This week, the World Health Organization called for "aggressive" action in Southeast Asia to combat the fast-spreading COVID-19 disease. As governments in the region impose measures like the closure of all business premises – other than those selling daily necessities or providing essential services like water and electricity – or issue advisories on social distancing measures at the workplace, we are experiencing a level of social and economic upheaval that is unprecedented in modern times.
Companies are facing sudden and profound challenges as they seek ways to quickly support nationwide directives for employees to vacate offices and work from home instead. For IT and HR teams of most organizations, maintaining cybersecurity in the face of this office exodus presents significant risks.
Challenges of implementing the work-from-home experiment
Globally, 50 percent of employees are telecommuting for at least half of the work week*. However, COVID-19 has prompted more – if not all – organizations to immediately embrace remote working arrangements. Apart from the pressure this puts on IT teams, network architectures and perhaps even equipment suppliers, there are real cybersecurity challenges organizations need to consider. HR’s expertise in engaging with employees and demonstrating the importance of protecting business-critical information is also crucial.
Here are six key factors that can help IT and HR implement remote worker cybersecurity:
- Making sure that the current cybersecurity policy incorporates remote working: Strong security policies may already exist, but it is important to review them and ensure that they are adequate as your organization transitions to having more people suddenly working from home than in the office. Security policies need to encompass remote working access management, the use of personal devices, and updated data privacy considerations for employee access to documents and other information. It is also essential to factor in an increase in the use of “shadow IT”. All of this should of course be included and communicated as a part of HR’s broader set of corporate procedures and guidelines for employees.
- Planning for a surge of BYOD (bring your own device) devices connecting to your organization: Employees working from home may use their personal laptops or smartphones to carry out their respective job functions, especially if the organization has a limited number of company-owned devices to issue on short notice. Personal devices will need to have the same level of security as a company-owned device. IT and HR must therefore consider the privacy implications of employee-owned devices connecting to a business network.
- Sensitive data being accessed via unsafe Wi-Fi networks: Employees working from home may access sensitive business data through home Wi-Fi networks that do not have the same level of cybersecurity controls that are being used in traditional offices. More connectivity will be happening from remote locations, which will require greater focus on data privacy, and proactively hunting for threat actor intrusions from a greater number of entry points.
- Cybersecurity hygiene and visibility more critical than ever before: It is not unusual for personal devices to have poor cybersecurity hygiene. When employees work from home, an organization can lose visibility over devices and how they have been configured, patched and even secured.
- Continued education is crucial, as coronavirus-themed cyber-attacks escalate: The WHO and the Cyber Security Agency of Singapore (CSA), for instance, have already warned about malicious cyber activities like phishing and scam campaigns leveraging the COVID-19 situation. Being best equipped to understand the people issues that inhibit effective organizational change, HR must step in and help IT facilitate continuous end-user education and communication. In addition, companies must ensure that remote workers can quickly contact IT for advice and consider employing more stringent email security measures.
- Crisis management and incident response plans must be executable by a remote workforce: A cyber incident that occurs when an organization is already operating outside of normal conditions has a greater potential to spiral out of control. Effective remote collaboration tools – including out-of-band conference bridges, messaging platforms and productivity applications – can allow a dispersed team to create a “virtual war room” from which to manage incident response efforts. If your organization’s plans rely on physical access or flying in technicians for specific tasks like replacing compromised machines, it may be prudent to explore alternate methods or locally based resources.
During this period, IT will no doubt be turning to scalable cloud-native security architecture and advanced endpoint protection solutions that can be deployed and operationalised with no boots on the ground, to facilitate the provision of computing resources that support more remote workers and managed threat hunting across every device. At CrowdStrike, we are doing our part to help organizations cope, by introducing two cost-free programs that address the challenges from a spike in the use of managed and unmanaged devices.
With that said, maintaining strong cybersecurity requires coordinated action across the three fronts of people, process, and technology. HR, in close collaboration with IT, can help employees – wherever they are – navigate technology and digest updated policies, thereby converting them into partners in securing the organization. The COVID-19 crisis is likely to be with us for a while, with companies and their employees being forced to make hard choices and adapt quickly. Enabling a remote workforce is one such decision, and while there are undoubtedly risks involved in accomplishing this at speed and scale, the security of the organization’s networks, devices and data should not be amongst them.
* International Workplace Group. The IWG Global Workspace Survey