During the current pandemic, IT departments across businesses are facing completely new challenges, with entire workforces being sent home to work remotely. Companies must now maintain the security of their systems, software, and data outside the centralized, well-controlled corporate network, while also meeting data protection law requirements on appropriate technical and organisational cyber protections. Employees are using individual links to connect to networks, while IT departments struggle with rapid and unplanned scaling-up of infrastructure.
New and untested features, along with suboptimal controls, are being used to ensure business operations. An understanding of the cyber risks inherent in the new network arrangements is still emerging. Suspicious cyber domains purportedly relating to COVID-19, selling fake cures or circulating malware, have proliferated at an alarming rate.
Government entities and companies are now developing protective measures against these threats, involving new tools, awareness, and training. Companies are providing employees with laptops, mobile phones, and other necessary equipment configured for secured virtual-private-network (VPN) connections, so that employees can work remotely without exposing corporate systems. Employers also provide an array of other technical controls to secure their networks. These include patch and configuration management for the relevant systems, multifactor authentication (MFA) and secure access management, on-premise application security for remote access, device virtualisation, capacity and security monitoring, and contingency resources (to limit the effects of failures and breakdowns).
Employees need to be informed of the technical features that enable secure remote operations and trained in their use as needed. The importance of security when working remotely needs to be stressed, and use of the VPN should be made mandatory. Employers must provide guidelines on a host of related topics: restricting the use of private devices, recommending particular software applications, requiring adequate password protection, and giving instructions for protecting hardware and hard copies of documents.
Education is of paramount necessity. Employees should be educated about the rising level of coronavirus-related cyber threats, including how to respond and how incidents are handled. Employers should work to ensure that risk-averse behaviour becomes the norm in these extraordinary times. Experience has shown that messages on data protection and compliance are best transmitted through ongoing communication efforts rather than time-limited campaigns.
In general, employers are responsible for providing an adequate support environment, including training in potential security risks and the secure use of the new remote tools. Ready access to support channels should also be provided as needed.
Employees without an adequate technical setup at home will have to be provided with one. Those unfamiliar with working from home or communicating through video applications might require some basic guidance. Everyone will have to be made aware of what should happen in case of a breach, including reporting lines to use and actions to be taken.
When a crisis arises, it increases the workload on IT and cybersecurity departments. Companies might need to address capacity constraints in these areas and also introduce measures to safeguard the well-being of employees. One way to do this is to add specialists where needed, or for specific high-demand periods. When demand is reduced to sustainable levels, IT and cyber staff will breathe easier and protect the organisation and its technology better. Most if not all regulators are aware of the strains that the COVID-19 crisis is putting on organisations.
Companies are making a number of adjustments to ensure a balanced approach to data privacy and health protection in the COVID-19 context. According to a McKinsey report, these three actions will best support deliberate decision making on data privacy and cybersecurity during the COVID-19 dislocations.