As businesses reopen their offices and factories after the COVID-19 restrictions are eased, office managers will focus immediately on many critical matters:
- Protecting the health and safety of their employees
- Resuming suspended corporate operations and practices
- Adopting new practices to respond to the new work environment
After the obvious immediacy of health, safety, and core day-to-day operational concerns, cybersecurity concerns may be among the second group of issues to be addressed in depth. The usual dynamic balance between IT operational priorities and cybersecurity safeguards may be tested in an already challenging and stressful environment.
Possible Cybersecurity Concerns during Return to Work
Initial cybersecurity concerns will relate to the reopening of shuttered offices and factories, and to the resumed use of dormant computers and industrial control systems. Other concerns may involve companies’ collection of additional personal health information as part of the effort to protect their employees’ wellbeing.
As many companies will have a divided workforce, with some employees back in the office and others still working remotely, there will be cybersecurity concerns associated with this division. Additionally, vendors and other business partners, as well as customers, may well be in the same position with partially remote workforces.
10 Cybersecurity Issues Prevalent during COVID-19
Here are 10 cybersecurity concerns that may arise as organizations adapt to new ways of working:
- To protect the safety of people on the premises, companies may collect additional health and medical information from each employee who plans to enter an office or factory. Such information may be subject to different legal requirements from the rest of the employee’s HR records. Companies failing to comply with these requirements could face regulatory investigations, substantial fines, and breach of privacy lawsuits.
- Office computer equipment may not have been regularly scanned for viruses, nor received all patches and updates necessary to eliminate cyber vulnerabilities discovered since offices were closed. Unpatched networks are prime targets for cyber thieves.
- Corporate VPNs may receive less attention than they did when all employees worked from home, but with many employees continuing to work remotely for a sustained period, it is important for companies to attend to the concerns raised by the Cybersecurity and Infrastructure Security Agency (CISA) in March 2020 [1].
- In order to smooth the return-to-work transition, companies may not adequately vet employees’ personal devices before allowing them onto the corporate network. These devices were used while offices were closed and may now contain viruses or unsafe programs.
- The very human desire to make things less difficult for employees struggling toward normalcy may lead to the relaxation -- or non-implementation -- of cyber risk management practices widely perceived as protective but annoying to employees and a hindrance to workflows. For example, in order to facilitate remote work, many companies have increased the number of Remote Desktop Protocol (RDP) ports that they keep open without making sure that their security settings are adequate, for instance by using multi-factor authentication and shutting down extra open ports when they can. RDP attacks have grown substantially since the widespread onset of remote working [2].
- Employees may send sensitive data to personal accounts on their home computers, as it is often easier to print documents on home printers from outside a corporate VPN.
- Employees may transfer work documents to unsecure USB thumb drives to facilitate occasional remote work.
- Employees still working remotely may take advantage of eased restrictions to work from coffee shops or other places with unsecured, public Wi-Fi.
- With some employees in information-sensitive departments (such as HR and finance) working at the office while others work remotely, there may be a greater risk of employees being victimized by phishing emails requesting sensitive information than when such requests would have been made face-to-face.
- There may be less consistent practices for dealing with vendors and other third parties that also have split home/remote workforces.
Adapting to COVID-19’s “New Normal”
At this point, the cyber insurance issues relating to the COVID-19 pandemic seem not to have changed from what we have noted earlier [3-5]. As businesses adapt their cybersecurity practices to address issues arising in connection with the return to work, they need to be alert to certain matters that could affect their insurance coverage.
For example, while few cyber insurance carriers require that an insured maintain a level of security at least as strong as what was described in the application for coverage, companies should check with their insurance brokers to make sure they don’t face that requirement. It will also be especially important in this environment for companies to ensure that all relevant stakeholders are appropriately involved in the cyber insurance process for both initial placements and renewals, as statements in the application regarding a company’s cybersecurity practices constitute representations that could compromise coverage if untrue when the policy period begins. Companies will also need to make sure that their public disclosures about their cybersecurity, whether on their websites or in SEC and other regulatory filings, are materially consistent with their practices.
Cybersecurity professionals are already accustomed to quickly adapting to cyber thieves’ changing methods. They can also now expect a sustained period of continuously adjusting their cybersecurity practices, and the balance between security and operational ease, to reflect the new ways that people will work. Talk to a Gallagher cyber specialist today, and learn more about how you can efficiently and effectively manage and transfer these increased risks.