Managing the Cyber Risks of Remote Work

Across the world, companies and governments are rapidly taking responsible measures to protect the health of their employees and citizens—including asking people to work remotely. More than 30 million office workers in the US, and up to 300 million globally, are expected to be working from home, according to US Bureau of Labor Statistics and Boston Consulting Group estimates. Accounting clerks, procurement officers, human resources staff, the C-suite, and other workers will be logging into company sites, attending online meetings, and accessing sensitive company data via the internet—in many cases through their home computers and private mobile phones.

While digital tools offer excellent support for remote workers, shifting work patterns on such a massive scale can have serious unanticipated implications for IT and cybersecurity. Is your company adequately prepared for the changes in your cybersecurity risk?

Consider the implications of workers clicking on an ad promising a COVID-19 wonder drug, or opening an email attachment—from what appears to be a legitimate health agency offering pandemic updates—that embeds software designed to compromise security. Or what if a worker is manipulated by social engineering techniques to follow instructions from a cyber criminal claiming to be from the employer’s help desk? Does your company have adequate provisions in place to prevent workers from downloading malware that could be used to collect passwords providing access to payment systems, personnel records, personal customer data, intellectual property, and other important assets?

It’s an unfortunate reality that in times of humanitarian crisis, we need to speak more about cybersecurity. We have observed several warning signs. As early as January, COVID-19-branded website domain names began to be acquired. Cyber criminals use these domain names to masquerade as legitimate COVID-19 information sites. They are also sending phishing emails that appear to come from legitimate organizations, such as the US Centers for Disease Control and Prevention and the World Health Organization, but that actually contain malicious links or attachments.

In one case, recipients were offered a link to a university dashboard about COVID-19 that is a popular source of up-to-date information. But when they installed the software needed to view the dashboard, malware worked in the background to compromise their computers, collecting and transmitting personal and company user IDs and passwords to cyber criminals. In another case, users who clicked on an email link purporting to be a COVID-19 update from a leading shipping supplier were redirected to a realistic-looking Microsoft Outlook login page that prompted them to enter user credentials, giving cyber criminals access to company email accounts.

By implementing a number of practical training, process, and technology measures, companies can avoid adding a cyber crisis to the challenges associated with COVID-19. We urge companies to take the following seven steps to protect their corporate assets. (See the exhibit.)

1. Assess Core IT Infrastructure for Remote Working

In an office environment, much of the workforce uses desktop computers connected to corporate servers by Ethernet cables or an enterprise Wi-Fi network that depend on the physical security of the building to keep data secure. To work remotely, people will most likely be required to use company-issued laptops or even personal devices that connect to company servers over the internet. Instead of speaking with IT and cybersecurity help desks via an internal phone system, workers will use their mobile phones or landlines.

Companies need to assess three categories of infrastructure: endpoints, connectivity, and enterprise architecture and infrastructure:

• Endpoints. Ensure that these include approved applications and cybersecurity tools. Collect a complete inventory of devices authorized to connect to company systems, paying special attention to device Ethernet MAC addresses in order to correlate authorized devices with authorized users.
• Connectivity. Ensure that connections to company networks take place over virtual private networks (VPNs) with two-factor authentication to prevent spying on data transmitted between workforce endpoints and company servers. VPN and token software can be downloaded remotely, but additional licenses may need to be acquired.
• Enterprise Architecture and Infrastructure. Configure firewalls, networks, collaboration tools, and servers to accept remote connections over the internet. The capacity for remote connections at many companies may not be sufficient to accommodate the increased load of thousands of connected workers. It may therefore be necessary to purchase additional hardware for on-premises systems or to rapidly move to a cloud service provider.

As the dramatic shift to working remotely accelerates, these technologies will have to be tested at scale to ensure that the company’s infrastructure and systems can accommodate the high loads. We observe many companies facing significant capacity limits given the rapid increase in demand. 

2. Secure Applications and Devices for the Remote Workforce

IT infrastructure alone will not ensure that a company’s systems, software, and security are properly configured and operating well. When incorporating the technology needed for remote work into your infrastructure, take the following measures to ensure the cybersecurity of operations:

