No one has ever seen a year like 2020. These are unprecedented times for all of us — individuals, families, and organizations alike.
As we continue adapting to the changing conditions, it is important for organizations to review the actions they have taken in response to the COVID-19 pandemic and assess the effects of those actions on the organization’s cybersecurity posture.
The imposition of quarantines to contain the pandemic forced thousands of accounting firms, their clients, and corporate finance departments to convert, often overnight, to 100% remote work and/or a mix of working remotely on certain days. Now, three months or so after rushing to provide the technology and resources for accountants and other employees to work productively from home, many organizations are mixing the remote technology with on-site technology as some employees return to the office on a limited basis. All organizations should take a careful look at the IT security aspects of their technology setups, both for remote work and a mixed environment (some at home, some at the office). This article explores six areas of interest, explaining potential concerns and recommending actions to take.
For more on this topic, including stories from the front lines, please listen to the June 24 episode of the Go Beyond Disruption podcast “Cybersecurity Advisory. Working From Anywhere, Rebooting Securely.”
Area of interest 1: Hardware configurations
- Concern: In the rush to get employees who typically work in office environments productive with remote working arrangements, many organizations purchased hardware (e.g., laptops) from retail stores and had to configure them on the fly. Many of those employers may not have had enough time to fully understand how to secure and harden these machines before introducing them into the production environment. Having machines operate in the production environment when they are not fully vetted and differ from the company’s pre-defined configuration standards could increase the risk of malware or ransomware being introduced into the corporate environment.
- Recommendation: Ideally, secure and standardize the hardware prior to use. If that was not possible, stop now and assess the security as soon as possible. For the future, have a plan for securely deploying and maintaining new hardware.
Area of interest 2: Personal devices connecting to network
- Concern: Some organizations have been able to avoid purchasing new hardware by allowing employees to use their own devices (e.g., mobile devices, home computers). Personal devices pose a significant risk because they often lack malware protection and may not receive operating system and security updates. It is important to ensure that noncorporate devices have access only to strictly controlled portions of the network, so that if a device is compromised, sensitive data is not exposed.
- Recommendation: Understand what employee-owned personal devices can access on your organization’s network and make sure that the correct security settings are implemented on those personal devices, including use of a virtual private network (VPN), network segmentation, endpoint management, etc.
Area of interest 3: Infrastructure governance
- Concern: Changes that were made to stay operational during the initial stages of the pandemic might have put a company out of compliance with regulatory requirements or its own internal policies. Examples of those changes include increasing password age configurations, changes to firewall rules, changes to network layout, or the elimination of network segmentation. It is important to understand what changes were made in response to what the organization thought was a short-term solution and evaluate the impacts of those changes.
- Recommendation: Review the infrastructure configuration changes made to enable working from home and determine whether any need to be undone or redone to reduce the risks identified. If a regulatory issue is identified, self-report the violation and the corrective actions taken.
Area of interest 4: The location of company data
- Concern: Organizations should understand whether employees are using home computers, personal email, or even a personal cloud subscription to perform work-related tasks. What was well intended as a short-term workaround might result in company data residing on a personal computer, hard drive, unapproved cloud instance, or email inbox — which could lead to infected files, from sources such as personal Dropbox storage, coming back into the organizational network.
- Recommendation: Reiterate to your employees that company data and company files should not reside, temporarily or permanently, outside the corporate environment. Have employees return all company data to a preferred/approved storage location and stay diligent as they work from home full time or alternate with days at the office.
Area of interest 5: Videoconferencing
- Concern: Did your organization have a single videoconferencing solution prior to the pandemic? Or are your employees subscribing to and using free videoconferencing solutions? The more different videoconferencing platforms your people use, the more opportunities for security breaches.
- Recommendation: If videoconferencing is becoming an important aspect of your organization’s business, it would be in the organization’s best interest to establish one videoconferencing platform so it can better manage the security settings and other implications of that application. Whatever solution is used should be vetted and have proper security implemented.
Area of interest 6: Security awareness training
- Concern: Is your workforce prepared for the increased phishing attacks that the cybersecurity community is seeing? Do you have employees who have never had to consider the physical security implications of being assigned a laptop or portable device? It may seem like low-hanging fruit, but keeping employees engaged in, aware of, and educated on organizational security policies and their responsibilities is more important now than ever.
- Recommendation: Keep security awareness and training campaigns active during this time of remote work and, if anything, consider increasing training requirements so employees have a clear understanding of security policies and procedures.
Protecting your organizational information is now more important than ever — and more complicated — as employees are working from everywhere. Organizational technology teams have done an amazing job of keeping business running, as have creative employees. And now is the time to enhance security settings and communication of security responsibilities. In addition to the technology, focus on educating your people on the importance of security.
Christine Figge, CPA, CGMA, and Jennifer Zanone, CISA, PMP, contributed to this article.
For more news and reporting on the coronavirus and how CPAs can handle challenges related to the pandemic, visit the JofA’s coronavirus resources page.
— Audrey Katcher, CPA/CITP, CGMA, is partner, Business Advisory Services at RubinBrown. To comment on this article or to suggest an idea for another article, contact Jeff Drew, a JofA senior editor, at Jeff.Drew@aicpa-cima.com.