Cybersecurity Risk Management: How Companies Are Responding to COVID-19 and Remote Work

App Development
Sydney Wess
10/27/2020

Companies are making strides to prevent cyber attacks as they prepare their remote workforce for various threats during COVID-19. Businesses are implementing new risk management measures such as two-factor authentication and required VPNs to secure company data.

When COVID-19 was declared a pandemic in March 2020, people searched Google for information on health, wellness, and, surprisingly, cybersecurity.

In fact, the search team “how to remove a virus” increased 42% in search volume in March 2020 alone.

Remote work strained IT infrastructures across industries. Individuals, companies, and government organizations have struggled with an influx of cyber attacks as the pandemic persists.

Visual Objects surveyed 500 full-time employees in the United States to understand how companies are handling cybersecurity with many employees working remotely.

cybersecurity measures required during COVID-19

Measures such as secure WiFi networks, training employees to spot phishing emails, two-factor authentication, and virtual private networks help companies keep their IT infrastructure safe during COVID-19.

How Are Companies Preventing Cyber Attacks During COVID-19?

  • Employees at two-thirds of companies (66%) are taking work computers and devices home during the pandemic to keep work and personal data separate. 
  • 35% of companies require employees to use secure WiFi networks for work activities.
  • About one-third of companies (31%) require remote employees to use virtual private networks (VPNs).
  • 31% of companies use two-factor authentication (2FA) to protect employee accounts and data during COVID-19.
  • Phishing training is practiced by only one-third of companies (32%), despite an increase in phishing scams during the pandemic.
  • 34% of companies are not practicing any of these cybersecurity measures, leaving their remote workforce more vulnerable to cyber attacks.   

Employees at Two-Thirds of Companies Are Taking Work Devices Home

With many employees working remotely, some equipment normally housed in office buildings has found a new home in living rooms and home offices.

Since the COVID-19 pandemic began, employees at 66% of companies have taken home devices such as work computers.

employees took home work devices during COVID-19

Personal devices are often used on public, unsecured networks and are more vulnerable to attack. Companies often prefer that employees working from home do so on company devices. 

Chris Blunt, CEO of cybersecurity firm BrokenStones, believes employees invite cyber threats when working on personal devices rather than a secure work computer. 

“To me, the riskiest approach is using personal machines,” Blunt said. “If you’ve got your work machines set up properly and the right remote access systems in place, then taking your work computers home is a good, cost-effective option.”

“If you’ve got your work machines set up properly and the right remote access systems in place, then taking your work computers home is a good, cost-effective option.”

Blunt also recommends companies ensure that security protections such as ransomware and software patches are up-to-date and active throughout the entirety of a firm’s remote network. 

Benedict Jones, CEO of mobile security solution Traced, agrees that taking home secure work devices is beneficial for data safety. Jones also warns that cyber attackers commonly target mobile devices, so employees should avoid using personal phones for work when possible.

“Work emails, access to internal systems, and web browsing for work purposes are happening on mobile devices all the time,” Jones said. “[Mobile devices are] an incredibly common attack vector used by attackers to pilfer corporate and sensitive data.”

Encouraging employees to take work devices home comes with risks. In particular, companies should be ready to lock and wipe devices in the event that they are lost or stolen.

Having employees work from company devices, even remotely, is a simple, cost-efficient way for businesses to practice proper cybersecurity.

Secure WiFi Networks Are a Common Cybersecurity Protocol for Companies 

Companies are more likely to require employees to work from secure WiFi networks than any other cybersecurity practice during COVID-19 remote work.

Currently, 35% of companies mandate using a secure WiFi network.

secure wifi network is a way to manage cybersecurity risks

Proper security measures are inexpensive to implement on WiFi networks and help protect devices from attacks.

Tilly Holland, marketing manager of data recovery and management company Ontrack, believes that secure WiFi networks are essential for anyone working remotely.

“Public WiFi hotspots are characteristically weak and are ripe pickings for hackers to collect and steal data,” Holland said. “Cybercriminals can also take advantage [of public networks] by infecting devices with viruses that can easily spread throughout the network once people are back in the office.”

“Public WiFi hotspots are characteristically weak and are ripe pickings for hackers to collect and steal data."

Working on public WiFi networks can lead to the following cyber attacks:

  • Man-in-the-middle attacks: Hackers situate themselves in the middle of victims and their company, impersonating both parties to obtain information.
  • Malware: Hackers trigger software created to damage a device or network.
  • Worms: Hackers target security gaps to launch a malicious program that spreads from device to device without human action.
  • Packet sniffers: Hackers collect and log information moving through networks by locating a security gap.

Private networks prevent these cyber attacks by making it more difficult for cybercriminals to monitor your online activity. 

Having employees connect to secure WiFi networks while working remotely helps prevent cyber threats.

Enterprise VPNs Are Widely-Used and Promote Safe Data Sharing

Virtual private networks (VPNs) are the most secure way to protect sensitive work data in a remote setting.

About one-third of companies (31%) are using enterprise VPNs to secure their networks during COVID-19.

using vpns for work is a way to manage cybersecurity risks

VPNs offer an extra layer of protection through the encryption of work data. When companies encrypt data, they encode it so only VPN users can access the information. This serves as a critical line of defense in the event of a secure WiFi network failure. 

