Across the world, companies and governments are rapidly taking responsible measures to protect the health of their employees and citizens—including asking people to work remotely. More than 30 million office workers in the US, and up to 300 million globally, are expected to be working from home, according to US Bureau of Labor Statistics and Boston Consulting Group estimates. Accounting clerks, procurement officers, human resources staff, the C-suite, and other workers will be logging into company sites, attending online meetings, and accessing sensitive company data via the internet—in many cases through their home computers and private mobile phones.
While digital tools offer excellent support for remote workers, shifting work patterns on such a massive scale can have serious unanticipated implications for IT and cybersecurity. Is your company adequately prepared for the changes in your cybersecurity risk?
Consider the implications of workers clicking on an ad promising a COVID-19 wonder drug, or opening an email attachment—from what appears to be a legitimate health agency offering pandemic updates—that embeds software designed to compromise security. Or what if a worker is manipulated by social engineering techniques to follow instructions from a cyber criminal claiming to be from the employer’s help desk? Does your company have adequate provisions in place to prevent workers from downloading malware that could be used to collect passwords providing access to payment systems, personnel records, personal customer data, intellectual property, and other important assets?
It’s an unfortunate reality that in times of humanitarian crisis, we need to speak more about cybersecurity. We have observed several warning signs. As early as January, COVID-19-branded website domain names began to be acquired. Cyber criminals use these domain names to masquerade as legitimate COVID-19 information sites. They are also sending phishing emails that appear to come from legitimate organizations, such as the US Centers for Disease Control and Prevention and the World Health Organization, but that actually contain malicious links or attachments.
In one case, recipients were offered a link to a university dashboard about COVID-19 that is a popular source of up-to-date information. But when they installed the software needed to view the dashboard, malware worked in the background to compromise their computers, collecting and transmitting personal and company user IDs and passwords to cyber criminals. In another case, users who clicked on an email link purporting to be a COVID-19 update from a leading shipping supplier were redirected to a realistic-looking Microsoft Outlook login page that prompted them to enter user credentials, giving cyber criminals access to company email accounts.
By implementing a number of practical training, process, and technology measures, companies can avoid adding a cyber crisis to the challenges associated with COVID-19. We urge companies to take the following seven steps to protect their corporate assets. (See the exhibit.)
In an office environment, much of the workforce uses desktop computers connected to corporate servers by Ethernet cables or an enterprise Wi-Fi network, both of which depend on the physical security of the building to keep data secure. To work remotely, people will most likely be required to use company-issued laptops or even personal devices that connect to company servers over the internet. Instead of speaking with IT and cybersecurity help desks via an internal phone system, workers will use their mobile phones or landlines.
Companies need to assess three categories of infrastructure: endpoints, connectivity, and enterprise architecture and infrastructure:
As the dramatic shift to working remotely accelerates, these technologies will have to be tested at scale to ensure that the company’s infrastructure and systems can accommodate the high loads. We observe many companies facing significant capacity limits given the rapid increase in demand.
IT infrastructure alone will not ensure that a company’s systems, software, and security are properly configured and operating well. When incorporating the technology needed for remote work into your infrastructure, take the following measures to ensure the cybersecurity of operations:
While the workforce is operating remotely, it is important to consider the security of employee locations—and, potentially, new ways of working. Business continuity plans should include cybersecurity provisions on several dimensions:
In addition to the technical considerations, cybersecurity training and awareness-building initiatives are critical to reducing risk. Here are some of the steps you should take:
The speed and scale of the transition to remote working create numerous security risks for an organization, and your help desk will be the first line of defense. Here are ways to prepare for the change and mitigate risk:
Crisis management teams serve a central role in navigating organizations through difficult times. It is vital to adapt plans for secure, remote crisis management by taking the following steps:
Executives and other key staff who handle sensitive data are particularly critical but often less familiar with technology and its risks. Cybersecurity and identity management teams should limit these users' access and provide upgraded security measures to reduce the risk of compromise. The following are some examples of the roles that organizations must keep careful watch over and the security measures they should consider:
Just as the COVID-19 outbreak has exposed the vulnerabilities of the world’s health care systems, a massive shift to remote working can put existing infrastructure and security measures to new and extreme tests. Remote working has been a growing trend for a while—and IT and cybersecurity professionals at most companies have worked diligently over the years to safeguard their systems. But few anticipated the scale and suddenness of this transformation of the working environment, and many companies just don’t have the infrastructure in place to support it.
The necessary technologies, digital tools, and procedures for mitigating the cybersecurity threat are available and can be implemented in a holistic and comprehensive manner with modest effort and expense. BCG staff have been working remotely for many years, and we know that thoughtful planning that takes into account digital modes of communicating and collaborating can avoid the potential cyber disruption and enable your business to successfully continue its operations. Cyber attacks are like the COVID-19 virus itself. Patching your systems is like washing your hands. And not clicking on phishing emails is like not touching your face. It may seem daunting at first, but these measures are crucial now and will continue to be important as remote working increasingly becomes a fact of life in the future.
The authors thank the following contributors to this article: Jennifer Hoffbauer, Shaina Dailey, Shirin Khanna, Matthew Doan, and Stefan Deutscher.