The Coronavirus/COVID-19 pandemic is here; but let’s not lose sight of staying cybersafe.
By the time you finish reading this sentence, the news will have changed regarding the COVID-19 global pandemic. The spread and impact of this novel coronavirus has sent shockwaves through the world, and is likely affecting your business operations, as well.
To our valued customers: As the situation around the COVID-19 continues to evolve, at ISA, we have been closely monitoring the situation and making sure our security team is responding and continuing to support our customers’ businesses. We are collectively experiencing something that is unprecedented in the last 100 years of an industrialized society. However, the technological advances that have been made, allow all of us to combat situations like this. We have defined a COVID-19 BCP (business continuity plan) which, in concert with our cloud architecture, we believe will allow us to continue to provide the same level of service to our managed clients as they have come to expect.
To the greater community: ISA also cares about the greater community and have put together a “top seven” list of cybersecurity tips and resources to assist you and your organization during this challenging time.
- Phishing: Don’t believe for a moment that scammers are taking time off from their activities due to COVID-19. The World Health Organization (WHO), the Centre for Disease Control (CDC) and numerous government agencies have received reports of phishing emails purporting to have news updates, outbreak information, and health tips. Fake messages pretending to come from Bell and Virgin Mobile offering free additional data/services (or warnings about data overages) have spiked, hoping to capitalize on people doing more streaming while off work or in isolation (in fact, Rogers, Bell, and others have actually waived residential data overage fees during the crisis – check with your provider directly for specifics). Scammers love to launch phishing campaigns during high-stress times as they know people’s defences will be down. Take an extra moment before clicking that link or downloading that attachment – verify it’s from a trusted source, or move on.
- Spoofed Websites: Domain registrars have noted a rise in website name registrations containing “corona” and “COVID”, and fake news/health sites have been reported. These sites often mirror bona fide sites, but attempt to drop malware payloads on visitors or entice you to enter personal information. Take steps to ensure you’ve checked the validity of the website you are visiting by independently searching for references to the site, checking links on well-known and trusted news sites, etc.
- Remote Access: Where business operations and job functions allow, demand has never been higher for the ability to work remotely. As access requests come in, consider:
- a) Remote access licensing – you may have never faced this number of requests the same time. Do you have sufficient licensing, or have “burst licensing” arrangements with your cloud service provider?
- b) Remote system capacity – similarly, your remote access systems may be at maximum load – or beyond. Monitor performance and allocate resources where possible through cloud and virtualization software. For operations maintaining physical systems to support remote access, time-shifting or restricting applications to top priority users may provide a short-term measure of getting through these peaks.
- c) Authentication – by now, you should have two-factor or multi-factor authentication in place to secure connections to your systems. Particularly at times of higher volume and demand, anomalous connections to your network may slip through the cracks, so ensuring high security at the first point of connection is critical. No matter how you’re supporting remote access, be sure that monitoring and log review are in place in order to confirm system usage is appropriate and authorized.
- d) Endpoint security – your corporate policy on remote access should speak to the requirements for remote systems (whether they’re desktops or laptops, tablets or phones). VPN software is always recommended to help ensure that the connection between your remote worker and your data centre is encrypted and secure. Unmanaged devices can introduce a new crisis to your operation unless the risk is mitigated appropriately.
- e) Home offices – while your company’s “work-from-home” policy likely speaks to this issue, staff should be reminded to avoid storing corporate materials on home computers, and to never print confidential assets off-site unless secure shredding facilities are available. Staff should maintain a “clear desk policy” at home, and must be reminded to log out of their systems at the end of every work session, especially on home computers that may be shared by other family members.
- f) File-sharing – unless you have established a secure extranet or file-sharing service, staff may resort to using email or other “end runs” around document delivery that may create security concerns. Assess your capabilities in these areas, and communicate with staff about the appropriate way of exchanging files. Once the crisis is over, re-assess the effectiveness of your tools, and consider any changes in advance of the next incident.
- Business Continuity Plan: To what extent have you been following your corporate business continuity plan or incident management documentation? This is an opportunity to put your materials to the test to validate the currency and completeness of the instructions in the plan. Be sure to take notes and highlight areas where the plan could be improved, and be sure to follow up with any revisions to your continuity strategies. Treating this as a learning exercise is a way to find a silver lining in a difficult situation.
- Remote Coordination: Ad hoc teleconference services, screen sharing, and remote collaboration tools could be very important to maintaining operations for your business. Lots of “software-as-a-service” tools are available to allow users to connect even if they’re scattered geographically (e.g., Microsoft Teams, Skype, FaceTime, Slack or Zoom for collaboration and tele-conferencing). Understand and identify use cases, document pros and cons of solutions you are using now, and conduct a postmortem on communications once things have settled down. Remote broadcast applications are useful for getting standard news out to all staff from a single console; all managers should have their staff contact numbers (and vice versa) programmed into their phones or on regularly updated call sheets to ensure that one-to-one communication, at a minimum, can be made.
- Client/Staff Communications: The appropriate extent and frequency of communication with your customers and your staff is important to assess. Understand that everyone is under stress, and is looking for clear, timely, and reliable information. Web updates, social media feeds, and broadcast emails are all useful tools for getting the message out to people at a sensitive time. It’s effective to identify a specific individual or small team of personnel to handle communications. Non-authorized staff should be discouraged from making comments or observations (either officially or on their personal social media channels) in order to ensure consistent and accurate reporting.
- Trusted Resources: Finally, consult Health Canada or the Centre for Disease Control (CDC) for the latest updates on the pandemic. And Canadian law firm McInnes Cooper has published a helpful list of legal and HR-related FAQs.
COVID-19 is testing all of us. Maintaining calm, thinking of one another, and learning what we can from the incident as it unfolds is essential to help us get through the crisis as best as possible.