As we make adjustments to flatten the curve and slow the spread of COVID-19, we’re changing our behaviors in the workplace. We’re all washing our hands more frequently. We’re practicing social distancing. As much as we can, we’re working from home.
Our responses to COVID-19 are important, but how do our changed behaviors affect security at work? What security issues or problems can result from our behaviors regarding COVID-19 (or any pandemic)? As we try to protect our people, how do we plan for security issues?
COVID-19 is a “novel” virus, meaning that it is a virus not seen before. However, it does not have to be a “novel” security problem. What resources do we already have in place for this situation? What plans, policies, and procedures can we adapt from the responses to other security issues?
Bring Your Own Device (BYOD)
Opportunities to work differently are in everyone’s back pocket. With smart phones, tablets, and laptops, today’s employees can work many more places than just their desks.
Some of us are fortunate enough to be able to work from home, even if in a limited capacity. When that work occurs on personal devices, how can it affect the security of company electronic data?
- Employees may not have effective antivirus software, firewalls, or other specialized security software installed on their devices.
- Employees often work at outside Wi-Fi locations that are not secure and are vulnerable to attack by others.
- Devices used by employees can be stolen, lost, or damaged.
- Employees may be using certain software systems that are not compatible.
- Employees can take pictures or videos of information that may be proprietary to the company.
- It is harder to protect sensitive data on a personal device. Who else has access to the device and protected data?
What parts of your security program require active participation by a person? What systems or technologies require active monitoring or constant maintenance? How will those processes be affected if security staff are not available due to illness or quarantine?
Because of COVID-19, some security personnel may have difficulty in reporting for duty. Businesses need to take into account that some employees are not going to do their jobs. It happens in public safety, military, and other essential service areas when the person is no longer able to function as trained. They may freeze up, refuse to act, perform incompetently, or act in total disregard of the processes and procedures in place.
From a security perspective, it may involve the guard force or other staff designated with security tasks. They may opt not to investigate a suspicious person and risk close physical contact. They may ignore an alarm because it’s just not worth it to them. Despite being highly trained and equipped with personal protective equipment (PPE), it will happen.
We see this in hurricanes, snowstorms, and other weather-related emergencies. Although not the same, some of the core principles and planning activities may be useful. Read more about standing alone here.
Phishing scams are already commonplace and cost billions of dollars in losses annually. With more employees working remotely, companies should remind employees to be even more vigilant when responding to “urgent” requests that appear to come from a co-worker.
One simple strategy is to remember “when in doubt, pick up the phone and call the sender of the email.” With that said, do employees even know how to reach the appropriate people from home? If it is an executive, the answer is probably “No.” In short, if you receive unsolicited emails or text messages asking for you to send money, click on a link, enter your account credentials or provide any personal information, ignore it, pick up the phone, and call.
As security professionals, we often receive quite a few “warnings”, cautionary tales, or similar information via email. Other than emails about COVID-19, subjects have included information about cell phones, warnings about dangerous household products, stories about terrorist activities, and scams involving money. Any email that states “forward this to everyone you know” should be more closely evaluated.
Before forwarding the email, check the validity of the story. In this case, the Centers for Disease Control and Prevention and the World Health Organization are probably the two more reputable sources.
When this incident passes and life returns to normal, use what you’ve learned to better prepare for the next time. What worked well? What didn’t work? How can we improve? What have we learned? Once you have that, capture it. Write it down and get buy-in from stakeholders. Memories are short. If we don’t quickly use the lessons learned to better protect our most valuable assets, then it wouldn’t be the first time that history repeated itself.