups. Some users, such as those working with confidential data, pose more risk than others. High-risk users should be identified and monitored for behavior that can indicate security breaches.
Sustain good procurement practices. Fast-track procurement that is intended to close security gaps; however, the procurement process should still follow standard due diligence. The need for certain security and information technology (IT) tools may seem urgent, but poor vendor selection or hasty deployment could do more harm than good.
Confirm the security of third parties. Nearly every company uses contractors and offsite vendors, and most integrate IT systems and share data with third parties. Should any third party fail to demonstrate adequate security controls and procedures, consider limiting or even suspending their connectivity until they remedy their weaknesses.
Stay updated on all regulatory and technical developments. Regulators are tightening controls and formulating new guidelines to tackle the growing number and complexity of cyber attacks. Stay updated on changes to data privacy and protection, to cyber laws and regulations, as well as to evolving risks and technical developments.
The Covid-19 pandemic is not just a world health emergency; it is an economic one, too. However, the information security of businesses big and small does not have to be an unintended casualty. By taking practical steps in focusing, testing, monitoring and balancing cyber risks, CIOs can fulfill their responsibility of upholding their organization’s security and maintaining business continuity. Businesses that are able to manage digital risks while providing stability will likely come out on top.
Third Librea is the head of the Advisory Services division of P&A Grant Thornton. P&A Grant Thornton is one of the leading audit, tax, advisory and outsourcing firms in the Philippines, with 23 partners and more than 900 staff members.
As published in The Manila Times, dated 22 April 2020