COVID-19 Coronavirus Business Continuity & Cybersecurity
updated 7 April 2020
Keep Your Business Running
With stores sold out of hand sanitizer and emergency food kits, many businesses forget about the cybersecurity implications of sick employees. Now — as always — it’s a good time to think about how to keep your business running when employees can’t make it to the office due to illnesses like COVID-19, flood, or other unusual events.
Virtual Private Networks (VPNs) have been around for decades to provide remote access to internal tools. VPNs are indispensable tools for road warriors, telecommuters, and those unable to make it to the office because of things like COVID-19 quarantines and natural disasters. However, outdated VPNs also provide an easy way for hackers and infected home machines to access corporate networks. We recommend VPN systems with:
- Multi-Factor Authentication (MFA) to require something more than just a password and username to access the network.
- Integration with other security systems to block access from unknown computers, those with viruses, missing patches, or other security risks.
- Firewall rules that limit access to what remote workers require.
Given how many vulnerabilities Remote Desktop/Terminal Services has experienced lately, we recommend restricting Remote Desktop to internal and VPN and access. Never directly expose Remote Desktop to the Internet. Remote Desktop on the Internet and phishing are the top two reasons why Calgary businesses get ransomware.
Cloud Services with Backups and MFA
Moving critical systems like email, accounting, and sales tools to the cloud can allow employees to access them from anywhere, even if the office is completely inaccessible or illness like coronavirus strikes. However, “the cloud” doesn’t fix everything. It’s essential to backup cloud data to another site. Office365 and G Suite are more reliable than most self-hosted email and file storage systems. However, they are still susceptible to ransomware and employee error. Inexpensive backup systems can protect all of OneDrive, Email, Google Suite, Calendars, SharePoint, and Teams.
It’s also important to make sure that anything that employees can access from outside of the office — including Office365, G Suite, and accounting packages — require Multi-Factor Authentication (MFA) to make it harder for the bad guys to gain access after they compromise a reused, disclosed, or weak password.
Phishing and Security Awareness Training
March 2020 saw a 667% increase in phishing attacks. Many of these scams abuse Coronavirus and COVID-19 fears like the one below:
These also spike during holidays and well-publicized breaches and are part of 91% of breaches to small and medium-sized businesses.
Make sure that your employees receive security awareness training, including phishing simulations. Without this sort of training, we’re able to compromise about a third of a company’s computers. In less than a year, that number drops below 2%.
During this pandemic (at least through the end of June 2020), we are offering free “Working from home” training as well as one free phishing simulation per company. Please go to our Training sign-up page to get started.
We get many calls from companies that tried to save a few bucks by saving backups on the same network as their protected systems. Many Veeam, VM snapshots, scheduled file copy, and Microsoft backups are set up this way. Unfortunately, the backups usually get encrypted when ransomware hits their main systems. We recommend backup devices that have no access from the local network and automatically copy the backups to isolated data centres in Calgary and Toronto. For more information on effective business continuity backup options, please see our backup, disaster recovery, and business continuity page.
Business Impact Assessment (BIA)
Often, businesses put the cart before the horse and jump right to backups instead of taking a step back to inventory all of their systems. Once businesses know what they have, they can determine how much data they can afford to lose and how long they can live without a particular system. This provides a foundation for determining how much to spend on alternative (often manual) processes to keep the business running and recovery systems to minimize outages and data loss.
If you don’t have a Business Continuity Plan and haven’t gone through the BIA process yet, the Calgary Chamber of Commerce has some great resources from the Calgary Emergency Management Agency at www.calgarychamber.com/business-continuity-planning.
When people are sick or unable to work, their knowledge may be unavailable too. It’s vital to document day-to-day operations as well as business continuity and recovery procedures. It’s also a good idea to have junior employees test the documentation to make sure that the business can keep humming when key players aren’t there.
