Preventing and Responding to a Business Cybersecurity Incident

The following article was originally posted on the Applied Systems blog.

As businesses send their employees home to avoid contact with COVID-19 and telecommuting becomes a growing option, many organizations and information technology professionals are facing the challenge of securing vulnerable computers and networks from the very real threat of cybercrime.

The huge influx of people working at home has expanded the ways cybercriminals can be a threat. From phishing emails to insecure Wi-Fi connections, there has been an increase in the number of cyberscams and hacking attempts related to the coronavirus.

People who are working at home may be more likely to click on bogus links spread on social networks, cybersecurity experts say. And because they expect to get out-of-the-ordinary emails from their IT staff, they may be more likely to click on phishing messages.

Everyone needs to be diligent. Cybercrime is a serious problem for businesses and costs billions of dollars in damages annually.

Follow best practices

The National Institute of Standards and Technology (NIST), which provides guidelines and best practices for managing cybersecurity risks, calls for a common-sense approach to protecting against cybercrime. As a start, consider implementing these best practices in your operation:

• Use strong passwords for each of your accounts and change passwords regularly. Use two-factor authentication to augment your passwords.
• Install anti-virus software on devices and keep it updated. Download software updates and security patches so your computers and devices are current.
• Limit who has access to information and ensure that user accounts are updated as soon as employees leave your organization or change their job roles.
• Organize and secure your data by taking an inventory of all your digital and physical information. Where is it kept, and who has access to it? Is it connected to the internet? Create a plan for properly storing, segregating and disposing of data. Don’t keep any data that isn’t needed.
• Plan for the use of personal devices connecting to your business. Employees working from home may use personal devices to carry out business functions, especially if they cannot get access to a business-supplied device during the pandemic crisis. Personal devices will need to have the same level of security as a company-owned device, and you’ll also need to consider the privacy implications of employee-owned devices connecting to a business network.
• Train your employees on the types of suspicious activity to look for, how to protect your computers and network systems from intruders, and why they shouldn’t use your devices for personal use.
• Lock and secure your networks just as you do your premises. Keep critical systems separate. Segregate your less important systems so they can’t be used to access your key infrastructure.
• Back up data on a regular basis. Train your staff to back up files daily and to store the backup devices in a secure location.
• Protect your mobile devices and media by encrypting confidential data on smart phones, laptops and flash drives or other devices that could be lost or stolen. Don’t exchange sensitive information over public Wi-Fi. Don’t put any unknown media into your devices.

Employees can do their part

Staff working in the office and at home play a key role in preventing a cyberattack. Communicate these tips to your employees.

• Update your passwords.
• Lock your screen if you work in a shared space.
• Ensure your home Wi-Fi connection is secure. While most Wi-Fi is correctly secured, some older installations might not be, which means people in the near vicinity can snoop your traffic.
• Keep kids off your computer if you use it for work. This will avoid downloading malware from infected games or other material.
• Consider installing a home router kit that lets you segregate your home networks.
• Exercise caution if you receive a suspicious email. Avoid opening email attachments from unknown parties.
• Be suspicious of any emails asking you to check or renew your passwords and login credentials, even if they seem to come from a trusted source.
• If you take advantage of any public Wi-Fi, have security enabled on each connected device.

Cyber incident response steps

Define a clear procedure to follow in case of a security incident.

1. Detect and report. Monitoring systems and detecting intrusions are crucial aspects of cybersecurity. Unfortunately, many data breaches aren’t discovered until long after the criminals have penetrated a network. Make sure your employees are aware of potential threats such as phishing and malware, how to detect suspicious activity and whom to report it to. Be aware of these signs that your systems may have been hacked:
   • Your passwords no longer work
   • You can no longer connect to your network
   • Your computer keeps crashing or unexpectedly runs out of disk space or memory
   • Your website has unauthorized changes
   • Your email contacts are receiving spam messages from you
   • A laptop or mobile device is missing
   • Your system logs show suspicious activity
2. Assess and act. Your IT staff must decide whether a suspicious activity is a breach, the result of hardware or software failure or human error. You may need the help of an IT security expert to analyze the activity. Gather as much information as you can before making a decision to escalate the incident. It may be helpful to create levels of response based on the severity of the incident, how widespread it is, and how disruptive it is to your operation and customers.
3. Respond and recover. Once you have determined there has been a serious incident, you must respond accordingly. This may include shutting down your networks and systems, removing hardware or software that has been compromised and conducting a forensics analysis of the incident. In some cases, there are legal reporting requirements, especially if personal information has been stolen. Your legal and compliance teams should be made aware of a possible breach as soon as possible so that you can meet regulatory requirements and defend against liability. Your public relations team should also be informed so that it can make statements to the press (if warranted).
4. Perform a post incident assessment. In this last phase, you should document the lessons you have learned from the COVID-19 crisis and any cybersecurity incidents. Were there weaknesses and areas for improvement? Note how long it took to discover the incident and how long your system was down. Were your recovery efforts satisfactory? Did you have adequate backup procedures?

Liability and risk coverage

You may need to review your insurance coverage for data protection and cybersecurity. Many insurers offer privacy and network security policies as a part of a business or professional liability insurance program.

Cyber liability insurance is divided into first-party and third-party liability coverage. First-party insurance covers your own organization and the risk to your computers and systems. This would include data you store on your systems. Third-party coverage takes care of the costs associated with a client’s system being compromised or a breach of client data.

Most cyber insurance policies will cover:

• Customer notification of a breach
• Anti-fraud protection for customers
• Security incident investigations
• Insider data breaches
• Cyber extortion
• Ransomware costs

Maintaining security in an office or remote environment requires commitments from both employers and employees. Follow these recommendations to establish a safe and flexible work environment.

Business Continuity, Blog, 2020