Enforcing Security Best Practices During COVID

If you are responsible for IT security, much of what you knew about keeping data safe and systems secure went out the window in Mid-March. While the data differs for every country, one morning in March you woke up to discover that all of your best plans and practices were obsolete. Your CEO sent out a letter asking everyone to work from home, and suddenly you went from a handful of locations to hundreds or even thousands in a matter of hours. Not only did you have to support remote workers, but the members of your own IT team were also working in isolation.

In the midst of this chaos, how are IT departments supposed to keep everyone’s computers running, upgrade video conferencing capabilities, and make sure that all of the VoIP phones are properly re-routed—all while preventing hacks and data loss? There’s no one magic bullet, but here are three ways that I’ve seen companies successfully manage their data security during the pandemic.

1. Enforce IT Security Policies. Let’s face it: most people halfheartedly sign a company’s cybersecurity policy the day they get hired, and then never really think about it again. This is the time to double down on reinforcing those policies. If you have an online cybersecurity refresher course, make it mandatory for all staff. We all know that people are more at risk for security issues when they’re at home but the lack of on-site support can exacerbate the problem.
   
2. Implement Multi-factor Authentication. There are plenty of reasons why IT departments haven’t made MFA a core part of their security stack, but there are no excuses not to have stringent rules for network access, as well as access to specific files and folders. I understand why organizations are reluctant to do this (you think helping people recover one password is bad), but during the pandemic, security is just as important as user experience.
   
3. Evaluate your VPN. There are lots of ways to configure a private network, but as an IT security professional, I can say that none of us expected the current workload. You can do all  the stress testing and disaster preparedness you want, but no one envisioned thousands of people all working from home on non-secure home internet connections. This is the time to see if your VPN is up for the task or if you need something better. If your VPN is up to the task, where can you implement more in-depth monitoring? How can you secure your connections even more?
   
4. Evaluate all of your systems. As chief information security officer, I’m tasked with implementing technologies and systems that make every part of my company, which has 1,500 employees in dozens of countries, run properly. This is the time when we’re all finding out what works and what doesn’t, and what needs to be upgraded to perform up to the standards that people demand. For us, it included looking at our phone system, our calendaring tools, and our video conferencing platform. And security needs to be part of that evaluation right now. As you implement new and different ways of communicating, how are you evaluating the appropriate level of security to accompany it?
   
5. Build the Office of the Future. Whatever we were doing on March 1, we won’t be doing it again for a while, if ever. Whether it’s going to a restaurant, seeing a movie, or going for a walk, it’s going to be different for quite some time. We don’t know what life will be like in two years, or even two months. That goes for how we work, too. No one knows when we’ll be going back to our offices, or what it will be like. But security teams need to prepare for many options. We need to prepare our security systems and our access protocols for a wide range of scenarios, and we need to be able to pivot on a moment’s notice as things change.

There’s no one way to solve the mess we’re in, and IT departments are still figuring things out every day. I’ve read a lot of articles about specific solutions, but those are all Band-Aids when we really need a tourniquet. This is not the time for half measures and a wait-and-see attitude. We need to commit fully to improving security. And it all comes down to education.

Why Education Matters

We all know that there is often a divide between IT in the rest of the company. Most people don’t have the time or the training to be experts in managing networks and enforcing security. That’s why they’re more than happy to leave everything to us. On one level, that’s a good thing, because it makes everything run smoother (most of the time). The problem is that it keeps individual employees from being fully invested in security. They may not need to know the ones and zeroes of fighting a phishing scam or a DNS attack, but they do need to know how to avoid inadvertently compromising security.

That’s why real education, not just making new hires sign a form acknowledging company security policies, needs to be a priority. People need regular training that gets them thinking about security rather than relying on IT departments to fix problems. They need to know how to recognize malware hidden in attachments and links. They need to know how to spot a spoofed email address. They need to know that many “free” offers are just enticements to get private data.

Most companies have programs like this in place, but whatever they’re doing, they need to do more. Annual programs need to be offered quarterly, and a special online “pandemic session” in the next few weeks might also be a useful booster shot to help employees recognize issues associated with working on non-secure web connections.

We’re in the first phase of a very long path back to normal, and cybercriminals aren’t taking a vacation. They thrive on uncertainty and confusion. That’s why companies that take security seriously need to double down on education and training. IT departments and cybersecurity teams can’t be the first line of defense right now.