Pandemic Work-From-Home Orders Raise Cybersecurity Threats

The global outbreak of COVID-19 has moved many business activities—and, often, entire workforces—online in a matter of weeks. While this new virtual reality is essential to sustaining business during the pandemic, it is critical that corporate boards become aware of the increased cybersecurity threat of this growing reliance on technology.

As this crisis will likely be prolonged and reveal additional cyber-risk vulnerabilities, boards will increasingly be called upon to ensure that management not only continues to effectively run business operations in a highly volatile environment, but also that they are doing so in a secure fashion.

The NACD Director’s Handbook on Cyber-Risk Oversight, produced by NACD in partnership with the Internet Security Alliance (ISA), warns that any technology innovations and transformations that enhance profitability can also undermine security. Successful cybersecurity cannot simply be “bolted on” at the end of business processes. It needs to be woven into an organization’s culture, systems, and processes end to end. When done successfully, the interweaving of security into business processes can help build competitive advantage.

Drawing on feedback from the chief information security officers on the Internet Security Alliance board of directors, who represent some of the largest firms in the country, the handbook authors identified the following list of strategies and tactics to smooth the transition to new working environments necessitated by the COVID-19 emergency. Many companies are adopting some or all of the following tactics:

• Enhance support for virtual private networks and data centers, including expedited delivery, for all remote workers.

• Allow employees to take their laptops home, but ensure that the proper security technology stack is loaded on their devices.

• Enable new solutions for areas where traffic patterns are impacting our current conferencing tools.

• Deploy enhanced monitoring of the network to identify contractors, stop phishing, and better understand network scanning events.

• Build additional analytics and updated detection and response playbooks.

• Increase communication and awareness for employees, including enhanced technical support as needed, and provide best practices to deal with added stress on security teams and management.

• Catalogue all new risk issues for post-COVID-19 analysis and action.

These tools and tactics can be incredibly helpful as technology-driven practices or processes that would typically be carefully planned and tested prior to implementation are being rolled out across entire enterprise systems in what some are calling the fastest and most disruptive shift in working conditions in history. The response to the COVID-19 pandemic is likely to have lasting effects on some workplaces.

Prior to the pandemic, most businesses were hesitant to allow widespread telework policies for their employees due to a variety of concerns, including technological risk and lost productivity. According to a new Brookings Institution study, less than 25 percent of the US workforce worked some hours from home on an average day prior to the pandemic.

However, the threat posed by COVID-19 and the need for social distancing tipped the scales toward allowing widespread telework to maintain as much productivity and profitability as possible.

Even under normal circumstances, boards and their management teams must strike the appropriate balance between protecting the security of the organization and mitigating downside losses while maximizing profitability, productivity, and growth through digital transformation. Now amid this dramatic shift to full-scale remote work for which traditional control and risk-management systems were not designed, boards need to be sure they are providing prudent oversight and supporting their management teams in making the necessary adjustments without overburdening them.

In particular, two of the traditionally most difficult cybersecurity issues—malicious insiders and supply chain or third-party vendor management—come under increased pressure as enterprises quickly and massively shift to online-only operations. For instance, as organizations adapt to telework, more are relying on third-party services such as Zoom and other teleworking cloud platforms to ensure business continuity.

With all of these considerations in mind, the handbook on cyber-risk oversight summarizes the questions boards should consider asking of their management teams, including:

• How many third parties have access to the company’s systems and what controls are placed on them?

• How does the board receive actionable cyber-threat intelligence?

• What is needed to fully include cybersecurity in current supply chain risk management?

• Is there a playbook with clear definitions of incidents, roles, responsibilities, and escalation processes? Are core business functions, such as information technology, business, legal, and communications, integrated into the response plan?

• Does the security team know exactly which employees have elevated privileges and are these employees monitored to ensure that they are not abusing their access?

Now is a time when boards who have followed the advice in the NACD-ISA handbook for best-practice business continuity plans specifically focused on cybersecurity concerns—and those who have practiced them—will see the benefit of advanced strategic planning. Indeed, Gartner, in a new survey on corporate board responses to the coronavirus pandemic, reports that most firms with such a crisis preparedness plan are at least initially faring well in the crisis. For organizations that don’t have such a plan in place or wish to assure that the one they have is adequate, the newly published NACD Director’s Handbook on Cyber-Risk Oversight provides clear guidance for effective cyber-incident response.