For many businesses forced to close their doors and send workers home because of the coronavirus, last week was akin to fleeing a burning building, says cybersecurity and compliance expert Mike Semel. This week should be about taking stock of your security posture, he stresses.
“Last week was the panic to get everything connected” for working from home, says Semel, adding that “what we're telling clients this week is now that things have settled in, let's make sure you've got all the proper cybersecurity controls in place.”
Given the uncertainty over how long businesses will need to support remote workers, they will “need to make long-term security decisions. Everybody panics when there's a disaster, but the ones that survive are the ones that get past that faster than others and are able to make smart business decisions. This week, the smart business decision is to make sure that the security's in place,” he says.
Earlier in the week, Semel Consulting in collaboration with CompTIA released a series of cybersecurity tips for working at home.
These include continuing to adhere to privacy rules if you’re dealing with healthcare or financial data that may fall under compliance regulations. “There's no reason for a business to compromise security or compliance because of this situation,” Semel stresses. “True, you may not have the physical security at home that you would have in an office, but you still need to maintain confidentiality.”
For example, make sure your computer screen can’t be seen by other people and your phone calls can’t be overheard by anyone, “and that includes your family,” he says. “If you're an accountant doing taxes, you still need to protect the people's social security numbers … And you need to remember that all that HR information is also confidential. These are the things that people don't think about when you're ‘fleeing the building.’”
Another consideration is what you may print at home. “You shouldn't print things out and just throw it in the garbage if it's business sensitive or it's legally protected.” Instead, Semel says, you need to shred such documents.
For those workers who last week used home computers because they don’t have company-issued laptops with VPN connections, Semel advises having your IT department or managed service provider scan them and “apply security tools that maybe you didn't have time to do last week.”
Semel is also advising clients to work with their IT departments or their MSPs to move as much as possible to the cloud, “because we're seeing not just businesses shutting down but buildings are getting shut down.”
Now may also be a time when flaws in your business continuity plan surface, Semel says. For instance, one of his clients has a very onerous laptop policy. “People were reluctant to take their laptops home with them because of the company policy that said that if you damage or lose your laptop, you're financially responsible for it.” Last week, he says, “They had to send a memo out saying, ‘Hey, we gave you those laptops, you need to have them with you.’”
This example “cemented a lot of the things that we say to our clients, which is you need to be prepared for these things and you need to have plans in place.”
Planning for a pandemic is different than typical disaster planning, he adds. “When you're dealing with hurricanes and floods, you're looking at usually days from the time that begins until the time it ends, but then it ends. And with this, there's so much uncertainty and it's hitting people in so many different ways. People are uncertain about their jobs and if they're a business owner, their companies.”
The silver lining? Business owners may start to see disaster planning and cybersecurity as more of an investment than an expense, Semel says. “When I was an MSP, people used to say no to a lot of things. They didn't want to invest in that level of security. They didn't think that compliance regulator would ever get to them. That all needs to change right now because people are dispersed. The one good thing about this is that executives I think are now thinking differently than they did in the past. And while everybody's concerned with conserving cash and protecting their finances, they realize that their entire workforce is now dispersed and they still need to protect the company.”