The Challenge of Pandemics and Information Security

The Coronavirus (COVID-19) outbreak has transformed organizations large and small in ways yet to be fully realized.  It has created challenges that many have not prepared for in both government and private organizations.  Beyond the huge financial burden of the economic shutdown, the impact of rapidly deploying and supporting an organization-wide remote workforce to the security of Information Technology is huge.

Business Continuity

If your organization had previously worked through a comprehensive Business Continuity Plan (BCP) and were practiced and prepared, your jobs were a bit easier in these last few weeks.  Adoption of cloud-based platforms for operational computing and support of a mobile workforce using laptops and other supported devices also aids in rapid deployment of their BCP.  However, if you are like most organizations that had not prepared, it has been a mad scramble to implement systems and solutions to support the majority of the company workforce working remotely. 

Groups that were not prepared had to deal with how to provide access to the corporate information resources for employees who do not typically work remotely.  Those users most likely had desktop computers at the office and don’t have access to nor were setup for mobile devices. Companies scrambling to prepare may have inadvertently put themselves at risk.

Did your company:

• Have the physical resources on hand to deploy a secure corporate endpoint for your users to use?
• Allow remote users access in a secure manner?
• Make rapid changes to your security systems and sacrifice exposing your information systems to unwanted access?
• Setup multi-factor authentication (MFA) for remote access to your network from the outside?
• Allow remote users access to your network using their personal devices that are potentially insecure or already compromised?

These are just a few of the many issues that needed to be addressed by IT and IS staffs during this unprecedented shutdown of physical facilities practically world-wide.  Doing any of them in an ad-hoc manner exposes the company to much higher risks of breach.  These are going to be tough financial times in which there will be organizations that may not survive.  Companies without a tested BCP in this current climate are at risk of a breach, exposure of corporate data, and unintended access to internal systems, which will certainly make the ability to survive even tougher.

Business Continuity Steps You Can Take Now

Here are some current things that should be done now while we are in this state of flux:

• PRIORITY #1: Backup your systems and ensure they are current, and that backup files are isolated from your production network.
• Ensure all endpoints have current protections in place and are active.
• Make sure endpoints and server Operating Systems are patched and up to date.
• Train or reinforce your employees on safe computing practices. 
  • Note: There is a huge rise in phishing emails using the COVID-19 Virus as a lure, as well as compromised websites that are touting the latest information on COVID-19, such as maps and statistics.
  • Make sure their networks, in particular WiFi routers, are secure using strong passwords and secure WPA2 protocols, and routers are not using default passwords.
  • Highly discourage use of public WiFi system.
• Monitor your network closely for any malicious activities.
• Do not expose direct access to RDP or other insecure remote access applications to the Internet directly.
• Make sure users connect to the network from a secure connection with a multi-factor authentication.
• Make regular communications available to the remote workforce on status of the company and its resources and reinforce safe computing practices.

After the dust settles, if you don’t have a formalized Business Continuity Plan, use the lessons learned from this pandemic to build your Business Continuity Plan.  There are many reasons that a good BCP is needed.  From a facilities standpoint, your building(s) may become unavailable due to a pandemic (who would have thought?), civil strife, martial law, natural disasters, fire, or other reasons.  All situations should be considered and evaluated for the risk of the organization.

Most importantly, once you have your BCP, test it regularly in tabletop exercises to review the effectiveness and increase your preparedness for when a situation occurs.

The COVID-19 pandemic is one of the toughest scenarios conceivable as the scale of the impact is unprecedented and hopefully another to this scale will not happen for a very long time.  Hoping everyone is safe and healthy foremost, but also that recovery is quick.

Be safe and stay healthy!

If you’d like more information or to discuss your organization’s Business Continuity Plan, please contact us at Connect@CompliancePoint.com.