In response to the COVID-19 pandemic, also known as coronavirus, many workforces are operating remotely to keep their employees safe.
However, an increase in people utilizing a work-from-home environment has led to a rise in cybersecurity risks.
Below is an overview of the risks your organization could face, in addition to action items and next steps to take.
Most enterprise IT networks were designed to be accessed from within the safety of the network, not from the internet. The adaptations most organizations have made, such as virtual private networks (VPNs), aren’t well-suited to long-term remote access by a large number of employees.
The record number of employees working remotely has led to an increased reliance on VPNs.
Many devices that normally wouldn’t leave the corporate environment are now more exposed to the internet, making it simpler for attackers to identify easy targets. Vulnerable systems that were already exposed but only lightly used are now used far more heavily, which makes them even more apparent as targets.
Business continuity and disaster recovery planning can be challenging and costly, but developing and testing plans prepares an organization for the intricate logistics that otherwise hamper responses to real-world emergencies. Organizations that haven’t regularly tested or practiced contingency operations are struggling to adapt to the large-scale disruption of COVID-19.
The likelihood of a malicious cyberattack during a major disruptive event is higher given both recent ransomware and distributed denial-of-service (DDoS) trends and the increased exposure of systems while employees work remotely.
The impact of an attack can also be greater because response and recovery time tends to lag when employees are scattered across multiple locations, and organizations are more reliant on IT systems when work is remote. Many organizations still depend on physical access to fix configuration issues, so quarantine or shelter-in-place policies that limit IT teams’ access to servers and network devices further delay incident response and troubleshooting efforts.
In terms of risk management, this means all factors of risk have risen:
- The likelihood of an attack increases because of the increased exposure of systems and devices.
- The impact of an attack increases due to the difficulty in maintaining operations and recovering under the combination of conditions.
- The value of the systems potentially impacted increases as they become central to all operations.
Types of Fraud Risk
The fear and concern about the pandemic and economic conditions could push people to turn toward any source of information to stay informed. This is actively being exploited by attackers.
Below are two common types of social engineering fraud that will likely increase during the COVID-19 pandemic.
While working remotely, your employees anticipate digital communications and instructions from decision makers. A scenario like the COVID-19 pandemic makes it less likely that people will recognize malicious attempts at manipulation because they’re already anticipating deviations from normal procedures.
For example, an employee could receive an email that appears to be from your organization’s CFO. During a time of crisis, the employee isn’t likely to identify the phishing attempt.
Instead, they’ll see the CFO’s name, read that payment needs to go to a new vendor as part of the organization’s continuity plan, and complete an unauthorized money transfer.
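As an added illustration, not part of the original advisory, here is a small Python triage check for the CFO-impersonation scenario above: it flags mail whose display name matches a known executive while the sender address or Reply-To is not that executive’s real mailbox, and notes payment or vendor-change wording. The executive list, organization domain and sample messages are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed placeholders for this example: executives likely to be
# impersonated (display name -> real mailbox) and wording typical of
# payment or vendor-change requests.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
PAYMENT_TERMS = ("wire", "payment", "new vendor", "bank details", "continuity plan")


def flag_exec_impersonation(raw_message: str) -> list[str]:
    """Return reasons an email looks like executive impersonation (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    name_key = from_name.strip().lower()
    if name_key in EXECUTIVES:
        # Display name matches an executive: the address must be their real one.
        if from_addr.lower() != EXECUTIVES[name_key]:
            reasons.append(f"display name '{from_name}' used with sender {from_addr}")
        # A Reply-To that silently redirects answers elsewhere is a classic sign.
        if reply_addr and reply_addr.lower() != from_addr.lower():
            reasons.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [term for term in PAYMENT_TERMS if term in text]
    # Only escalate wording when the sender already looks suspicious.
    if reasons and hits:
        reasons.append("payment or vendor-change wording: " + ", ".join(hits))
    return reasons


# Constructed sample: look-alike domain, redirected Reply-To, urgent payment request.
SAMPLE_PHISH = """From: Jane Doe <jane.doe@examp1e-mail.com>
Reply-To: Jane Doe <cfo.urgent@mailbox.invalid>
To: clerk@example.com
Subject: Urgent: continuity plan vendor payment

Please process the payment to our new vendor today as part of the continuity plan.
Bank details are attached. I am in meetings, so reply here.
"""

# Constructed sample: genuine executive mail with no payment request.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: clerk@example.com
Subject: Team agenda

Please see the attached agenda for Monday.
"""
```

Run it against a mailbox export to surface candidates for human review; it is a triage heuristic, not a replacement for the payment-approval process.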
System User Fraud
When you increase the use of your digital resources to interact with customers, other businesses, and third-party vendors, you create greater opportunity for attackers to impersonate system users.
Your employees may be focused on helping your customers during this unprecedented time and may be willing to overlook or bypass identity verification or authentication features. However, skilled attackers understand that most people want to help others and can exploit that courtesy. Kindness can be abused by these attackers in very subtle ways.
During the COVID-19 pandemic, more people may be inclined to trust cues from a caller’s surroundings. For example, customer service representatives who hear a distressed voice or a crying baby in the background might be willing to provide assistance without following all identity verification steps.
An employee’s innate willingness to help, the mandates of their position, the effects of remote work on business processes, and the emotional impact of the ongoing pandemic and economic disruption create a nexus for fraud. People are more willing to accept what they’re being told rather than to adhere to security policies and procedures.
It’s important to take action with all the parties interacting with your organization, including the following:
- Re-assess the risks of mobile financial services, internet banking, third-party service providers, and corporate account takeover, with special emphasis on identity validation procedures. The intent of this assessment should be to confirm whether the risk is effectively mitigated to an acceptable level.
- Educate employees on the increased risk and give them clear guidance on how to alert management to a suspected incident.
- Engage and educate customers on potential risks.
- Provide access to educational third-party resources to help employees and customers understand the risks to their account information and privacy.
- Engage IT and managed service providers to evaluate methods of identifying suspicious and malicious activity.
From a compliance and regulatory standpoint, your organization should consider the following:
- Document your updated risk assessment.
- Increase the frequency of internal audit checks.
- Consider shifting resources temporarily to validate the highest risk issues based on the updated risk assessment.
- Include key discussion points about cybersecurity in meeting minutes.
- Document the review and update of contingency plan items, such as funding sources and account takeover procedures.
In addition to the action items outlined above, there are steps each level of your organization can take.
Keep your organization informed of risk and fraud opportunities to create space to make decisions and help mitigate those outcomes.
Define Communication Channels
Clearly define primary and secondary channels of communication throughout your entire management structure. You want your employees to know the specific methods and people your organization will use to share information about COVID-19 and how your organization is responding.
Clearly defined communications channels could:
- Reduce the likelihood that an attacker successfully impersonates decision makers or injects themselves in the communication process
- Keep people informed and reduce the likelihood they’ll seek information or updates from disreputable or malicious sources
Provide Organizational Support
Keep in mind that employees likely face issues at home and are more distracted at this time. They’re less likely to recognize suspicious activity and less likely to engage with customers in ways that uphold the organization’s values and expectations.
Work with management, human resources (HR), and key team members with informal authority to identify and preclude issues with employees.
Employees who feel supported by the organization are more engaged, and engaged employees are more likely to support the organization’s interests and to recognize discrepancies and risks, such as phishing emails or suspicious activity.
Maintain Third-Party Relationships
Identify the critical points of contact for vendors and third-party relationships to facilitate communication channels and increase cooperative efforts to maintain security.
Then, work with management to closely monitor contract performance and adherence to mutually agreed upon terms, such as data security and breach notification conditions.
It’s key for managers to work and stay connected with their teams to manage technology risk. Managers should devote their resources and skills to the task of empowering their teams by:
- Creating decision space for executive decision makers
- Providing concise, accurate, relevant, and timely information to their teams
- Offering support where and when it’s needed
Engage and Communicate
Updates to teams should be given frequently to provide course corrections and guidance on:
- Changes to processes or procedures
- Instruction and communication delivery
- Scope of their decision-making and authority
Connect with team members one-on-one to emphasize communication channels, identify potential issues and concerns, and act as a facilitator between employees and the organization.
During uncertain times, many people will only open up about concerns and fears in a one-on-one setting. Connecting with people individually is critical to know how your team is doing in order to present a realistic, accurate picture to executives.
Collaborate with External Contacts
Establish touchpoints with:
- Key partners
- Other external contacts
These updates provide a recurring channel for any unexpected issues and questions and help serve as an effective method to manage expectations.
There are many steps each individual employee can take to protect themselves and the organization from cybersecurity risk:
- Be skeptical of emails, links, attachments, and unsolicited or unexpected phone calls.
- Don’t install unauthorized software or suspicious apps.
- Don’t click links in unexpected emails, text messages, or messages in other apps.
- Don’t allow others to use your corporate computer or accounts.
- Don’t permit unknown or insecure devices to connect to the same network—wireless or otherwise—as your corporate devices.
- Follow policy and process for validating customer identity.
- Don’t share or change information without approval.
- Don’t bypass policy or process.
We’re Here to Help
If you have any questions or concerns about cybersecurity risks, please reach out to your Moss Adams professional.
For regulatory updates, strategies to help cope with subsequent risk, and possible steps to bolster your workforce and organization, please see the following resources: