Managing Risk in a Pandemic: Novel Today, Standard Practices Tomorrow

Author: Baan Alsinawi, founder and managing director for TalaTek, an integrated risk management firm in Northern Virginia
Date Published: 12 May 2020

COVID-19, a novel coronavirus, has come as a shock to many across the globe, changing practically every aspect of our functioning daily lives.

On top of rapidly changing business conditions, executives also need to consider how to manage cyber risk caused by the following situations:

  • Lack of a secure virtual private network (VPN) that employees can log into so they can access corporate email and data. And even if the company has one, it may not be designed to scale for all employees.
  • Absence of secure company equipment that employees can use to work from home. As a result, they may end up using unprotected home computers, possibly shared with their children and other family members, to conduct business, introducing risk to the whole corporate network.
  • A lack of relevant policies and/or procedures outlining how to protect emails, discs and other storage devices, whether at rest or in transit through encryption.
  • Inadequate or nonexistent social engineering training that alerts staff to the dangers of phishing emails with embedded links or attachments carrying malware, viruses or other means by which hackers can gain access to company networks.
  • Holding conference calls and virtual meetings that reuse access codes, with employees logging in while on nonsecure connections.
  • Nonsecure remote access methods that expose corporate data to additional risks.

This state of confusion is the perfect breeding ground for bad actors to take advantage of weaknesses and find opportunities to launch attacks against unprotected networks and data systems.

Corporate leaders should act now to keep company data safe and educate their staff during this crisis. They also should focus on making long-term plans for data protection and remote work requirements for their employees under current and future circumstances.

For a reliable source of guidance on these matters, TalaTek points to the following National Institute of Standards and Technology (NIST) special publications:

In summary, NIST cybersecurity experts recommend these teleworking security tips:

  • Establish teleworking policies and educate staff about following them.
  • Protect your computer communications from eavesdropping. If you use WiFi, set up your network securely. Specifically look to see if it is using “WPA2” or “WPA3” security and create a hard-to-guess password.
  • If your organization has a VPN (virtual private network), use that on your telework device for stronger protection. If not, consider using your own VPN—you can find numerous providers online.
  • If you’re using your own computer or mobile device (something not issued by your organization) for telework, make sure you’ve enabled basic security features, such as encryption, a PIN, and fingerprint or facial ID feature.
  • Keep your computers and mobile devices patched and updated. Most provide an option to check and install updates automatically. Enabling that option can be a good idea if you don’t want to check for updates periodically.
  • If you’re seeing unusual or suspicious activity on your computer, mobile device, or home network, report it to your organization’s help desk or security operations center.
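The "check whether your WiFi is using WPA2 or WPA3" tip above can be turned into a quick self-check on a Linux laptop. The script below is an added example, not code from TalaTek, NIST or ISACA: it parses the terse output of NetworkManager's `nmcli -t -f SSID,SECURITY dev wifi` (assumed to be colon-separated with literal colons in an SSID escaped as `\:`) and flags every visible network that is open, WEP/WPA1-only, or running in mixed WPA1/WPA2 mode. The sample output embedded in the script is constructed, not a real scan; `scan_live()` runs the real command if `nmcli` is installed.

```python
"""Flag Wi-Fi networks that are not protected by WPA2/WPA3.

Added example: parses `nmcli -t -f SSID,SECURITY dev wifi` (NetworkManager, Linux).
"""
import subprocess
from typing import Dict, List

# Constructed sample of terse nmcli output (not a real capture). Assumption: fields are
# ':'-separated and a literal ':' inside the SSID is escaped as '\:'.
SAMPLE_NMCLI_OUTPUT = """\
HomeNet:WPA2
HomeNet-5G:WPA2 WPA3
CoffeeShop:
OldRouter:WEP
Office:WPA2 802.1X
Cafe\\:Guest:WPA1
Neighbor:WPA1 WPA2
"""

STRONG = {"WPA2", "WPA3"}   # acceptable per the NIST tip
WEAK = {"WEP", "WPA1"}      # broken (WEP) or deprecated (WPA1/TKIP)


def classify_security(security: str) -> str:
    """Map an nmcli SECURITY field to 'ok', 'mixed', 'weak', 'open' or 'unknown'."""
    tokens = set(security.split())
    if not tokens:
        return "open"       # no encryption at all
    has_strong = bool(tokens & STRONG)
    has_weak = bool(tokens & WEAK)
    if has_strong and has_weak:
        return "mixed"      # WPA2 available, but WPA1/TKIP still enabled on the AP
    if has_strong:
        return "ok"         # WPA2 or WPA3 (802.1X enterprise mode also counts)
    if has_weak:
        return "weak"       # WEP or WPA1 only
    return "unknown"


def parse_nmcli(output: str) -> Dict[str, str]:
    """Return {ssid: security_field} from terse nmcli output."""
    networks: Dict[str, str] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        # The SECURITY field never contains ':', so split on the last ':' and
        # un-escape any '\:' that nmcli put into the SSID.
        ssid_escaped, _, security = line.rpartition(":")
        networks[ssid_escaped.replace("\\:", ":")] = security.strip()
    return networks


def audit(output: str) -> Dict[str, str]:
    """Verdict per SSID for a block of nmcli output."""
    return {ssid: classify_security(sec) for ssid, sec in parse_nmcli(output).items()}


def networks_to_fix(output: str) -> List[str]:
    """SSIDs whose configuration should be changed before teleworking over them."""
    return sorted(s for s, v in audit(output).items() if v in ("open", "weak", "mixed"))


def scan_live() -> Dict[str, str]:
    """Run nmcli on this machine and audit what it sees (requires NetworkManager)."""
    proc = subprocess.run(
        ["nmcli", "-t", "-f", "SSID,SECURITY", "dev", "wifi"],
        capture_output=True, text=True, check=True,
    )
    return audit(proc.stdout)


if __name__ == "__main__":
    for ssid, verdict in audit(SAMPLE_NMCLI_OUTPUT).items():
        print(f"{ssid:20s} {verdict}")
    print("fix first:", networks_to_fix(SAMPLE_NMCLI_OUTPUT))
```

A "mixed" verdict is worth acting on even though WPA2 is offered: the router's WPA1/TKIP fallback should be disabled so that the home network only accepts WPA2 or WPA3 clients.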

Videoconferencing tools are also receiving tremendous attention. Be sure to follow the best ways to manage a secure virtual meeting:

  • Establish corporate policies for virtual meeting security and educate staff about following them.
  • Limit reuse of access codes, as you’ve probably shared them with former employees or past clients, to prevent uninvited eavesdroppers.
  • For sensitive topics, use one-time PINs or meeting identifier codes, and consider multi-factor authentication for staff to use when they log in.
  • Use a waiting room for participants who log in before a meeting starts, and only allow the host to start a meeting.
  • Use a tone when attendees log in and ask new attendees to identify themselves.
  • If available, use a dashboard to monitor attendees, and identify all generic attendees.
  • Don’t record the meeting unless it’s necessary.
  • If it’s a web meeting (with video), remind participants not to share sensitive information.

The upside to today’s work situation? Corporate leaders can use this current crisis as an opportunity to re-evaluate their risk management policies and procedures for a remote workforce. What’s novel today is likely to be standard tomorrow.

Editor’s note: For more resources from ISACA related to the COVID-19 pandemic, visit our Navigating COVID-19 page.