You have invoked your business continuity plan and it is working. Thanks to your IT team, your employees have the technology they need to work from home and to do it securely. You are tracking statements and guidance from key government resources. Your networks are segmented, your software is updated, and your systems are hardened.
But when it comes to mitigating cyber-risk, there is more to do. As the coronavirus (COVID-19) forces rapid changes in how we work, something that has not changed is that your biggest cyber-risks usually come from your people, not your technology.
While IT and business leadership take the lead on changing our idea of the workplace and ensuring business continuity, legal and compliance professionals can protect their companies by revisiting and reinforcing non-technical cyber-risk controls, starting with these steps.
Step One: Identify Key Existing Cyber-Risk Controls. To start, it is important to identify the handful of non-technical controls that are most important in mitigating the likeliest sources of cyber-risk.
Across industries and companies of different sizes, the most significant cyber-threats usually are (1) data breaches, (2) ransomware, and (3) business email compromise (or “BEC”) scams (which we discussed in a prior post here).
The most common root causes of each of these risks are a small number of predictable human errors: clicking malicious links in email or opening attachments with malware; failing to detect that a message is from a spoofed sender; improper disclosure of login credentials; and unwitting authorization of fraudulent wire transfers or other financial transactions.
Because companies use a variety of methods to address these risks, mapping your controls is a critical first step in making sure you are doing enough. For example, spoofed emails can be addressed through automated flags or checkboxes that highlight the external email address before an employee communicates with it. Malicious links and attachments may be mitigated through warnings and other signals that warn users each time they click an external link or open an attachment from an external source. Compromised login credentials may be mitigated through strict rules for the use and recovery of usernames and passwords. And unauthorized financial transfers may be mitigated through internal accounting controls that target these threats specifically, such as maker-checker, call-back, or other confirmation procedures.
Step Two: Assess How These Controls Function in Remote and Mobile Environments. Once you identify these controls, the next step is to confirm that they function properly when some or all of your personnel are working remotely or on mobile devices.
For example, do your flags and checkbox-based controls function as well outside the physical office environment? Do warnings about potentially malicious links and attachments appear on mobile devices (including phones and tablets), company-issued laptops, and home computers? Are username and password recovery procedures prepared for the likely spike in requests as the workforce transitions to telework and employees have to use remote access systems they might not use often? And, will financial or accounting controls—including call-back procedures and maker-checker transfer processes—function effectively even if your (or your counterparties’) personnel are not in their usual physical locations and are not answering the phones on their desks?
To the extent any day-to-day cyber-risk controls would not function well in a remote-work context, companies should carefully consider whether and how those controls should be modified based on practical necessity. As importantly, companies should take the time to generate contemporaneous documentation regarding the nature and expected duration of any changes or exceptions made.
Step Three: Reinforce The Importance of Cyber-Risk Controls and Company Cybersecurity Policies. Now that you have identified your key controls and confirmed (or taken the steps needed to ensure) they will work remotely, take the time to remind employees that those controls exist and that they must adhere to them.
Consider conducting targeted, supplemental employee cybersecurity training sessions to reinforce existing cyber-risk policies and procedures and to educate employees about any differences in the work-at-home environment. Companies can use the opportunity to remind employees that bad actors are very likely to exploit the intense public attention on the coronavirus and the markets to trick them into clicking on phishing emails that they might otherwise have detected. We already see news reports of coronavirus-themed phishing messages and malware or other attacks targeted at response efforts. If companies ensure that security protocols are not lost among the overwhelming news about the coronavirus and personal safety protocols, employees will be better equipped to identify risks and make appropriate decisions when faced with a potential cyber threat.
Because threat actors often rely on social engineering (meaning they rely on tricking or pressuring individuals to violate security controls), consider how best to emphasize the importance of strict adherence to cyber-risk controls. For instance, businesses may want to issue specific warnings to employees that malicious third parties may attempt to pose as senior authority figures at the company and try to convince them to sidestep technical controls. Companies should make clear that employees will not face negative consequences for adhering to company controls and procedures, and may face repercussions for failing to adhere to defined security protocols.
Because it is impossible to anticipate every threat or social engineering strategy, companies also may consider implementing a clear process for reporting any actual or suspected cybersecurity issues or concerns. For instance, it may be helpful to provide employees with a designated point of contact or email address to which any questions related to these issues should be directed.
By preparing your people—not just your IT systems—for cybersecurity risks, your company will be better able to ward off threats and remain secure in this time of uncertainty and change.