Boards must be vigilant with their oversight of cybersecurity risks in this new environment of remote working.
The current environment has forced many employees into remote working situations and significantly increased online interactions between companies and their stakeholders. The need to rapidly adapt multiple business processes and protocols to enable remote working brings new risks to the confidentiality, integrity and availability of critical company data and the supporting systems. As a result, information technology (IT) functions are being stretched and distracted as they respond to an increasing volume of requests while continuing to maintain existing information security practices. Meanwhile a surging number of threat actors are seeking to exploit the changing work environment brought on by the pandemic.
Boards should consider the following questions to be more vigilant with their oversight of cybersecurity risks in the new work environment:
- With increased remote access, how is the company’s overall cybersecurity posture being optimized, and is the company confirming whether additional technology and operations are secure?
- Has management reviewed and tested all security features (e.g., point-to-point encryption, data protection) associated with the company’s videoconferencing tools, including patching, and are vulnerabilities mitigated if patches are not available?
- What changes have been made to security monitoring procedures given the increase in remote workers? Are changes to user accounts with administrative or privileged access being more vigorously monitored?
- Are security personnel effective working remotely? What physical (in-person) security requirements are not being performed?
- What are the contingency plans if key IT or security personnel require time off?
- How is management maintaining an effective incident response and recovery function considering the additional remote access technology and operations?
- Are there additional needs for software, technology, personnel or other resources to augment existing controls?
- Are system updates and patching current?
- Are employees being reminded of security awareness protocols because of the increased risk of COVID-19 phishing emails or similar tactics?
- Is management communicating with critical suppliers to determine whether they are evaluating additional steps to assess and protect their networks?
- Are incremental insider threats being evaluated, including revising print-from-home capabilities?
- What security risks might there be related to employee layoffs and furloughs? Are the human resources and IT security teams aligned so that user-access privileges are immediately removed?
- How is the IT security function affected if furloughs or budget cuts are being executed or contemplated?
- Should the company’s security personnel review or update board members and C-suite home networks for appropriate security?
The board plays an important role overseeing and supporting how a company enhances its cybersecurity in the new work environment. Widespread remote working and increased online interactions may become the new “normal” as businesses reimagine their business models. A company’s ability to adjust and strengthen its cyber resiliency through the dynamics of this crisis will position it for a more secure future.