• Encrypt and install firewalls on all devices. Ask users to immediately install security patches and update endpoint protection and security (EPS) software on all endpoints, without exception. EPS provides personal firewall, application control, antispyware, and antivirus protection and keeps computers from becoming infected, thereby preventing hackers from accessing IDs and passwords and using computers as points of entry to the company’s servers and systems. Make sure that all computer hard drives, external hard drives, and USB (thumb) drives are encrypted and company issued to protect worker endpoints from theft or unwanted physical access. Put guidelines in place to prevent the use of USB drives that are not company issued. All endpoints should have remote wipe capabilities so that data can be erased from a lost or stolen device, as well as data loss prevention (DLP) software to prevent data exfiltration. (DLP protects against even authorized workers, who may be less careful not to exfiltrate data when working remotely than they are in the office, where they can be more easily detected.) Finally, instruct employees to regularly back up data on all laptops to company servers in order to ensure quick recovery from incidents and protect critical business processes.
• Secure access to company systems. Your company’s security operations center should monitor all VPN and remote-access logs for anomalous behavior. If the organization does not operate globally, consider restricting system access to specific networks or locations in order to reduce exposure to the internet, mitigate risk, and ensure early detection of unwanted behaviors.
• Make sure cyber-incident response processes are robust. Security operations and IT teams should update and test all processes and procedures to ensure that cyber-incident response and chains of escalation work seamlessly with the remote workforce and backup personnel. Companies should also test restoration of backups so they can be relied upon during a crisis.
• Install remote-collaboration safeguards. Ensure that the remote workforce has licensed, secure, enterprise-level teleconferencing and collaboration tools that have been tested. Such tools will enable secure productivity and prevent workers from using a chaotic proliferation of consumer-quality tools that should be prohibited. Compromise of just one workforce endpoint could create a breach for the entire company. 

3. Embed Cybersecurity into Business Continuity Plans

While the workforce is operating remotely, it is important to consider the security of employee locations—and, potentially, new ways of working. Business continuity plans should include cybersecurity provisions on several dimensions:

• Guarantee emergency security access. Ensure that security operations and incident response teams can access their tools and collaborate remotely if they are unable to physically access systems or be near colleagues during an incident.
• Train backup teams and enable remote support. Plans should take into account the possibility that at least some cybersecurity staff will contract COVID-19 and be unable to work, even remotely. Companies should also have service level agreements with remote cybersecurity and IT providers that can realistically be maintained for several weeks, and they should verify that these providers can support remote operations at the needed scale.
• Put clear communication plans in place. Secure direct and backup communications so that remote cybersecurity employees and other key staff can be safely reached in an emergency. Don’t rely on a single communication method, such as email, which can be compromised.
• Adapt your plans. Because the COVID-19 crisis is evolving rapidly, it’s important to track and quickly incorporate lessons learned, as some things will inevitably go wrong in this new environment.

4. Make the Newly Remote Workforce Aware of the Added Security Risks

In addition to the technical considerations, cybersecurity training and awareness-building initiatives are critical to reducing risk. Here are some of the steps you should take:

• Train workers to use new tools and features securely. Ensure that your workforce knows how to use the tools and technologies that support remote collaboration, as well as how to recognize and prevent COVID-19 cyber threats, such as phishing and fraudulent emails and phone calls offering tech support or posing as solicitations from charities. While working from home, staff should configure their routers to create a network for their work computers that is separate from the one used by the rest of the family’s personal devices—a capability that is a feature of almost all home routers. This is a necessary measure because nation-state operatives and criminals are targeting the computers of C-suite executives’ family members.
• Establish protocols for remote workers to authenticate each other. Train remote workers to use only secure methods to authenticate help desks and co-workers. Maintaining strict protocols will prevent staff from inadvertently divulging information.
• Prepare a guidance library. Distribute materials such as self-service guides, videos, and lists of frequently asked questions that make employees aware of the security threats and cover best practices for working remotely in a secure manner.

5. Establish Protocols and Behaviors to Prepare for Secure Remote Working

The speed and scale of the transition to remote working create numerous security risks for an organization, and your help desk will be the first line of defense. Here are ways to prepare for the change and mitigate risk:

• Enhance help desks. Support the rapid surge in remote workers with additional secure tech support. Create or expand your support center (or centers) with voice and chat services to address increased queries. Ensure that the help desk authenticates remote workers properly using multifactor methods of authentication. This can be as simple as texting a code to the authorized worker’s confirmed or company-issued cellphone. Establish periodic touchpoints with your workers to discuss their progress and solicit their ideas for improving secure ways of working. Your workers want to help, and they know what is working well.
• Explicitly define ways to work remotely. Provide the organization with clear guidelines and explicitly define secure procedures for dealing with remote working. Distribute a remote-work policy that specifies acceptable methods for connecting to the internal network. Consider minimizing data access only to those who need it, and align on “normal” working hours, which will facilitate the cybersecurity team’s ability to detect anomalous activities. Define close of business, end of day, and other times after which sensitive data can no longer be accessed—just as if workers were leaving the office to go home.
• Document, announce, and provide for remote meetings, digital collaboration, and file sharing. Well-known platforms such as Webex, Zoom, and Skype will reliably enable secure meetings, but users must be trained and informed. The meeting host should be hypervigilant regarding potential intruders by taking attendance and requiring all participants to announce themselves. Sending password-protected calendar invites will add further security. Enterprise-level collaboration platforms such as Slack, Trello, and Skype for Business provide organizations with secure chat and project management capabilities. But allow only those collaboration and file-sharing platforms that have been approved for business use; avoid commercial platforms that can lack data protection features. Organizations should review the security configurations of these technologies and conduct assessments to detect Shadow IT that may have been set up to collaborate in unapproved ways. Finally, be open to new secure ways of working by listening to employee suggestions and implementing solutions per best guidance from the provider.

