During the current pandemic, IT departments across businesses are facing completely new challenges, with entire workforces being sent home to work remotely. Companies must now maintain the security of their systems, software, and data outside the centralized, well-controlled corporate network, while also meeting data protection law requirements on appropriate technical and organisational cyber protections. Employees are using individual links to connect to networks, while IT departments struggle with rapid and unplanned scaling-up of infrastructure. 

New and untested features, along with suboptimal controls, are being used to ensure business operations. An understanding of the cyber risks inherent in the new network arrangements is still emerging. Suspicious cyber domains purportedly relating to COVID-19, selling fake cures or circulating malware, have proliferated at an alarming rate. 

Government entities and companies are now developing protective measures against these threats, involving new tools, awareness, and training. Companies are providing employees with laptops, mobile phones, and other necessary equipment to secure virtual-private-network (VPN) connections so that employees can work remotely securely. Employers also provide employees with an array of other technical features to secure their networks. This includes patch and configuration management for relevant systems, multifactor identification and secure-access management, on-premise application security for remote access, device virtualisation, capacity and security monitoring, and contingency resources (to limit the effects of failures and breakdowns).  

See also: How To Create A Sustainable Cybersecurity Culture

Employees should be in control and well-informed  

Employees need to be informed of the special technical features enabling secure remote operations and trained as needed in their use. The importance of security in working remotely needs to be stressed, while the VPN should be made mandatory. Employers must provide guidelines on a host of related topics, restricting the use of private devices, recommending particular software applications, supplying adequate password protection, as well as formulating instructions for protecting hardware and hard copies of documents. 

Education is of paramount necessity. Employees should be educated about the rising level of coronavirus-related cyber threats, including potential responses and incident handling. Employers should be working to ensure that risk-averse behaviour becomes the norm in these extra-normal times. Experience has shown that messages on data protection and compliance are best transmitted in ongoing communication efforts rather than in time-limited campaigns.

In general, employers are responsible for providing an adequate support environment, including training in potential security risks and the secure use of the new remote tools. Ready access to support channels should also be provided as needed. 

Equipment should be readily used + a help

Employees without an adequate technical setup at home will have to be provided with one. Those unfamiliar with working from home or communicating through video applications might require some basic guidance. Everyone will have to be made aware of what should happen in case of a breach, including reporting lines to use and actions to be taken. 

When a crisis arises, it will increase workloads on IT and cybersecurity departments. Companies might need to address capacity constraints in these areas and also introduce measures to safeguard the well-being of employees. One way to do this is to add specialists where needed or for specific high-demand periods. By reducing demand to sustainable levels, IT and cyber staffers will breathe easier and protect the organisation and its technology better. Most if not all regulators are aware of the strains that the COVID-19 crisis is putting on organisations. 

Conclusion: three productive actions  

Companies are making a number of adjustments to ensure a balanced approach to data privacy and health protection in the COVID-19 context. According to McKinsey report, these three actions will be most productive of deliberate decision making on data privacy and cybersecurity during the COVID-19 dislocations. 

• Include a data-privacy leader in the organisation’s COVID-19 response team to ensure early evaluation and discussion of possible measures affecting data privacy. This leader should also be charged with making any necessary tradeoffs between privacy and public-health needs, designing regional variations as required.
• Provide IT departments with the resources needed to support employees working securely from home. Likely companies will have to expand their network and video conferencing capacity with vendor-supplied services. These should match internal security standards without exceeding bandwidth limitations. 
• Establish dedicated support and training in risks and mitigating measures for remote working, including clear ongoing communications. This work should include focused efforts with appropriate vendors to find possible security gaps and to develop solutions for closing them. Taking these actions will help enable clear direction and guidance on health and privacy measures, and go a long way to stabilizing operations for the duration. 

Read also: Protecting Employees’ Data Privacy: Q&A with Thomas Matecki, Founder and CEO at Emotional Vector Analytics