The widespread transition to remote working during the Covid-19 pandemic has been well documented, as has the change this situation forces upon us in terms of our cybersecurity. Physical meetings have moved online, with this decentralization resulting in an acceptance of cloud-based technologies that is unprecedented. Indeed, many organizations are actively exploring how to migrate many of their physical operations online.
For tech-savvy companies, this transition has been pretty straightforward, if indeed it hadn’t already happened prior to the pandemic. More traditional companies have been somewhat slower, however, and the extreme time pressures placed upon people has caused information security to take a back seat. And the threats aren’t merely restricted to customer data.
Corporate and even national espionage is increasingly common in a time in which so many of our key pieces of intellectual property are held online.
Canadian telecoms company Nortel is a prime example of a company that suffered enormously from their IP being hacked, and earlier this year Russia was trumpeting a vaccine for Covid-19 that is widely believed to have been acquired after hacking western labs.
Protecting trade secrets
The shift to remote work has made the protection of these vital trade secrets that much harder to achieve. The pace of this transition has forced many organizations to cut corners to ensure business continuity, with cybersecurity among the first things to be cut. For instance, a paucity of work laptops meant a widespread implementation of ‘bring your own device’ policies that allowed employees to use their own computers via remote access software.
Sensing an opportunity, the pandemic has seen a significant increase in operations by hackers. For instance, American law enforcement agencies recently uncovered an extensive attack masterminded by a Russian hacker group on employees from dozens of major Fortune 500 companies, all of whom were working from home. The attack was delivered via malware that was deposited on popular websites.
The vulnerability was triggered when the computers were part of either government or corporate networks.
This kind of vulnerability has a number of origins. For instance, the distributed storage and creation of information presents an attractive target for hackers, especially as their rapid installation has often resulted in faulty configuration that leaves the door half-open. In such a circumstance, it’s often less a case of if an attack will happen as when it will. Indeed, it’s not uncommon for an unsecured device to be attacked within a few minutes, with massive undirected automatic attacks capable of targeting every digital device that isn’t securely patched.
Even the most advanced systems are no guarantee of safety, however, as poor configuration can often be the consequence of a hasty installation. It’s important to remember that security is only as strong as its weakest point, so even the most basic aspects must be taken care of.
Secure your employees
Another often overlooked aspect of the best cybersecurity is the workforce. Social engineering is such a potent means of cyberattack that Kevin Mitnick made his name from it. The stress associated with the pandemic has been well documented, with employees having to get to grips with new ways of working, often whilst adapting to new home circumstances, and grappling with the health and economic risks of the virus itself.
When we’re stressed, we tend to make poor decisions, which can leave us vulnerable to attack.
Throw in the inevitable distractions that working from home is likely to present, and it’s an environment that is extremely vulnerable. This could be a malware attack or even something as seemingly innocent as a family member using a device to search the internet. If detected early, these attacks can be limited, but the very nature of trojan horse attacks is that they can remain undetected until it's far too late.
So what can you do to ensure you, your workforce, and your intellectual property are kept safe and secure? While not intended to be an exhaustive list, the following are some good steps you can take:
- Identify what is truly important - A crucial first step is to have a strong idea of just what the most important pieces of IP are to your organization. This could be source code, chemical formulas, or even key customer records. Ask yourself the honest question of what harm would it do to your business if this information fell into the wrong hands? This will help you to identify the information that is truly worth protecting as much as you can and distinguish it from the vast majority of other information your organization will have.
- Limit access on a need to know basis - Hopefully, your culture is such that you treat all information respectfully, but the key IP for your business should only be distributed if verifiably required. This is common practice in industries such as the military, and is a good habit for you to get into during the pandemic (and beyond). You may experience some kickback on this, as it runs counter to the openness that is increasingly common, but these are unusual times that require unusual measures.
- Track information usage - The next stage is to develop robust systems to accurately track and monitor information usage and access. The most secure approach is to implement strict access rights to this vital information, and track who accesses it, and when. There are a growing number of vendors that seek to automate these processes to make it easier for companies to maintain security.
Corporate espionage is not a new thing, and organizations have long had to ensure their key intellectual property is safe from prying eyes. As with so much, the pandemic has exacerbated these concerns and made it doubly important that organizations get their house in order.