Life in the New Normal: Adapting to Covid-19 Cybersecurity Considerations

The “New Normal” is the buzzword nowadays, with increasing tempo as the Covid-19 pandemic continues to grow globally beyond medical and clinical proportions. What originated as a public health crisis has now quickly expanded to encompass economic, social governance and information technology aspects. As a professional audit practitioner by clock-in, a graduate student by clock-out and a seasoned traveler all year long, this pandemic has certainly changed the way I do things on a daily basis.

Now that I’m taking a break from traveling, my focus has been divided between audit deliverables and masteral requirements. As work and school increasingly move online amid the implementation of community quarantine to help flatten the curve of the Covid-19 pandemic, we have also witnessed a boom in popularity of cybersecurity issues circulating around the digital world. The recent mystery on duplication of various Facebook accounts in the country is one of the concrete examples.

While I do believe that this is alarming, I don’t necessarily feel anxious about this unwarranted or futile attempt, as the case may be. Having a bogus Facebook account bearing my name on it without accompanying harmful acts is not as unsettling as somebody pretending to be me or hacking my real account, then setting up a duplicate page and asking my virtual friends to connect with my supposed “fake” personal page for fraudulent purposes. Nonetheless, both acts are disturbing and must not be taken lightly. If you encounter one, just go to profile settings and report it immediately.

Role of Internet Connectivity in Online Activities

Staying connected online plays a huge role during this pandemic. As a first-year graduate student at the University of San Carlos, I saw our scheduled classes disrupted by the Covid-19 outbreak as well. In the middle of the second semester, we shifted from a face-to-face class set-up to flexible learning (e.g., online classes). Life in the new normal not only highlights telecommuting and the work-from-home set-up, but also the existence of virtual education. It just means that learning never stops at home, especially with the help of internet connectivity.

As part of our final course requirement in Information, Audit and Controls, our instructor told us to watch webinars on YouTube with topics that are relevant both to the subject and to the situation we are facing today. One of my classmates shared her challenge regarding internet access. Knowing the adjustments brought about by this pandemic, I offered to lend her my extra mobile wifi router so that she could be productive at home and comply with our final class activity with access to high-speed internet plans. We both chose the webinar entitled “Adapting to Covid-19 Cybersecurity Considerations” hosted by IT Governance for the main reason that cybersecurity threats are emerging amidst the Covid-19 pandemic and control measures must be adapted.


Cybercrimes During the Pandemic

While almost everyone is struggling to stay hopeful and productive during these dire times, some people have taken this as an opportunity to trick or threaten a person’s or a company’s security and financial health. Yes, this pandemic has led to an explosion of cybercrimes such as phishing attacks, and these aren’t the things that we need at this moment. These cyber criminals are committing offences against individuals or groups of individuals with an ill motive to intentionally harm the reputation of the victim or cause physical or mental strain, or loss, to the victim directly or indirectly, using modern telecommunication networks such as the Internet or mobile devices. Well, the speaker of the webinar couldn’t agree more, as he even highlighted that timing is everything: cybercrime attackers are using the stress and uncertainty brought about by the current Covid-19 climate to push unsettled victims into making snap decisions which they could later regret.

Examples of Phishing Attacks During Covid-19

The webinar speaker went on to discuss phishing attacks during Covid-19, examples of which include “Authority Guidance” or “Directions”. Hackers leverage authority to encourage mistakes, for example when a fraudster sends a message pretending to be the President or Chairman and instructs you to do something illegal or prohibited of some sort. Another would be phishing emails and malicious apps, which are very common. There are a lot of horror stories shared on social media, like opening an email purporting to be from a legitimate brand site where, in the end, the victim unknowingly falls into a trap called a phishing scam.

Applying this situation in the company that I’m currently connected with, I can recall the times when the IT team informed all the employees to be vigilant when opening emails from unknown sources using either the company office Outlook communication or personal email. I’m glad our IT guys are doing their job by spreading awareness on the existence of these cybercrimes and disseminating useful information on how to detect and protect oneself against those likely phishing attacks.

Cybersecurity Tips for Employees Working at Home

Another thing discussed was cybersecurity tips for staff working at home, which is very relevant and timely during this pandemic. Some of the security loopholes for your equipment to watch out for are the following: (1) Access: do you have a family member, close friends or even strangers who have access or the possibility to access your equipment? Then don’t let your guard down no matter where you are, because these attackers are everywhere or could be anyone. (2) Unauthorized devices, such as the use of USB, storage devices and the internet of things. To be honest, our company doesn’t have a policy for IT usage, especially on the security mechanisms for a “bring your own device” set-up, so how much more in the work-from-home set-up where chances are high for a mix-up? Lastly, the susceptibility to loss or theft of your IT devices, wherein password protection and encryption are at least given due consideration. I totally agree with these useful cybersecurity tips, proven and tested security measures even beyond the current Covid-19 environment.

