Covid-19 also threatens data security

published on 6 April 2020 | reading time approx. 4 minutes

 

We are currently witnessing global changes that, a few months ago, only the most insightful risk analyses could have foreseen, and then only as a remote possibility. Now we have to face them, keeping in mind not only the protection of our health but also the ways to secure the business continuity of enterprises both now and in the future. Do we fully realise what risks the global pandemic entails?

 

Challenges for enterprises

The primary task now facing company managers is to reliably estimate the risks related to protecting employees' health and lives, changing the company's working processes during the crisis and maintaining business continuity until the situation stabilises. In terms of the security of IT systems alone, at least the following basic aspects should be considered.

 

SECURITY OF PEOPLE

We must remember that covid-19 infection can be deadly and therefore must not be ignored. We should implement all possible measures to limit direct contact between employees, including, or rather especially, contact with the administrators of the key IT systems. But even if they can telework, we must remember that they may have to physically access, for example, the server room in case of a failure. The best solution would be to set up a few teams working in rotation and physically isolated from one another. This will both curb the spread of the disease and secure at least a part of the staff should any team be quarantined because one of its members has fallen sick. It is also very important to prepare employees for the new working conditions and, above all, to make them aware of the related risks and of their responsibility for strict compliance with the procedures.

 

SECURITY OF KNOWLEDGE

We must secure not only the employees' health but also their knowledge. We must check whether at least a few persons have the necessary information about the functioning of the key systems. Good practice dictates that the necessary knowledge should be recorded in writing in the form of documentation, procedures and instructions. Particular attention should be paid to the access data required for system administration. It should be stored securely, e.g. in a tamper-proof envelope locked in the management board's safe.

 

SECURITY OF EQUIPMENT

IT equipment which has so far been used to operate the internal network will have to stand up to a large number of connections to the public network. This implies an increased risk of malfunction and, eventually, of hardware breakdown. Therefore, we should check our inventories of equipment and spare parts to see which items are crucial for business operations. Such an analysis should be the basis for an emergency plan in case any of the devices fails, and the best option is to have spare or substitute devices in our current stock. This is because we have to factor in the risk that the pandemic will interrupt maintenance and repair services and supply chains.

 

ADDITIONAL PROBLEMS

Our emergency plans should also take into account that certain problems will appear more often. We can already observe that network access is overloaded, which might cause data synchronisation errors or hinder effective telework. Other issues include voltage drops and an overloaded power grid, which in turn may jeopardise the company's IT infrastructure. You should also be prepared for breakdowns of company equipment used by employees, sometimes very far away from the company's office. In every such case you should first of all secure the health of the employees and service staff.

 

Data risk

Not only human health but also company data is at risk during the epidemic. Companies are forced to open their in-house systems to the outside world to enable their employees to access data from the public network. This multiplies the risk of cyber-attacks on their IT infrastructure.

 
To meet urgent needs, IT administrators mostly act in a hurry, focusing on fast results rather than on security. In such a situation, it is very easy to make a mistake in setting up devices and systems or to take shortcuts, sometimes ignoring even the most fundamental security rules. Leaving default service accounts in place, using the same simple passwords for many different systems or opening a "backdoor" to the system from the outside are just a few basic examples of the mistakes that hackers lie in wait for. Equipment set up under time pressure, e.g. for teleworkers, may also lack an up-to-date version of the operating system, and individual systems and applications may lack key security components. To make problem solving easier, IT workers may also decide to give teleworkers local administrator rights, which may in turn lead to undesired applications being downloaded or installed or to antivirus safeguards being disabled. All this could make the system easy prey for hackers or viruses (and we are not talking here about covid-19).

 
The network environment that the company's in-house systems must come into contact with is also fundamentally different. What has so far been an internal network is suddenly connected to a multitude of unknown home networks. These may be open public networks or networks shared by the entire housing estates in which teleworkers live. You should carefully consider this risk and, ideally, provide teleworkers with autonomous, company-controlled access devices, smartphones or SIM cards enabling unrestricted Internet access.

 
Teleworkers will probably feel more tempted to do things not necessarily related to their work, especially when, for lack of other options, they use their private equipment, which by definition is at odds with the effective protection of company data. Therefore, you should prepare appropriate procedures and recommendations and ensure that they are complied with.

 
Longer confinement to home may result in an increased incidence of attacks by home-grown hackers. Young people who are bored for lack of other entertainment may experiment and test their hacking skills, targeting their attacks completely at random. In the process they may access wireless networks used by employees or shared with multiple users. But hackers may also attack corporate infrastructure directly, especially by exploiting the fact that administrators focus mainly on maintaining system operations and less on tracking security system records. This is all the more likely as the company's IT staff, faced with a huge number of incoming emails, will find it hard to tell whether an address belongs to an employee or to an unauthorised person. You must be prepared for such dangers as well.

 

A paradise for crooks

Every change in our everyday activities, especially one as big as a global pandemic with the restrictions and new regulations it entails, goes hand in hand with increased activity by various criminals, crooks and con artists. They use social engineering tricks that take advantage of our fear of an unknown danger and of the shortcomings in how government measures taken to remedy the situation are communicated.

 
Companies should make their employees particularly wary of such attacks, which may be carried out not only by email but also by phone. For example, an employee may be asked by a hacker impersonating a technical support worker to accept a brief remote connection to the company laptop in order to enable an upgrade of the security system. The employee should know and apply the procedures for verifying such requests so as not to become an easy target for hackers and jeopardise the entire company infrastructure through reckless behaviour.

 
In the current situation attackers may also prey on the employee's private needs. Examples include attempts to phish for system access or even payment card credentials under the guise of a new online grocery shop offering deliveries within 24 hours (whereas competitors will deliver only in 2 weeks), or the use of a fake application supposed to help receive fast government subsidies in the times of crisis (the sooner you apply the better, because this will affect the time you wait for the money).

 
If you want to avoid the whole array of problems, ranging from ransomware-encrypted drives, through attackers taking control of an employee's computer, to attackers accessing the company's infrastructure, we strongly recommend that you prepare your staff well for attacks.

 
Companies which effectively analyse the covid-19 related risks and implement the necessary measures will be able to wait with more ease for the situation to go back to normal, even though nobody knows yet how long it will take.
