When the Spanish flu pandemic happened more than a hundred years ago, the modern concepts of computing and cyber-security didn’t exist.
Fast forward to today. The coronavirus pandemic has accelerated a remote working culture that started when high-speed internet became available at home and in coffee shops. It’s now obvious that many more jobs can be done remotely than previously thought. COVID-19 also accelerated distance learning and telehealth services. Compliance policies written for the workplace, the classroom, and the doctor’s office will need to be rewritten to reflect this new remote reality. What follows are five ways any organization can improve its cyber-security compliance.
1. Don’t take the bait
Phishing remains a popular—and effective—technique for attackers. It is an attempt to steal credentials and obtain sensitive information, often by an e-mail message containing a link to a seemingly legitimate Website. Phishing is the top threat action used in cyber-security breaches, according to Verizon’s 2020 Data Breach Investigations Report. To combat phishing, employees should know how official communications will be sent, treat unknown e-mails and links as suspicious, and have an easy way to alert their IT security team.
2. Improve cyber-security training
Most cyber-security training revolves around workplace use, with passing mention of security best practices while on business travel. Remote work opens the door to risks posed by unknown Wi-Fi networks, shared workspaces, wireless printers, and similar technologies not vetted by IT security. Cyber-security training should include best practices for remote work, covering: working environment, router security, use of a virtual private network (VPN), oversharing screens during online meetings, personal use of company computers, and IT support.
3. Secure collaboration tools
Collaboration tools, such as online meeting services, are now the norm for remote teams to communicate. Recent headlines have shown they can have security gaps if not configured properly. Meeting organizers should use built-in security features, such as waiting rooms, password protection, and other settings to control participants’ capabilities (e.g., printing, participant lists, document sharing, recording). Participants should not share meeting links publicly or with people who don’t have a need to know. Virtual meeting software should be regularly updated to the current version or have auto-update enabled. Finally, employees should only accept meeting invites from expected and trusted sources.
4. Embrace distance learning and telemedicine
Education and healthcare changed dramatically when millions of students across the country found themselves suddenly unable to go to school and millions of patients could not see their doctors or receive the healthcare they needed. Both schools and hospitals have been prime targets for ransomware—where cyber-attackers encrypt or lock down a victim’s files/networks and demand a ransom to restore access—a threat only enhanced by COVID-19. To combat this, schools and hospitals should update their cyber-security risk assessment to encompass distance learning and telemedicine tools, as well as provide enhanced cyber-security training for educators and healthcare professionals.
5. Adopt the NIST cyber-security framework
Improve cyber maturity by adopting the National Institutes of Standards and Technology (NIST) Cybersecurity Framework as a guide for building a strong cyber-security foundation. It provides exhaustive guidance around five steps, or functions—Identify, Protect, Detect, Respond & Recover—that could help transform an organization’s cyber-security risk management posture from reactive to proactive. Beyond a response to COVID-19, adopting the NIST Cybersecurity Framework will demonstrate to customers and regulators that an organization takes cyber-security seriously.
COVID-19 is a wake-up call to the world that economies must adapt quickly to survive and prosper. It brought into sharp relief our dependence on technology and its vulnerabilities. Continued vigilance is the ultimate lesson.
David Kessler is the Public Sector Counsel for Verizon, a well-known cyber-security thought leader and the recent recipient of Compliance Week’s “Excellence in Compliance: Cyber-Security” award for 2020.