With 42% of the workforce working remotely as of June 2020, the COVID-19 pandemic has transformed remote work from a trendy workplace perk into a necessary adjustment across many businesses. This fast migration of so many business models is both a technological and organizational triumph for many companies. However, because the shift to remote work was so rapid, bad actors are taking advantage of the resulting disruption with new attack vectors.
In fact, 80% of malicious campaigns are expressly leveraging a COVID-19 angle and are using social engineering in their attacks. This contextual approach to cybercrime increases the risk that organizations will experience an attack that causes financial harm, whether it’s business interruption, theft of intellectual property, or a data breach.
Understanding best practices for cybersecurity protection is essential as we move into 2021. That’s not always easy. Today’s cybersecurity vendor landscape is immense, confusing, and oversaturated. When we think of how to protect ourselves, it’s daunting.
Reducing this complexity to three essential steps allows you to enhance your company’s cybersecurity protection in the COVID-19 economy.
Step 1. Determine Your Company’s Exposure Landscape
While the threat landscape hasn’t changed during the pandemic, the exposure landscape certainly looks different. You can stay one step ahead by reviewing your business processes; if the pandemic has caused them to change, the cybersecurity methods you have implemented may no longer fit your organization’s needs.
Understanding your company’s unique exposure profile is an essential first step in determining your organization’s best cybersecurity methods. Ask yourself questions like these:
- What are my company’s operating hours? Are we only open a few hours a day or 24/7?
- Do we have healthcare records we need to protect? What about payment card records?
- Do we have intellectual property that’s at risk? If so, what’s the value of that intellectual property? Is that worth 1% of annual revenue? 5% of annual revenue?
Answering those questions lets you map the answers to known risk scenarios and threat categories, so you can see where the greatest risk of financial (or reputational!) damage to your company lies.
Step 2. Offer Protection Where It Matters
Adjusting to the COVID-based threats is essential now and in the future, particularly since 74% of companies plan to keep between 5% and 20% of their workforce remote after the pandemic.
Threat changes have been mostly contextual during the pandemic, with cybercriminals using social engineering as their attack vector. The same types of threats that targeted organizations in 2019 still threaten organizations in 2020. These include web application attacks, denial of service attacks, human error-based events, cyber espionage, and ransomware attacks. The most significant difference is that when you deploy remote workforce solutions, you introduce corporate assets into your employees’ home networks. Those home networks often have spotty, outdated, or inadequate protection.
Endpoint protection is essential in this context. As you expose your company’s cybersecurity ecosystem to all of those remote connections, securing those endpoints (including laptops and mobile devices) can help you keep bad actors at bay.
Step 3. Implement Security Awareness Training
The third and most potent step is implementing security awareness training. Since human error remains a top threat, training can reduce event probability on the front end and even the cost of an event on the back end if one does occur. It’s also relatively inexpensive.
In fact, 60% of the Top 10 threat categories are mitigated by security awareness training. How that training is implemented is just as important as the training itself. Security awareness training should be an ongoing process throughout the year. It also should be tailored to your organization rather than becoming just another box to check.
Following the National Institute of Standards and Technology (NIST) guidelines helps you develop a meaningful annual training program. Current NIST recommendations include:
- Password Security
- Safe Web Browsing
- Social Engineering
- Mobile Security
- Physical Security
- Removable Media
- Working Remotely
Months 10-12 (customer-defined courses):
- FAR & DFAR
- Advanced awareness topics
- Awareness refresher courses
Outsourcing is also an option. For example, TPx provides a security awareness training program that is affordable to all organizations, follows NIST guidelines, and runs throughout the year.
If you’d like information on our training program or assistance with any of your cybersecurity solutions, visit https://www.tpx.com/request-consultation or call 855-924-1393 to see how we can help.
Here are some additional resources you can use: