How to protect employees' COVID-related data – comments from Professor Kevin Curran, senior IEEE member and professor of cybersecurity at Ulster University
“A key aspect of keeping an organisation safe from cyber threats during the pandemic is to make sure that CISOs have a holistic understanding and approach to cybersecurity as an organisational-wide risk issue, along with the legal and regulatory implications of cyber risks, as they relate to their organisation’s specific circumstances. This includes identifying which risks to avoid, accept, mitigate, as well as specific plans in each case, and also communicating this to senior management.
“Cybersecurity training for staff is important as people are often the weakest link in security. As such, it is important to ensure all employees are well trained on aspects such as cybersecurity best practice, including phishing and data sharing practices, keeping software updated, unique strong passwords and enabling two-factor authentication. The first line of defence for organisations to stop some attacks is to simply educate employees about the dangers of clicking on links – however, only a fraction will listen and learn. There has recently been a new movement where security teams send phishing emails containing fake malware to their employees which, when activated, simply leads them to a site telling them about their mistake and educating them on the dangers of what they did. Education is crucial.
“Another good move to counter cyber threats would be to incorporate a ’cybersecurity by design’ framework. Introducing a cybersecurity by design framework into a company provides it with a holistic set of pragmatic guidelines, which can enable an organisation to more completely consider the full remit of protection and processes which should be in place to cope with the ever present avalanche of cyber threats. Cybersecurity by design provides a number of core principles, but, ultimately, it makes compromise detection easier, enabling companies to be more proactive to cyber threats.
“All aspects relating to the protection of data need to be considered. This includes examining security of physical locations and employee access, data storage, data backups, network security, compliance and recovery procedures and, of course, all Internet of Things (IoT) devices. It can be easy to neglect software, but it also needs to be audited and a security architecture survey should follow. This should form part of a larger threat modelling/architecture risk analysis of a company's infrastructure.
“The rapid move towards remote working is an obvious risk during lockdown. Some organisations will have built policies and procedures over many years which protect staff, students and the organisation's infrastructure. However, unless a significant percentage of employees had previous access to proper remote access technologies, there is a real risk of them making bad choices.
“Virtual private networks (VPNs) should be used to secure data between remote workers and core systems. In the ideal world, organisations would have a Zero Trust network system deployed. However, this can be difficult to implement in response to Coronavirus, as it should ideally be rolled out in a phased manner which entails pilot projects and tweaks in a safe environment before deployment. Saying that, if an organisation has not yet embraced the concepts of privileged access and least privilege, or still uses shared accounts for access then Zero Trust is probably not going to work. Organisations should also make sure that employees have up-to-date security protection on any devices, such as virus checkers, firewalls and device encryption.”