COVID-19 Toolbox Checkup: Meeting New Data Security Risks
The global pandemic has brought both tragedy and unprecedented change in our personal lives. But our professional lives have also been dramatically transformed. It’s as if we’re using an entirely new operating system. It’s called the remote workforce. And as if 2020 weren’t challenging enough, IT security managers are suffering their own pandemic symptoms—more headaches than ever as cybercriminals become even more inventive and our systems more vulnerable, due in part to the advent of the Work-From-Home phenomenon. According to research out of Stanford University, an extraordinary 42% of employees are now working from home full time. That number is unlikely to decrease. Coronavirus infection rates are surging nationwide. And employers are recognizing—and reaping—the financial benefits of remote business operations.
How are you meeting the data security demands of a profoundly altered business landscape? If you’re feeling like you’ve lost a degree of control, not only are you not alone, but your observation is right on target. The control IT security professionals have relinquished by force of circumstances is now in the hands of umpteen more employees. That creates a new world of imperatives, not the least of which is re-educating employees on best security practices for these radically different times.
Back to Basics #1: Sharing Devices
Everyone’s work-life balance has taken on a new meaning since the global pandemic drove so many workers out of the office and into their own kitchens, dens, and other makeshift at-home offices. It’s not just the workaholics among us anymore who have difficulty separating our personal and professional concerns. This is a simple but serious concern for IT security professionals. Some employers are taking advantage of the cost savings associated with allowing workers to use their personal devices to do their jobs without considering the security price. We hope your company isn’t one of them, but an estimated 56% of workers use personal devices for professional purposes at least some of the time.
But the problem isn’t as simple as equipping employees with company-owned devices. A ten-year-old may not register the difference between mom’s personal Dell and her work Dell. A parent’s computer is sometimes where kids connect to social media, do their homework, and nowadays attend remote classes. Children, sadly, are not fit to understand the seriousness of maintaining internet security. Even if you have equipped your remote workforce with enterprise-owned laptops and a VPN connection, it’s essential that children and employees understand the risks of sharing devices and that you regulate the personal use of any equipment you provide remote workers. Even the most conscientious employees may have unwittingly relaxed their standards as the line between home life and work life grows ever blurrier.
Back to Basics #2: Password Hygiene
According to Verizon’s 2019 Data Breach report, 80% of hacking-related breaches can be traced back to passwords. That number is virtually unchanged since 2017, despite the nation’s growing awareness of cybersecurity threats. Data demonstrates that poor habits around passwords are difficult to break.
It’s incumbent upon IT security leaders to lead the password protection charge. While many are using the best enterprise password managers available to generate and protect professional passwords, employees’ personal password hygiene can undermine those efforts. The coronavirus has put the kibosh on employee training programs across the board as employers grapple with what appear to be more pressing issues. But the costs of a data breach can devastate a business’s bottom line. Just ask Equifax, Yahoo, Target, and a host of other household-name companies. A refresher course on password hygiene may be in order for your company’s workforce. And because it’s always possible that an employee will use a personal device to do company business, employers may want to encourage—or even pay for—them to make use of personal data security products, from robust anti-virus software to identity theft protection.
You may want to retrain on other practices that enhance cybersecurity. Some of the simplest reminders you can offer include:
- Lock your device when you walk away from it
- Install new updates immediately
- Eschew downloads from unverified sources
- Learn to recognize phishing schemes and other scams—some newly invented to target the growing remote workforce
Call in the SWOT Team
The pandemic has been, for many IT security professionals, trial by fire. Faced suddenly with protecting a workforce from a deadly disease and, in many cases, mandatory building closures, few organizations had the time to plan strategically for managing a largely remote workforce. The time to act was now. But nine months into the crisis, we have a much better handle on what we’re facing. What’s more, all signs point to the current work-from-home trend becoming a permanent reality. It’s time to take a more considered approach and develop a long-term strategy.
SWOT analysis is a versatile and straightforward tool you’re probably familiar with. Pull it out of the box. Be honest and get granular. Look inward and outward. Need some inspiration? Here are just a few of the technology capabilities you should evaluate as you proceed with your analysis.
Your Primary Infrastructure
Does your current IT infrastructure make it easy to scale up? Your employees aren’t the only ones who may be straining your resources. Your customers are more likely to want to engage with you digitally now. It’s important to evaluate your communications platforms to be sure they’re capable of bearing the increased load, of course. But scaling up is one thing. Scaling up safely is another. What steps are you taking to ensure you’re not taking on greater risk along with greater customer contact?
Your E-Commerce Solution
Have you recently launched an e-commerce platform? The global pandemic has transformed thousands of businesses into online “retailers” for the first time. But accepting credit card payments comes with legal responsibilities. Make sure you’re aware of and complying with all of the Payment Card Industry (PCI) provisions that apply to your business. Regulations vary depending on the size of your business, but any business that accepts credit cards is subject to some standards. If, like many businesses, you’re suddenly processing more credit card payments than ever before, you may have stepped up a level and be expected to adhere to more rigorous data protection protocols.
Your Information Gateways
Under the new work-from-home norm, you’ve likely granted both general access and additional permissions to many employees. Are you providing them with remote access to your servers in the safest way possible? If you’re providing remote access to your employees through a basic virtual private network, IT security threats may be more serious than you think. VPNs are widely misunderstood and certainly not a panacea. It may be time to look at a more robust remote access solution to reduce your potential exposure to cross-site scripting, SQL injection, and DDoS attacks that can cripple your business.
Your Vendors and Affiliates
Are your technology partners actively supporting your cybersecurity goals? How have they upgraded their services to meet the new demands the pandemic has created for your business? Your internet service provider, your web hosting service, and any software-as-a-service (SaaS) products you use deserve scrutiny as part of this examination. Many businesses run on such products as Salesforce and Slack. Employees use them as automatically as they grab that first cup of coffee in the morning. Retraining employees on the safest ways to use these products is a good idea, too.
Your Tech Support Team
And you thought they were busy before? Suddenly they’re supporting an organization that’s operating in a whole new way. They have more installations to troubleshoot. More hands to hold as workers adapt to working at home. New applications to manage. Be sure you’re staffed adequately to meet the growing tech support needs of your workforce. You may need a few more shoulders to bear the burden.
Say It Loud, Clear, and Often
A strategy that remains the property of the management team that created it is bound to fail. Organizational leaders have a vital role to play in ensuring employee buy-in to any plan they formulate. Team members must understand the what’s-in-it-for-me reasoning behind your data security initiatives. They need specific directions on how they can—and must—contribute to strategic execution. Nowadays, while working from home, it’s not as easy to get everyone up to speed with changes as it once was in the office. Thankfully, with light research and some apps, you’ll find fun ways to show your team the importance of web security and do some team building as well.