It’s an elementary principle of risk management that you should design systems to withstand not just the best possible circumstances, but also the worst. It’s why structures are designed to withstand storms or earthquakes, not just days when Mother Earth is feeling kind. It’s why auto companies design car frames to hold up during an accident, not just to sit pretty in a garage. And it’s why organizations design — or at least should design — their information security protocols to withstand a breakdown in the usual flows of data and information.
As the head of information security for a technology company with more than a thousand (now mostly remote) employees, I have found the COVID-19 pandemic to be, among other things, an educational experience. And while it hasn't been completely smooth sailing, I believe one of the reasons we were able to transition so quickly to remote work with relatively few hiccups is that we established practices to withstand precisely this type of scenario long before the virus swept through our community.
That being said, I completely understand why IT teams with fewer resources than ours are being truly tested by the pandemic. That is why I'd like to share a few of the strategies that have helped us make the transition to all-remote work. Here are a few of our organization's key principles for keeping security tight even during crises like this one.
Educate and inform your users
As an IT person in the time of COVID, think about how much you've learned about your profession in the past month alone: about encryption, about networking, about collaboration software and about how unintuitive human behavior can be under stress. Now recognize that your users probably know even less than you knew before this crisis started about keeping information secure.
Most employees have no idea about the myriad threats to information security that arise when they're working at home. But most of them, you'll find, are eager to help in any way they can. Leverage this goodwill by educating users about information security. Just this morning, for instance, I found myself drafting an email to employees reminding them to update and patch the applications and operating systems on their personal devices. I explained that software developers are constantly releasing new versions to fix bugs or close security holes, and that updating your applications is an easy, effective step that anyone can take to keep their data secure.
Memos like this are critical not only for educating users about specific security topics, but also for keeping security a priority under precisely the conditions in which people are most likely to overlook it.
One other topic of cybersecurity education that’s particularly important during COVID is making sure work environments are private. Many of us have made impromptu workspaces in our homes, surrounded by family and roommates likewise going about their own activities. Under these conditions, it’s important to ask yourself: Who can hear my conversations? Who can see my screen? Where do I take my calls? To be clear, the security risk here isn’t so much that your family is going to steal trade secrets. However, imagine you’re on a call of a sensitive nature, where the topic of discussion is something that could impact the stock price of a company. Now, imagine you’re taking that call in the same room as your kid who’s in a Call of Duty lobby with 150 other individuals. Similarly, imagine that a spouse lets slip to a friend or colleague something they saw you reading, without knowing that the document was intended for employees’ eyes only.
In this way, people in one's own home can compromise the security of one's data or information without even knowing it. IT teams should remind their users to always be cognizant of their surroundings, even in the places we tend to think are safest.
Reevaluate your company’s business continuity and disaster recovery programs
Okay, it's obviously too late to develop a business continuity plan to ensure uninterrupted mission-critical activities through the COVID-19 pandemic. By now, every business that had a business continuity plan in place before this all started (around 27 percent of businesses admit they had none at all) has received concrete, empirical feedback on its effectiveness. If it worked, it worked; if it didn't, hopefully they've adjusted their company protocols for dealing with a deadly, highly contagious virus.
But what about future pandemics? Or all the other crisis scenarios that we know are possible? After all, if there’s anything this crisis has taught us, it’s that governments and businesses need to be prepared for all the near-doomsday scenarios scientists tell us have a significant chance of occurring in our lifetimes — even if it’s not particularly fun to think about them.
While it might be morbid to contemplate, everything from natural disasters to public health crises to war and famine should be on the table when planning for business continuity and disaster recovery. With businesses finally settling into the new, post-COVID-19 normal, now is the perfect time for business leaders to take a thorough look at their business continuity and disaster recovery plans. Because if all we’ve learned from this crisis is how to transition quickly to a 100 percent remote workforce, or how to get personal protective equipment to workers on the front line, then we haven’t understood the real lesson of the coronavirus pandemic: we need to be prepared for things that no other generation before us might have ever seen or experienced.
Turn on multi-factor for anything that offers it
Security is tough enough when employees are at the office. But when they're working from home, you have all the usual difficulties plus the additional risk that whoever is accessing files or apps isn't who they say they are. At least when people are in the office, IT can trace activity to a specific machine at a specific location in the building and verify identity with their own two eyes. When your workforce is entirely remote, it can be nearly impossible to tell whether an employee account has been compromised.
As we all know, there are more ways than anyone can count for an employee's accounts or devices to be compromised. Perhaps their machine was stolen and they're too embarrassed to tell IT. Or maybe they handed their credentials directly to an attacker as the victim of a phishing attack. Either way, remote work can make it far easier for bad actors to get into your critical systems.
That's where multi-factor authentication (MFA) comes into play. MFA makes access to systems or devices conditional on producing further proof that the user is who they say they are. The second factors we're most familiar with are one-time codes sent by text message or email, but those are the weakest options (a code sent over SMS can be intercepted through SIM swapping, and any code the user types can be phished right along with the password) and they aren't the only confirmation companies can use. Authenticator apps, hardware security keys and biometrics (e.g., a thumbprint) are stronger factors, and signals such as geographic location and source IP address can be layered on top as conditions on when a login is allowed at all. Note that a PIN is, like a password, something you know, so pairing the two adds little.
The most secure approach, of course, is to require a combination of something you know, something you have and something you are, which makes it far harder for an attacker to impersonate one of your employees. The trade-off is usability: requiring more factors for authentication can make it more difficult for your own employees to access their accounts. Ultimately, which factors you choose will depend on what industry you're in and the unique security threats to your business.
Everyone knows these are hard times for businesses, and hard times usually mean slashing budgets across the board. But now is not the time to pull back on something as essential as security. Sure, reducing expenditures or laying off staff might make your company's bottom line look a little better, but the risks of overlooking security are formidable. When you consider that the average cost of a data breach is nearly $4 million and that more than half of businesses fold within six months of a major incident, it's clear that the real cost businesses can't afford right now is cutting back on security.