IT Security Policies & Procedures to Review During COVID-19
As the old adage goes, an ounce of prevention is worth a pound of cure. You are probably expecting this to be in reference to the topic of COVID-19, but today we’ll be covering the importance of having rock-solid IT policies and procedures in place during these uncertain times. Let’s dig in.
Security Awareness Training
With an influx in emails and communication about COVID-19 alongside changing routines means users are likely letting down their guard, and becoming more susceptible to phishing scams and attacks. Stay in front of your users, reminding them of best practices (don’t blindly click on links, assume every email is a threat, etc.) as well as continuing to execute Security Awareness Training. There’s never been a better time to roll out this kind of initiative – you can do it remotely and most employees have more time for training right now than they normally would. The last thing your organization needs right now is a breach, so work harder than ever to make sure your first line of defense (your users) are educated and prepared.
Work with other leaders from your organization to streamline communication efforts. It is so important to be communicating often while weathering so many changes, but too many emails can lead to an overwhelmed workforce and increase the likelihood of a successful phishing attack. Communicate the need for increased scrutiny around cybersecurity as part of the unified company communication. Consider using a tool like Microsoft Teams and creating a channel specifically for communication regarding the changes brought on by COVID-19. Let your team know that this will be the centralized hub for all communication over the next few weeks.
Policy & Procedures
What Types of Policy are Important?
When everything is changing rapidly and you hardly know which way is up or down, policies and procedures can give you a place to land. They might not fit the situation perfectly but you are able to have a starting point. Policies give you the what, and procedures give you the how. Procedures should provide a step by step action plan to help mitigate disaster and chaos. If you haven’t already, go through your documented procedures and see what needs to be updated. Here are some examples of procedures that are especially helpful in times like these, along with questions to help jump start your planning:
- Remote Work & BYOD policy:
- Do you have existing BYOD policies in place that prohibit use of personally owned equipment to access company resources? Make sure your users know if these policies remain in place or have been relaxed. Plan for the future when you need to put these policies back in force.
- Business Continuity and Disaster Recovery Plan:
- How has this crisis changed your plans to recover from a disaster such as a building fire, or severe weather? Do your Business Continuity and Disaster Recovery plans work without being able to work from your office? How will a disaster be noticed if you have temporarily suspended your operations?
- Incident Reporting Guidelines:
- Do your users need additional information on how to report incidents? Do you have data-sharing agreements with vendors, customers, or other third parties? Some customers require notification in the event that you are unable to operate from your established locations. Users interacting with highly confidential customer/vendor information from home may require vendor/customer notifications.
- Incident Response Plan (IRP):
- Does your incident response plan work when your office is closed and your workers are working remotely? Does your incident response plan work if your business has temporarily shut down? Do your incident reporting procedures need updating to ensure timely reporting by users of suspicious activity?
- WFH (Work From Home) Threat Modeling:
- What new security threats exist with a workforce working from home? Are your users accessing company resources on their home computers? Have additional computers been purchased but not onboarded with security tools? What physical security threats exist in terms of your data? Are company computers being kept in workers homes with reduced protection against theft? Ensure all users are clear on what the reporting procedures are for equipment loss/theft and even temporary misplacement of equipment.
- Validate these through tabletop exercises:
- Gather the parties included in your IRP via a remote meeting, and simulate some likely data breach scenarios and put your existing IRP and company procedures to test.
- Retainers (outside incident response, security vendors, IT vendors):
- Do your retained vendors know that your workforce is working from home? Do your contracts include support for incidents that may involve a user’s home network or personally-owned computer?
Don’t Relax Policies During a Crisis
An important thing to remember is that policies and procedures don’t go away while working remotely, or during a crisis. Users might think rules have been relaxed and be tempted to take shortcuts, but shortcuts will inevitably lead to security vulnerabilities and require massive clean-up once we return to normal operations. So what can you do about it?
- Test your policies to see if they still apply and make sense in your new work environment (no one will adhere to a policy that doesn’t make sense).
- Update any policies to accommodate for your new reality.
- Remind your users and leadership teams that the policies still exist, why they are important, and highlight pieces of them that might be especially important in these times.
- Hold your teams accountable! If someone shortcuts a policy and you notice it, make sure to address the person directly.
Not sure where to start with your policy & procedure planning? Schedule a free 60-minute Pour Hour with the Worksighted team to help you identify your risks, get proactive, and stay protected.