COVID-19 has been the global story of 2020 and promises to dominate 2021 as well. The pandemic, which began almost exactly one year ago, has touched virtually every corner of the globe and has precipitated dramatic changes in how people do business. In particular, the need to follow social distancing rules drove companies into quickly adopting remote work. According to a recent survey of IT security professionals, more than 99 percent of organizations transitioned to remote work in response to COVID-19. Yet, only one in three described their shift as smooth. Three in five said cloud infrastructure was more important now than a year ago. One in three attributed this shift in cloud infrastructure importance to COVID-19. The cloud has become the new reality of the work environment to facilitate telecommuting and remote work. While cloud deployment was not new to the overwhelming majority of organizations, there was nowhere near the attention it has received now to accommodate the dramatic shift in work patterns. But the move to remote work during the COVID-19 pandemic has also exacerbated a number of IT cybersecurity risks.
1. Impersonation of senior executives
Thanks to the remote work model, employees now interact with their colleagues almost exclusively via phone, email, and the cloud. There will likely not be much difficulty recognizing an authentic email or call from a colleague you interact with daily. However, determining the identity of a caller becomes harder when it is not someone you engage with regularly.
It can be a particularly dicey moment for an employee when communication comes from an individual purporting to be the CEO, CFO, or other senior executives. There is anxiety about doubting a message from someone at such a senior-level, given the potential repercussions such as getting fired for insubordination. Cybercriminals know this and will impersonate top decision-makers in the hope of extracting sensitive information or initiating fraudulent transactions. The risk is higher now because employees are no longer in the same physical workspace.
To avoid falling into this trap, staff should be sensitized on the need to stick to laid down procedures. They should report any irregular or suspicious communication, including following escalation and incident management processes as needed.
2. Vulnerability of remote connections
COVID-19 lockdowns often came swiftly and not with much forewarning — and the cybersecurity risks quickly followed. Organizations had to scramble to transition their entire operations into a remote work model.
In the early days of this shift, the emphasis was on ensuring continued operations. As employees tried to quickly settle into the new way of working, they had to rely on network infrastructure that is not within their organization’s control. From home WiFi to public WiFi to mobile broadband, staff has to use connections that are not configured, tested, and monitored by their company’s IT security team.
With that comes the risk of communication interception and deliberate disruption. An attacker could, for instance, create a mobile hotspot at a café and give it a name that makes it appear as the official one provided by the café.
Organizations have to ensure remote connectivity is just as secure as an on-premises connection. This could be achieved by requiring the use of a virtual private network (VPN) as well as enforcing multifactor authentication (MFA).
3. Use of personal devices for work and personal use of company devices
In many organizations, the majority of employees use desktop computers. Laptops and tablets are often the preserve of persons whose job has a significant element of mobility. Given the speed with which organizations had to move the bulk of their employees to remote working, it was often not financially or operationally possible to give all employees company-owned laptops and tablets.
This resulted in businesses adopting a bring-your-own-device (BOYD) policy for everyone else in order to ensure minimal disruption to operations. Personal devices may not have the level of security that company-issued ones possess. There is the risk of malware finding its way into the company’s network and servers through email attachments and malicious links.
But even where employees are issued with company devices for home use, there is the risk of such devices being employed for personal use. This increases the risk of malware infection.
To keep these risks at a minimum, businesses must ensure any device, whether personal- or business-owned connecting to the company’s network meets a certain minimum level of protection. They must also remind employees that they have to exercise responsible use when on the company network irrespective of whether it is via a personal- or business-owned gadget.
4. Stressed or anxious employees
The COVID-19 pandemic precipitated one of the largest waves of job losses in modern history. Unemployment in the United States soared to over 15 percent, rendering millions jobless in a matter of weeks. A similar scenario played out in the European Union and other parts of the world.
Such economic upheaval raised stress and anxiety among employees as they worried about their employment stability, career trajectory, and financial future. It didn’t help that the cost of treating a severe COVID-19 infection could wipe out the years-long savings of many workers.
During the COVID-19 pandemic, stressed employees are a cybersecurity risk. They can be lured by cybercriminals into handing over corporate data. They may be tempted to commit fraud themselves as a means of getting a financial windfall just in case they lose their jobs in the future. Since they are out of sight, it may not always be apparent to managers that a particular employee is battling anxiety.
Organizations have to maintain open lines of communication with staff to pick any early signs of stress and take appropriate remedial action before this becomes a conduit for data or financial loss.
5. Loss of confidentiality
Our loved ones are privy to some of our deepest personal secrets. That does not mean, though, that they should know the confidential information you are entrusted with at work. Unfortunately, with remote work, organizations no longer have control over the physical space their staff are in. It is possible that an employee could be working in a room where they are regularly interrupted or surrounded by their partners, children, friends, and acquaintances. It is in this environment that sensitive data could make its way into the wrong hands.
Often, the person seeing the confidential information does not necessarily have ill intent. However, they may accidentally mention it to a third party who would then employ the information for nefarious purposes. Even when it is not used for fraud or industrial espionage, the data leak may simply be a cause of embarrassment for the affected customer or party. It may also be a violation of privacy laws.
Staff must be encouraged to adopt good privacy practices like working from separate rooms, using privacy screens, wearing headsets, and avoiding the display of confidential information on their screen.
Cybersecurity in the age of COVID-19
COVID-19 has changed the world forever, and cybersecurity is no exception. Cybersecurity systems and technical controls are critical but not the only key toward ensuring adequate protection of customer data. Organizations must strive to empower their workers but work within a Zero Trust model that interrogates connections, requests, and transactions for authenticity.
Featured image: Shutterstock