Panic makes us vulnerable.
But as any cybersecurity professional will tell you, diligence starts with the recognition that we are always vulnerable. The important thing to recognize right now is that panic can cause us to relax our diligence and make poor decisions. Here are some key things to consider regarding cybersecurity during the COVID-19 pandemic or any other crisis.
You need to be aware of the threats, but I share this information not to cause panic, but to help you take a measured approach. Across the board, your response to the pandemic should be based on awareness, not fear. The need for diligence is heightened, so you should consider cybersecurity an essential service to your business. Even if you are downsizing in other areas, this is not the time to lay off cybersecurity talent. In fact, you may need to increase your cybersecurity team.
Cybercriminals know that when victims panic, the time is right to strike. In particular, many more people are working from home, and in most cases, their networking and log-in protocols were put together hastily. ZDNet.com reports that the use of remote access technologies (like virtual private networks, or VPNs) has increased by at least 33% since the outbreak. Those are good tools in the fight against cybercrime, but it begs the question: How many newly remote workers are not using them? Hackers are counting on the answer being "plenty."
At the end of this article are some best cybersecurity practices for responding to the pandemic, and the extent of the list makes it clear: You need a fully staffed and funded cybersecurity function. Before we get to the list, here are some important things to know about adding talent to your team.
You may think, "My competitors are laying cyber talent off, so hiring will be easier." However, the Rand Corporation report "Hackers Wanted: An Examination of the Cybersecurity Labor Market" cautions that hiring cyber talent at any time is challenging, and could become even more so as the market adjusts to "exogenous shocks." The report was written prior to the COVID-19 outbreak, but the pandemic certainly qualifies as a shock. It also states that the cost of hiring technical talent, such as cybersecurity professionals, is higher than the cost of hiring in other areas — in some cases as much as 12 times higher.
Using contract staff can be an attractive alternative for several reasons. The main one is that it is much faster and more flexible than traditional hiring. You could hire a contractor for a few months specifically to focus on your remote working protocols, but the model isn't just for crisis response. Contract staffing can help you ramp up a project in short order or secure specific skills. It also lets you "try before you buy" in a contract-to-hire arrangement. Economic turbulence allows you to negotiate rates and pick up some great talent for less than a traditional hire. If you decide to use contractors, work with a staffing consultant who has expertise in cybersecurity. They can help you find just what you need quickly and easily.
The following best practices are tailored to the current scenario, but most are applicable at any time.
• Ensure your entire system is protected, including points of integration with customers and providers. Supply chain networks, with multiple points of connection, are particularly vulnerable. According to ZDNet.com, the FBI recently issued an alert about the vulnerability of supply chain networks, and it sent the same message out in January, February and March of this year.
• Take time to train your people about cybersecurity while working remotely. It may seem daunting to roll out such a policy and train so many people in so short a time, but it is essential.
• Ensure remote workers use a VPN, and ensure that the VPN is regularly updated with the most current security patches.
• Assign remote workers company-provided computers. Using personal devices exposes employees' private, personal information and makes it easier for cybercriminals to match email addresses to passwords.
• Make sure login protocols include two-factor authentication. Yes, it takes another few seconds, but the benefit is significant.
• Encourage people to be on the alert for new scams related to the pandemic. Emails may contain links to malicious sites, pleas for donations to fake charities and tricks to get people to disclose sensitive information. And it's not just email. Texts can include malware, and social media posts and phone calls can be part of a scam. In an article with a wealth of resources for responding to COVID-19, the Cybersecurity and Infrastructure Security Agency (CISA) recommends avoiding clicking on any links or attachments in unsolicited emails and relying on trusted sources only.
With a highly interconnected society, we're all in this together. Like a virus, cybercrime can find one weak spot and rapidly impact many, many others. To stay safe, the smart move is to make sure you have the right cybersecurity talent and policies in place.