6. Embed Cybersecurity in Corporate Crisis Management

Crisis management teams serve a central role in navigating organizations through difficult times. It is vital to adapt plans for secure, remote crisis management by taking the following steps:

• Update cyber crisis management plans to address the security implications of COVID-19. Ensure that the lines of communication used by crisis teams are secure and approved—and that alternatives are available. Review your refreshed incident management plans to ensure that they meet cybersecurity and privacy regulations in the countries or states in which the company operates.
• Ensure that mission-critical technology and personnel are always available. Confirm that leadership and security personnel can maintain secure access to the tools they need when working remotely or quarantined. Communicate emergency escalation procedures, identify backup personnel, and define succession plans by role, such as security operations and system administration. Make sure backup personnel understand that they may be called upon at any moment—if someone in the crisis management team has been hospitalized with COVID-19, for example—and confirm that they have appropriate training and documentation.
• Maintain awareness of the performance, location, and health status of all employees. Establish communication and reporting mechanisms for all staff throughout the crisis. Closely monitor the status of IT and cybersecurity staff in quarantine or in the hospital, and ensure that backup personnel are fulfilling their roles. Implement a secure, dedicated COVID-19 communication channel, such as an SOS application, phone hotline, or email inbox, so that staff and leadership can communicate easily.
• Provide frequent, coordinated cybersecurity announcements. Update the workforce on evolving cyber threats related to COVID-19. Make sure people understand the gravity of the cybersecurity situation by making it a core topic in all workforce messaging.

7. Update Access and Security Measures

Executives and other key staff who handle sensitive data are particularly critical but often less familiar with technology and its risks. Cybersecurity and identity management teams should limit their access and provide upgraded security measures to reduce the risk of compromise. The following are some examples of the roles that organizations must keep careful watch over and the security measures they should consider:

• C-suite executives should alert their family members to the fact that they are cyber targets and teach them to practice good cyber hygiene. This will help prevent attacks from cyber criminals who know that executives are working from home and possibly sharing the family network.
• Finance personnel should be on the lookout for phishing, phone, and business email scams, especially those claiming ties to health care organizations or charities. They should verify all financial communications, such as emails, links, and wire transfer requests, for authenticity and require verbal approval from executives for all financial transfers.
• Procurement officers should ensure that contractual and other confidential data are shared securely using secure Wi-Fi, enterprise file-sharing solutions, and encrypted, company-issued USBs. Beware of emails with suspicious attachments such as purchase orders and invoices from unknown vendors or from people pretending to be known vendors—especially those claiming to be related to COVID-19. Even emails with unfamiliar addresses that appear to be legitimate should be treated with caution. The difference between the following two addresses, for instance, is impossible to detect: mail@example.com and mail@exampIe.com. But in the first one, the “l” is lower case, while in the second, the “l” has been replaced by an upper-case “I.”
• Executive assistants should verify all requests of senior executives, especially from unknown entities. Cyber criminals often resort to personalized COVID-19 scare tactics, such as claiming that the CEO’s child has contracted the virus. Don’t open such attachments or provide information to the caller. Telephone trusted sources directly to verify claims.

Just as the COVID-19 outbreak has exposed the vulnerabilities of the world’s health care systems, a massive shift to remote working can put existing infrastructure and security measures to new and extreme tests. Remote working has been a growing trend for a while—and IT and cybersecurity professionals at most companies have worked diligently over the years to safeguard their systems. But few anticipated the scale and suddenness of this transformation of the working environment, and many companies just don’t have the infrastructure in place to support it.

The necessary technologies, digital tools, and procedures for mitigating the cybersecurity threat are available and can be implemented in a holistic and comprehensive manner with modest effort and expense. BCG staff have been working remotely for many years, and we know that thoughtful planning that takes into account digital modes of communicating and collaborating can avoid the potential cyber disruption and enable your business to successfully continue its operations. Cyber attacks are like the COVID-19 virus itself. Patching your systems is like washing your hands. And not clicking on phishing emails is like not touching your face. It may seem daunting at first, but these measures are crucial now and will continue to be important as remote working increasingly becomes a fact of life in the future.

The authors thank the following contributors to this article: Jennifer Hoffbauer, Shaina Dailey, Shirin Khanna, Matthew Doan, and Stefan Deutscher.