June 18, 2020
Securing Your Now-More-Virtual IT Environment
Whether your organization has long been working remotely, or you have transitioned to a virtual office environment as a result of the COVID-19 pandemic, you should evaluate your cybersecurity defenses and strategy to support the new work environment.
Most organizations have settled into a new routine. Some of these new routines are more painful than others, especially where some employees’ roles have expanded to cover what were previously several team members’ responsibilities, or where manual processes have required clunky workarounds.
Even for organizations with remote work capabilities established prior to the pandemic, the rush to move the entire workforce to remote work may have left room for items to be missed.
The focus was naturally on whether the solution worked, but is it secure? Was enough scrutiny put on the selection and configuration? Does the solution meet the organization’s stated security requirements?
We believe the following action plan should be considered to address your cybersecurity risks:
- Management should start with an analysis of what has changed since the transition to wide-scale remote work.
- A risk assessment and plan of action should then be established. This demonstrates due diligence by providing a clear record of when an issue was identified and showing that the organization did not defer taking action.
- A cybersecurity assessment will help identify those changes and potential gaps at each layer of defense. For example, most organizations assume an unsecured Wi-Fi connection, and a Virtual Private Network (VPN) with multifactor authentication is a common access strategy. A VPN establishes a secure, encrypted connection between your device and a private server; however, endpoint security is still a risk. Personal devices may be used and may not be updated with the latest security patches. Also, each member of a household may have multiple devices, gaming systems, smart speakers, etc., expanding the digital footprint. Phishing and ransomware attacks are on the rise, requiring preventative and detective controls.
- Policies and procedures should be reviewed to ensure they sufficiently address remote work, asset management, use of personal devices, authentication, encryption, data handling, privacy, and monitoring. Security awareness and training should also be updated to remind users of their responsibilities and tools available to them.
- Compliance with privacy laws, including HIPAA, should be evaluated in light of team members working from home in shared spaces, printing documents, collaborating with third parties, and discussing confidential information on calls. Sensitive data that is accessed and shared must be controlled and auditable. File download and sharing must be secured. Also, changes in third-party access controls and physical security should be assessed, including a detailed review of SOC reports for updates related to changes due to coronavirus impacts.
- Have business processes like accounts payable changed as a result of the new work locations? Some organizations had manual approval processes that now need to be performed electronically. What risks do these process changes introduce, and are they effectively mitigated?
- Now that Business Continuity and Disaster Recovery Plans have been exercised, organizations should perform post-mortem analysis to identify lessons learned, perform root cause analysis, and update their plans. Critical dependencies of personnel, third-party service providers, technology, and physical locations should be analyzed, along with the sufficiency of communication plans.
Just as we have settled into a new routine, states are starting to relax coronavirus restrictions. The question of when to reopen offices and how to do that safely is top of mind. Do people need to come back to the office? Do they want to, and are they able to return? The new normal will most likely be a hybrid approach. Management must be ready to support a remote team long term. Policies and procedures should be established to ensure security awareness and compliance. Management must be equipped with the tools to support monitoring and deliverable management to measure productivity, and also maintain the firm culture and employee morale during this stressful time.