Where possible, they should confirm whether personal devices have adequate anti-malware capabilities installed and enabled. If not, they should work with the employee and their corporate endpoint protection platform vendor to ensure the device is protected as soon as possible.
Other mechanisms, such as software-token-based multifactor authentication, will also be useful to ensure only authorized personnel have access to corporate applications and information remotely.
On a strategic level, make sure someone from the security team is part of the crisis management working group to provide guidance on security concerns and business-risk-appropriate advice.
Focus Area 3: Reinforce the need for remote workers to remain vigilant to socially engineered attacks
The reality is that employees will have more distractions than usual, whether that means having kids at home, worrying about family or being concerned about their own health. They’re also operating in a different environment, and might not be as vigilant about security at a time when cybercriminals will exploit the chaos.
Make sure you reach out to senior leaders with examples of targeted phishing attacks, and alert employees to the escalating cyberthreat environment. Remind them that they must remain focused and hypervigilant to suspicious activities.
If appropriate, send out reminders every two weeks and remind them of the location of pertinent documents such as remote and mobile working policies, as well as where they can access security awareness training material if they want a refresher. Further, clearly communicate who to contact and what to do if employees suspect a cyberattack.
Focus Area 4: Ensure security monitoring capabilities are tuned to have visibility of the expanded operating environment
The sudden relocation of much of the workforce (including security and risk management teams) to remote locations creates the potential for cybersecurity teams to miss events.
Ensure that your monitoring tools and capabilities are providing maximum visibility. Check that internal security monitoring capabilities and log management rule sets enable full visibility. If using managed security services providers, check in to make sure they are adapting their monitoring and logs in a manner that makes sense for the new operating landscape.
Focus Area 5: Engage with security services vendors to evaluate impacts to the security supply chain
The changes in the security landscape won’t just come from your own organization. Be aware of what your partners and supply chain are actively doing with regard to security that will affect your organization.
Confirm how they will be securing collected data and information from the business. Remember that each of these organizations has its own people to worry about and its own business concerns. Ask questions about where third-party organizations might fail to deliver on promised security services.
Focus Area 6: Account for cyberphysical systems security challenges
COVID-19 is stressing many pieces of the economy, from hospitals and healthcare to delivery services and logistics. This extends cybersecurity concerns to cyberphysical challenges, especially given the increase in automated services and systems.
For example, a robot in a hospital will help reduce the human workload, but must also be deployed safely. In the legal world, firms are asking employees to disable smart speakers and voice assistants. Security and risk teams should focus on ensuring foundational CPS/OT security hygiene practices such as asset discovery and network segmentation, and evaluating the risk of fixing a vulnerability against the risk, likelihood and impact of an attack to prioritize scarce resource deployments.
Focus Area 7: Don’t forget employee information and privacy
Organizations may collect employee information that relates directly to the COVID-19 pandemic. For example, organizations might want to record when an employee visits a risk area or is home with an illness.
First, all this information is subject to laws and industry rules. Beyond that, organizations should seek to collect the least amount of information possible, ensure it is factual and store it in a secure manner. This information should be disclosed only when required by law and within the organization only on a need-to-know basis.