IT services and cyber security
During the self-isolation and precautionary measures brought about by COVID-19, IT services staff should re-evaluate their policies and guidelines in relation to staff working from home and the potential safety risks. In particular, teams may need to introduce mitigations for the risks posed by the virus.
- Staff working from home will face new security risks relating to their home network. Older models of home networking equipment may be especially vulnerable to attacks which a typical enterprise IT infrastructure will be unable to detect remotely. Guidelines on purchasing appropriate hardware and patching network hardware such as routers are appropriate.
- It may be appropriate to provide security software such as virus scanners or, in some cases, hardware to staff working from home. Some freely available security software solutions have privacy policies which may leave company data exposed.
- A set of home security guidelines can mitigate risks while using a home network for work purposes. Consider steps such as disabling Wi-Fi in the home to secure sensitive data and encouraging staff to avoid putting their work devices on large networks shared with multiple devices. Staff may also want to consider fresh installations of operating systems, and other measures. In-office policies and standards related to password complexity and the like can also be extended to home networks.
- For employees remotely accessing a company network, it is recommended to put in place an appropriately configured enterprise VPN solution with security features such as multi-factor authentication enabled.
- If remote desktop technology needs to be exposed to the internet, ensure every security feature reasonably possible is enabled, such as firewall restrictions, secure access technologies, and multi-factor authentication.
- Providing COVID-19 communications guidelines can reduce the risk of social engineering attacks on employees themed around COVID-19 and current affairs, such as email, phone, and text message phishing. Staff should be encouraged to rely on specifically selected news and communication channels related to COVID-19. It should be made clear which services will not be used.
- As staff continue to work from home, malicious threat actors will vary their strategies to exploit staff in the home office. If it is not in place already, IT departments should consider regular releases of intelligence relating to new tactics and threats to keep employees engaged as a line of defence.
- Consider extending penetration testing and vulnerability auditing to specifically target employee home networks and remote working infrastructure as a priority.
During COVID-19, ordinary off-boarding of employees or customers may occur as a result of contract termination or expiry. IT departments should be wary of risks to the personal safety of these employees or customers, particularly where the staff member or customer is reliant on the business infrastructure.
- Businesses that provide internet services may wish to extend services for remote customers or staff in instances that would normally result in service termination. Staff or customers may be reliant on services for safety, both psychological and physical.
- Staff may be reliant on business communication systems or services such as phones, email, or other services which would normally be disconnected at the end of employment. In some instances it may be appropriate to extend access to these services beyond employment to avoid interruptions to communications.
- As part of IT off-boarding and on-boarding procedures, the impact of COVID-19 should be taken into account. Staff should be asked to consider making the business aware of their reliance on office infrastructure prior to exiting a company.
- Employees may be part of an emergency communication network put in place by your business. Consider extending this network to past employees for a period of time after employment ceases.