Cybersecurity Risks During the COVID-19 Pandemic
Tuesday, April 21, 2020
The Patton Boggs law firm has offered the following guidance on measures that businesses can take to mitigate cybersecurity risks. Those include:
- Reminding employees that phishing attacks are rising rapidly; consider rolling out refresher training on how to detect phishing attacks and other forms of social engineering, and on the organization’s procedures for responding to and reporting them.
- Reminding employees of the requirements of your information security, data handling, BYOD (bring your own device), data classification, data destruction, and other relevant policies, and the types of information that they need to continue to safeguard even when working remotely. Sensitive information, such as personnel records and financial information, stored on or sent to or from remote devices should be subject to heightened safeguards, such as the encryption of data in transit and at rest on the device and on any removable media used by the device.
- Reminding employees (if applicable) that they are required to use the company’s virtual private network (VPN) when working and accessing company information to ensure that internet traffic is encrypted, especially if connected to a public Wi-Fi network. As more companies rely on VPNs, hackers are identifying and taking advantage of vulnerabilities. See the US Department of Homeland Security’s alert here.
- Reviewing incident response plans to ensure that the plan’s provisions are still practicable when the organization’s incident response team is working remotely. You should ensure that the protocols around incident response are clear, that incidents continue to be appropriately flagged and escalated, and that the incident response team can communicate effectively and efficiently. In order to do so, consider using communication channels that operate outside of regular company communication methods (so-called “off-band” communication methods). Such off-band channels should not, however, be specified in the incident response plan itself, in case cybercriminals obtain a copy of the plan.
- Of course, not all organizations will have adopted the types of dedicated policies and trainings referenced above. So this would be a good time for organizations to review the policies they have in place to determine whether they adequately address security requirements for remotely accessing company systems. If no such policies address this issue, then we highly encourage communicating to employees some basic guidelines for remotely accessing company systems and using personal devices for company business, even if not in the form of a formal policy.
- Ensuring that your organization has installed all relevant security patches. These patches address known security vulnerabilities, and failure to install them allows cybercriminals to exploit those vulnerabilities to gain access to company systems.
- If your organization hasn’t implemented multi-factor authentication, you should strongly consider doing so. Although this may be a larger IT project than is currently feasible, it will ensure greater security of the organization’s systems when implemented.