Remote working: How to ensure information security and IT continuity during COVID-19

The unscheduled and immediate mass transition to remote working as a result of COVID-19 has created new IT continuity and security challenges for organisations. Beyond the business uncertainties and rise in disinformation activities related to Coronavirus, new Information Security measures need to be taken by organisations to protect themselves against cybercriminals exploiting the new norms of remote working.

Phishing is on the increase

“These are challenging times for anybody responsible for information security and at an organisation. What was already a difficult job has been amplified, as criminals exploit the current situation on multiple levels,” says Karsberg. “More people working from home without the protection of corporate firewalls, for instance, has led to a dramatic increase in phishing emails – many of them playing on the insecurities we all face in light of the Coronavirus.”

“To reduce the risk, you should be on your guard if you receive mails from governmental bodies sharing links and downloads to ‘vital’ information, or from specialists offering advice on how to cure COVID-19. Employees of larger organisations are also being targeted with fake internal Coronavirus-related mails, so make sure to check sender addresses and content. Even if something appears to be sent from within your organisation, if it doesn’t sound like it is, report it. Above all, don’t download anything or share information if prompted in an email.”

Healthcare industry under attack

“Healthcare providers, drug manufacturers and even organisations like the World Health Organisation have all reported an increase in cyber-attacks,” says Wurtz. “If they weren’t busy enough fighting the Coronavirus, they also have to fight cybercrime. Some hospitals and medical research institutes around Europe have reported ransomware demands that have led to patient data being leaked and operations being cancelled. Furthermore, several hospitals in European epicentres of pandemic have warned staff to avoid opening suspicious mails as criminals attempt to destabilise IT systems – not what healthcare workers need to think about right now.”

Remote IT security

For organisations that have had remote working thrust upon them, with little or no time to prepare, the situation right now can seem very daunting. Business continuity management has been top of mind with information security and IT-continuity being left to IT to ‘solve’, rather than being a strategic operations decision.

Broadband Infrastructure

“Many of our home markets have invested heavily in their broadband infrastructure, but there are still areas where users experience regular service interruptions,” continues Wurtz. “During peak times, such as at the start of an hour, when new remote video meetings begin, bottlenecks can occur. If you are lucky, this is the only time you experience reduced latency issues, if not, you may experience issues throughout an entire meeting. In countries that haven’t invested as much in their infrastructure, this problem is multiplied. This isn’t going to lead to a major incident, but it will result in inefficiencies.”

“Networks can also be impacted if providers are prioritising network capacity and resources to hospitals, emergency services and government agencies. And, if your entire neighbourhood is streaming films simultaneously, you may also encounter low latency.”

Securely managing data

“Securely connecting to an office network from a remote connection requires a VPN,” continues Karsberg. “If you don’t have a common VPN solution in place yet, it has to be highest priority for those accessing sensitive data. However, there is obviously a cost involved in doing this that may not have been budgeted for. Not a problem if 50 people need a VPN to access data, but if it’s 10,000 it’s a different story. In such a case you may want to assess who can access sensitive data for the coming months and the impact of limiting access. ”

“Such decisions need to be taken quickly to safeguard operations, which, for some organisations, means elevating information security and IT continuity and making them part of overall business continuity plans.”

Personnel dependency planning

Implementing these IT security measures assumes that IT personnel do not have to take leave of absence, through ill health, childcare or any other reason. As this scenario is likely to become a reality for organisations across the globe, a Business Impact Analysis should be carried out, looking potential consequences using different variables, e.g. 20- 40 percent absence of staff in the short and long-term (2 weeks/6 weeks).  This should enable organisations to identify the minimum levels of staffing needed to maintain critical activity service levels.

Regarding absence of key IT personnel, such as the CTO/CIO, it’s essential to examine whether dependencies are full or partial, i.e., does a single person or a few individuals have a specific competence? If not already done as part of the assessment, organisations should examine the consequences of the absence of each key individual from a short-term and long-term perspective.

Service continuity plans should be developed, which include assessing if staff can be moved within the organisation and if the competencies of key personnel can be transferred to other employees. If not, arrangements with staffing agencies should be reviewed. Much more information on staff continuity can be found in 4C’s article on critical dependencies during COVID-19.

We hope these resources will be helpful to you and your organisation. 4C Strategies is ready to assist with any queries or specific needs as the situation evolves. Continue below for an overview of our COVID-19 support and 4C’s collection of publicly available resources for the pandemic response.