Editor’s note: This is a guest post by Brian Von Kraus, CEO and Founder of FireWatch Solutions.
COVID-19 was declared a national emergency in March 2020 and federal agencies were required to begin utilizing telework whenever possible. Many private organizations followed suit and transitioned to a telework model completely or reduced the number of employees working in their offices. As a result, the use of online communication platforms, cloud computing, and video conferencing increased dramatically.
Credit: New York Times, Ella Koeze and Nathaniel Popper, April 7, 2020
For those organizations that transitioned to remote work environments, a new challenge presented itself: employees were now accessing company information across unsecured internet channels, sharing potentially sensitive data over video, email, messaging (e.g., Gchat, Slack, etc.), text, or voice. The risk of exposure to various cyber attacks increased exponentially and security managers had to quickly adapt policies and expand their protective efforts to ensure their protocols, procedures, and systems covered an entire staff of teleworkers.
Human factors became the biggest liability, as compliance to cybersecurity protocols was much harder to supervise and monitor in the remote working environment.
The organizations that effectively navigated the initial COVID-19 challenge of switching to remote work did so through a combination of technological solutions, innovative protocols, monitoring tools, and proactive leadership.
The new cybersecurity risks inherent in the remote work environment are varied and evolving. Many firms couldn’t afford to equip every employee with a company computer, so a lot of employees had to transition to using personal computers. Much of the cybersecurity work that occurred, often unnoticed, behind the scenes in a traditional office by the majority of the staff now had to be adapted to telework, and a lot of the measures had to be shifted to employees and away from the IT staff.
For example, employees now had to ensure all their software and patches were up to date, including non-company related software that might create vulnerabilities bleeding over to company data. Password managers had to be used and continually updated according to company policies. Employees had to adapt their communication with other employees to unsecured channels, like social media.
Data storage was another issue: if an organization used cloud storage, many employees synced their files to their home computer to make them easier to locate and use, which created a risk of data loss, theft, or exposure to ransomware. Targeted phishing attacks that provided fake COVID-19 resources often drew employees into malware-laden sites.
Various actors ranging from individual hackers, criminal organizations, rival companies, and state actors all contributed to the cyber risk profile. Industrial espionage through electronic communication or targeting newly unemployed people also increased to take advantage of the COVID-19 churn. A few industries that were specifically targeted include:
Source: Stratfor, Scott Stewart 14 April 2020
One incredibly common concern was with video teleconferencing, specifically with Zoom and some security issues they experienced early on in the COVID-19 pandemic. Hackers were intruding on video meetings and gaining access to the teleconference platform to steal video logs or transcripts.
Ultimately, we may never know just how big of an issue this was early on in the pandemic; reports on cyber incidents may be skewed, as many organizations sought to minimize news of cyber attacks to preserve their reputation and brand strength.
Cybersecurity Measures For Secure Remote Work
All of this led most organizations to face one of two challenges: adapting and expanding their existing protocols to a remote work environment or creating a new cybersecurity policy from scratch to address the increased risk.
The companies with existing compliance standards were in the best position to adapt or build their cybersecurity program. The companies already compliant in NIST, SOC 2, ISO 27001, and other structured regulatory frameworks were able to use them as a guideline to steer their security efforts and ultimately faced fewer risks than the businesses that had not adopted any kind of compliance program.
On the other hand, a company starting from scratch may not have the capacity to adhere completely to these standards or adapt them to the unique situation businesses find themselves in today.
Leadership teams can use them as a framework to prioritize resource allocation and to develop viable protocols. Adherence to formalized information security standards created by organizations like NIST and ISO ensures an effective remote work environment that protects sensitive information of both employees and the organization. If your organization is struggling to keep your data safe during this pandemic, you may want to consider how you can be more prepared for an event like this in the future.
The biggest challenge in a remote work environment is compliance. Information security requirements are often cumbersome, and that burden is magnified in a remote work environment with employees working from personal laptops and/or mobile devices, especially if they are at home with their spouse, children, or sick relatives that they’re responsible for caring for.
Tools such as Hyperproof can help you streamline your company’s efforts to monitor compliance, expend less energy and fewer resources on compliance management, and reallocate that bandwidth to leadership during times like these.
The new remote work environment presents many challenges to a company’s information security program. However, by using the right technology to protect and manage information security protocols, and by adhering to cybersecurity procedures, your company can effectively navigate the unique risk landscape created by the COVID-19 pandemic. The organizations that most effectively navigated this difficult situation recognized the critical importance of the human factors of leadership.
Brian von Kraus is the CEO and founder of FireWatch Solutions, a company that provides security support services to the non-profit sector. Brian served for 15 years in the Marine Corps in various infantry, reconnaissance, and special operations billets. He conducted multiple deployments to include several combat tours to Iraq and Afghanistan. He served as a platoon commander, company commander, officer in charge of the Special Training Branch, and battalion operations officer.
After retiring in 2015, he worked as the Security Director for Nuru International, a non-profit organization dedicated to ending extreme poverty in remote, rural communities in Africa. He helped the firm protect its projects in Kenya and Ethiopia and develop a new project in the conflict region of northeast Nigeria. While at Nuru, he saw a greater need for security support to the non-profit sector and started his own company, FireWatch Solutions to “protect those who do good.” His work has continually brought him to many regions in Africa. FireWatch provides bespoke security services to clients working in high-risk regions of the world.
Brian received a BA in Philosophy from Boston College, an MBA from UCLA Anderson, and is currently enrolled in a Masters of Information and Cybersecurity program at UC Berkeley.