Application Security Measures

Application security was also given importance. The IT expert shared that application security encompasses measures taken to improve the security of an application, often by finding, fixing and preventing security vulnerabilities. He mentioned examples like (1) Patch – all apps should be patched automatically, browsers need to be patched; (2) Restrictions – approved apps only, limited to trusted sources; (3) Videoconferencing – appropriate policies, privacy controls; and (4) Backup – approved storage destination, avoid data sprawl. Although I really haven’t evaluated the effectiveness and efficiency of the IT Governance of our company, most especially about application security, I will certainly look for these controls and check how they are addressing the risks when an engagement is already planned and scheduled for audit.

Speaking of videoconferencing, our management committee meetings have recently been conducted via a famous videoconferencing platform called Zoom as part of our new normal. Our IT Head warned the management team about continued usage of Zoom, and forwarded an article link about the cybersecurity issues raised against Zoom. When I read the Business Insider article entitled “Zoom’s security and privacy problems are snowballing”, I learned that the videoconferencing service Zoom faces multiple reported security issues as both use and scrutiny increase. Reports surfaced that Zoom didn’t use end-to-end encryption for its video meetings and had leaked thousands of email addresses and photos of people in the company directory to strangers. Compounding its security woes, the Windows version of Zoom is reportedly vulnerable to attackers who could send malicious links to users’ chat interfaces and gain access to their email passwords. This bad news affected Zoom’s reputation, leading its stock price to plummet sharply. More people are discovering problems, and there is also more frustration because opting out isn’t an option.

Cybersecurity Risk Assessment and Mitigation

I personally think that these multiple criticisms are more than just a cybersecurity issue because they also involve data privacy violations. While none of my colleagues are affected by this kind of issue, I believe something must be done in order to mitigate those risks. One of the key measures to reduce risks and prevent cyber attacks is establishing a formal policy. Data Protection Policies and practices should be clearly defined and documented in order to be effective. This would give me an opportunity to recommend the implementation of an employee security awareness program and operationalize it by creating a Risk Assessment Security Team (whose responsibility includes identification of assets and risks as well as prioritization of high-rated risks). Likewise, team communication and implementation of behavioral change are necessary to motivate staff as part of the solution. By engaging and training staff on cybersecurity and IT-related seminars (discussions focusing on strong passwords, data privacy, incident reporting and social engineering, among others), the workforce will be encouraged to apply the best of their ability by doing their part in promoting robust cybersecurity in the company, and at home.

Internal Control and Internal Audit

I’ve learned a great deal from the webinar. I think back on the days the internal audit team gave recommendations to the management committee of my former company to improve the IT Security process of the organization based on best practices and relevant IT-specific international standards, to wit:

(1) Perform access review of network, systems and shared files. Ensure access to critical data is limited to authorized individuals, particularly on access to files of resigned and/or transferred employees.

(2) Review current Technological Resources Policy. Address possible security and access risks and threats on the use of mobile technology within the network (e.g., smartphones, laptops, tablets, etc.).

(3) Conduct analysis of the recurrence of threats. Enhance the monitoring of endpoint security to include measurement and analysis of threats to ensure the trends are summarized and related treatment or security measures are considered.

IT Hacks beyond Covid-19

Well, this has led to a self-realization that these cybersecurity tips and good IT hacks already existed even before this deadly coronavirus invaded the whole world. All it needed was actually a real scenario for the rest of the world to appreciate their value and importance to the business.

Now, for those companies which are lenient and not so adamant about strengthening their cybersecurity policies and measures, they are now probably scrambling to fight for their survival in this digitally-driven world. I don’t even think activating their un-updated business continuity plans and whatnot can help them at all. As risk management principles put it, planning for crisis management during a pandemic is not effective planning at all.

This could be a game changer for those who are already in an advanced state where implementation of IT control systems is being efficiently practiced, resulting in saving them all from cyber threats.

Conclusion

In life, there is no such thing as a rewind button. However, it gives an opportunity for everyone to reflect on this unparalleled situation. I hope everyone can learn something from this global crisis in terms of staying relevant, adaptable and hack-proof by establishing an effective cyber risk strategy and measures to mitigate the destructive impacts brought about by cybercrimes. Adapting to Covid-19 cybersecurity considerations certainly goes a long way.

Finally, let me conclude this personal learning in the new normal by stating that rough days don’t last, strong people (and cybersecurity controls) do!

6 Replies to “Life in the New Normal: Adapting to Covid-19 Cybersecurity Considerations”

  1. Moments Online

    The increase in cybersecurity during these times of covid-19 is to be expected, seeing as how most people will be online and with their gadgets more than normal due to physical restrictions (movement) to curb the spread of the virus. Masquerading surely will be one of the tactics used by fraudulent persons online to phish for information for their own benefit. Tightening security around our gadgets and accounts is necessary, especially for Google accounts; using more than one verification method should keep accounts from being easily hacked; preventing browsers from saving our information whenever we log in to our or any account is another safety measure, as well as not opening any untrustworthy emails; clearing our browser history is also among the list of safety measures. Practice these and more.

    Let us all stay safe and secure during times like this.

    • vivomigsgee

      I’m glad that we have the same opinion on these cybersecurity issues. I hope this article could help a lot of readers in order to protect themselves from online crimes and other privacy matters.

    • vivomigsgee

      Awwwe, I’m touched and happy that you like my article. Will surely write more relevant content on cyberwellness.
