Cybersecurity Threats Demand Companies Review Policies and Risk During Crisis

Cybersecurity is a daily concern for businesses of every size – but the wholesale shift to working from home because of the coronavirus will test how secure your company is, as well as the behavior of your newly remote employees, experts say.

Every institution that has people online to work right now needs to step up its security, review its policies with workers, check on its disaster-response plan and look ahead to what might be coming next as cyber criminals step up their games going forward, cybersecurity officials agree.

“This probably won’t be the last time this (kind of quarantine) happens and you need to be better prepared next time,” said Jeffrey A. May, an attorney who specializes in cybersecurity at Kerr, Russell and Weber PLC in Detroit.

Data collected from a variety of organizations shows just how much remote work has increased since Michigan and the rest of the nation began the “Stay Home, Stay Safe” and related programs. For example, NordVPN Teams found that working hours have gone up by an average of three hours a day, from 8 to 11 hours, and mass-remote working has pushed computer work up 94 percent among Americans as a whole.

All of this extra time at home and working remotely has had its positive sides, as more companies are likely to consider telecommuting for employees post-coronavirus quarantine. On the negative side, security breaches such as the ones during some Zoom meetings, where people busted into what the participants thought was a private online group, have caused alarm and rapid-fire fixes from the software companies.

“People tend not to use strong passwords. If a hacker is able to easily guess a password, they’re in. If people don’t have that second authentication, it’s that much easier for hackers to get in,” said Jessica Dore, principal in charge of technology risk management for Rehmann.

Disaster-response plans
Every business should have some sort of plan in place for cybersecurity. IT planners and lawyers knew this and most companies understood this, May said. Companies need to put better controls in place to avoid security risks. And no one can say they were shocked by the changes in remote work if they had a part of their security plan that considered what the business would do if its building were out of commission or destroyed – a common part of a cybersecurity risk or disaster-response plan, he noted.

“In the next few months, IT budgets for disaster planning will go up,” May predicted.

For the most part, the United States is better equipped technologically for a pandemic that sends us home to work than it would have been 25 years ago or even more recently, noted Dr. Marcus Rogers, professor and executive director of Cybersecurity Programs in the Computer & Information Technology department at Purdue Polytechnic, a part of Purdue University.

“We had dipped our toes into telecommuting, but never in this way,” Rogers said. “We’ve been pushed off of the end of the diving board and now we have to learn to swim.”

Cybersecurity starts with employee mindset, Rogers said. Your employees need to remember they are doing work that involves sensitive or secure documents, both physically and virtually. Having a security mindset will keep them from opening unsecure emails, wandering around cyberspace or failing to put security safeguards on their laptops or smartphones.

Employers should review their computer and security policies with workers to ensure everyone knows what they should be doing right now, especially as networks tighten back up and people are getting used to working from home. If your company doesn’t have such a document, you should check with a reputable source for a template, he suggested.

Close it down
Next, companies should go through and lock down where employees can roam virtually when they are inside your network. At first, IT might have opened up systems to get everyone online and working. But as life returns to this new normal, it’s time to review all of that access and update it.

“Does everyone need to be connected to certain systems, like databases and financials? You should lock down critical systems to only those who need them. It’s not sustainable long term to let everyone be a part of those systems,” Rogers said.

Employees working from home also need to put virus and other kinds of protection on their laptops and smartphones, especially if they use their personal devices to log into your computer network or check company email. That also is where they may use Zoom or Skype, so this is important because of the challenges some of these programs have experienced in the past month, Rogers said.

Another suggestion is to require multi-factor authentication for logging in, setting up tokens or one-time codes so there are layers to go through to get into your networks, Rogers said. Cybersecurity attacks have increased since COVID-19 sent everyone home, and these attackers are opportunistic. They’ll look for holes in smaller companies so they can go up the chain and attack larger ones. Everyone needs to get their heads back in the game now that some of the original chaos has settled.

Finally, back up your systems so the information you cannot live without is protected. But also increase your security on these important files – companies that get hacked may see criminals going for those backups to learn everything they need to learn to put your company out of business. That information needs to be protected just as much as everything else, Rogers said.

The bottom line? People become forgetful. Talk to your employees often and remind them to pay attention to your security and risk, Rogers and Dore said.

“Organizations need to be training employees on things to watch for, not clicking on links in emails. If you think you’re getting something suspicious, don’t click on it,” Dore said.