When employees work from home during a coronavirus quarantine or for any other reason, they must have access to the passwords to access systems. This is reason enough to use a password manager. However, these tools also reduce the likelihood of hackers breaching your system because an employee reused a password. When assessing vulnerabilities, we often gain access through reused employee passwords that were previously disclosed through LinkedIn’s breach, for example.
As always, we recommend supplementing passwords with Multi-Factor Authentication (MFA). MFA sends a text message, call, or a phone app to add an additional layer of protection beyond your password. Here are links to set it up with popular services:
Modern Antivirus (Antimalware with Machine Learning, Detection, and Response)
When employees aren’t in the office, they can’t just swap out an infected laptop for a new one. This makes solid antivirus protection with machine learning and additional breach detection even more critical. Antivirus isn’t just about recognizing dangerous files anymore. Those types of viruses now account for a tiny minority of breaches. If you’re still using the same antivirus you were 5 years ago, it’s probably less effective than what Microsoft includes for free.
Over the last few years, all of the new ransomware remediation calls that we received were for companies that had antivirus installed. Unfortunately, these antivirus solutions didn’t include modern features like synchronization with firewalls, antispam, VPN, and wireless systems to isolate infected computers. Critically, these outdated tools didn’t have machine learning or “sandboxing” capabilities to test new malware.
To make things worse, even old-fashioned antivirus products disable Microsoft’s built-in antivirus. Sadly, Microsoft’s free solution would have detected most of the ransomware that those products missed in our January and February 2020 ransomware recovery projects.
Unfortunately, many managed IT service providers use these products because they integrate well with their support ticketing systems — not because they actually provide good protection. Services like Webroot, Trend Micro, Bitdefender, Avira, Avast, and AVG fall into this category. However, they have also been unable to detect most of the ransomware that we have found this year.
We’ve had a dramatic increase in clients who need to secure their employees’ home computers. However, they’re also concerned about cash flow and can’t make long-term commitments with such an uncertain future. During this difficult time (until at least the end of June 2020), we are waiving the usual annual managed security contract requirements and up-front annual license costs for our managed workstation package without sacrificing protection. If you’re interested in our month-to-month patching, breach detection, advanced antivirus, and monitoring package, please click here to call or email us to get started.
Few things are more disheartening than a call from a new client who says, “we thought that we had backups.” Sometimes, this is because the backup system was poorly designed and was caught by ransomware. Usually, the backups were never tested. We see this with everything from security cameras to customer information.
Your disaster recovery and business continuity plans should include walk-throughs where business and IT folks talk through the plan to find gaps. You should also perform full simulations to practice recovering data.
The simulations can be annual exercises. However, we perform automated restoration tests and ransomware detection on every hourly backup to spot problems with updates so we can be prepared with a solution before a server fails to restart, for example.
Vulnerability testing is often overlooked when people are looking to build resiliency into their businesses. This extends beyond just patching and firewall rules. We’re always surprised by how many vulnerabilities we find with simple vulnerability scans. These are the low-hanging fruit that inexperienced hackers and ransomware distributors can easily attack. We go much deeper than these automated scans by manually exploring vulnerabilities that a targeted attacker, disgruntled employee, or sophisticated malware might exploit as well.
We also make sure that you've got your ducks in a row for privacy laws, credit card compliance, and other regulatory requirements. Our process uses custom scripts that you can run on your own computers and remote tools that allow us to perform most of the assessment without having to come on-site during the pandemic. However, we will only provide an abbreviated physical security assessment based on surveys and your own pictures during this period. This reduces your costs while continuing to provide significant insight into your security posture.
Most businesses need to have at least one spare laptop to give to employees as a loaner when their computer gets lost, damaged, or infected. COVID-19’s effect on the supply chain is a good reminder to make sure to order new computers when you’ve approved headcount increases — and not to wait until after a new employee accepts the position. We are seeing growing backorders as pandemic-related delays increase throughout Asia and the United States. We are still direct shipping hardware, software, network cameras, and other solutions to our clients from warehouses in Alberta, British Columbia, Ontario, and California.
Want to prepare your business to weather storms and illnesses?