Social distancing and mandated closures have shifted entire companies, school districts, universities, and government agencies to remote work, putting tremendous strain on existing technology infrastructures and support systems. Even the most prepared organizations that have advanced IT security and control capabilities have never encountered anything like the current level of crisis.
Cyber criminals are exploiting stressed out organizations and employees by targeting individuals with cleverly worded emails that appear to come from an official agency such as the CDC – or even their own company. These emails contain malware attachments that infect computers and confiscate personal information. Cyber criminals also are extorting organizations with ransomware demanding payment to maintain business continuity throughout the crisis and beyond.
At the same time, risks from cloud services, videoconferencing platforms, streaming services, utilities, and other critical infrastructure providers are increasing as heavy demand taxes their systems.
Other vulnerable IT targets include:
- Third parties. Your vendors and other third-party suppliers have all of your own IT vulnerabilities – which can be amplified by their own cash-flow problems or supply-chain challenges. Given the interconnectivity of supply chains and seamless digital collaboration with vendors, take a close look at where your weak links are. Medium and smaller suppliers may be particularly vulnerable as they often lack sophisticated security capabilities. And always maintain continued visibility into your vendors’ status to understand if they have heightened security risk. (Read: Coronavirus and Third-Party Risk: Don’t Let Your Vendors Bring You Down)
- Unsecured devices. Under high-stress scenarios, exceptions to security standards are more likely to be made. Allowing the use of personal devices and home Wi-Fi networks for work-related activities, for instance, provides significantly less protection than in a typical office environment. And websites routinely blocked by corporate networks may be accessible when working remotely. Shore up security with multifactor identification, strong password requirements, firewalls, VPNs, and the like. (This guide from NIST provides considerations and recommendations for securing remote access.)
- Employees. Even conscientious workers may unintentionally add risk by moving data onto unsecured computers and personal devices. Potential exposure of sensitive information increases legal and reputational risks when computers are not appropriately secured and monitored – especially if that continues undetected. Proactively communicate the risks of handling confidential information when working remotely to help avoid those mistakes. (Read: Seven Strategies for Managing HR Risk Amid the Coronavirus Crisis)
- IT support. Simply providing laptop support to a far-flung workforce is stretching the resources of many IT teams. A remote workforce also makes it harder to identify threats or execute a quick response if a cyber incident does happen. And what if COVID-19 strikes the IT team? Establish and test a backup plan if only a portion of staff is able to work because of illness.
As the economic repercussions of the coronavirus deepen, organizations that need to let people go also will want to be mindful of increased IT risk from disgruntled employees, who often are given the news remotely.
In these unprecedented times, technology is the lifeline of continued business operation. Now is the time to test and retest your system security against new and aggressive cyberattacks. Are you doing everything possible to minimize your IT risk during this pandemic – and beyond?
For more on dealing with the coronavirus crisis, check out..