Regardless of a worker’s location, VPNs privatize online activity between members of the company’s network. Darren Deslatte, vulnerability operations leader of technology firm Entrust Solutions, believes VPNs are a vital part of any remote company’s operations.

“[A VPN] ensures that any work, logins, or sensitive data accessed while on the network are practically untraceable by others, including cybercriminals,” Deslatte said.

“[A VPN] ensures that any work, logins, or sensitive data accessed while on the network are practically untraceable by others, including cybercriminals.”

Without a VPN, remote workforces must rely on their personal WiFi setup for sustained security. Even password-protected home WiFi networks can leave employees more vulnerable to threats than office networks.

Enterprise VPNs offer enhanced security protections for companies with a significant remote workforce.

Two-Factor Authentication Makes Security Easier for Employees

Two-Factor authentication (2FA) became a widespread corporate cybersecurity practice after employees began working remotely due to the pandemic.

Currently, 31% of companies require 2FA for work accounts.

two-factor authentication is a way to manage cybersecurity risks

Cybercriminals are able to predict and deduce passwords based on common creation patterns that guess passwords based on requirements and expected formatting. A Verizon report found that 80% of hacking breaches involved weak, stolen, or basic passwords.

2FA protects employees from cyber attackers by pairing password requirements with authentication through something in the user’s possession, such as a smartphone or secondary account.

Many cybersecurity directors are proponents of 2FA because it secures user accounts without requiring much extra work from employees. Jasmine Henry is the cybersecurity director at Esper, an Android DevOps platform. Henry firmly believes that 2FA should be a standard cybersecurity protocol across companies.

“Passwords are over,” Henry said. “2FA is a mandatory minimum for cybersecurity, especially since remote work makes it harder to detect common signs of an unauthorized login.”

“Passwords are over. [Two-factor authentication] is a mandatory minimum for cybersecurity, especially since remote work makes it harder to detect common signs of an unauthorized login.”

Even if employees have different passwords for each account, Henry says a hacker can figure out a unique, eight-character password in less than an hour. Plus, there are more than 15 billion stolen logins available for hackers on the dark web.

2FA is a simple cybersecurity protocol for companies to institute and is effective in securing user accounts during remote work. 

Phishing Training Is Essential to Email Security During Remote Work

Phishing training enables employees to identify and avoid potential phishing scams that may compromise a company’s private data.

During the pandemic, less than one-third (32%) of companies are offering phishing training for employees.

Phishing is the act of sending emails while posing as a legitimate organization to obtain personal information and data from recipients.

phishing training helps with cybersecurity risk management

Phishing scams are the leading cause of worldwide cyber attacks. Edward Marchewka, founder of information security company CHICAGO Metrics, warns that companies should be focusing more closely on phishing to keep data secure. 

“I have worked at several organizations over the years, and every one of them has been a target of a phishing attack,” Marchewka said. “Email filters are getting better at stopping the obvious ones, but extra measures are necessary, including continual training.” 

Marchewka believes phishing training is essential to security during the pandemic, while employees are more vulnerable to scams working from home.

What Should Employees Know About Phishing?

Can you get a virus from opening an email?

No, but employees need to be wary of clicking on links within emails. Generally, viruses such as worms and Trojan horses will be triggered after someone clicks on an attachment or link within a phishing email.

What does a phishing scam look like?

Zach Fuller is head of business operations at Silent Sector, a cybersecurity services provider. In his investigations, unsuspecting victims may fall for simple phishing techniques without proper awareness training.

“One company had almost 2,000 machines across multiple offices infected with ransomware because an employee clicked on a phishing email promising a $20 Starbucks gift card,” Fuller recalled.

How common is phishing?

Phishing is the most common cybercrime, especially during the pandemic and remote work. Cyber attacks in the workplace start with a phishing email 80% of the time

Phishing scams have become more prevalent during COVID-19. Some cybercriminals have even taken to sending COVID-themed emails that impersonate government agencies, prompting victims to reply with their personal information.

Who do phishing emails impersonate?

Henry advises remote workers to be wary of phishing emails that impersonate their colleagues, CEO, or senior staff members. She recommends that employees verify any suspicious emails with the sender through another communication channel, such as Slack or a phone call.

Why is phishing awareness important for remote workers?

Employees may be more likely to fall for a phishing attack during remote work because they are relying on email rather than in-person office conversations. Phishing awareness training is important for employees as attackers devise new, targeted scams during COVID-19.

Some Companies Aren’t Practicing Common Cybersecurity Protocols During COVID-19

Despite the increased risk of cyber attacks in a remote work environment, some companies have maintained relaxed cybersecurity protocols.

Currently, more than one-third (34%) of companies don’t follow common cybersecurity practices.

companies have not required common cybersecurity protocols during COVID-19

According to Deslatte and Henry, companies may be hesitant to increase their focus on cybersecurity due to cost. There may also be concerns about smoothly implementing new cybersecurity protocols in a remote setting. 

However, experts agree that a cybersecurity breach could be much more costly than implementing new cybersecurity practices. Deslatte feels that more companies should turn their attention to cybersecurity, especially in a remote work environment. 

“A single data breach can easily shutter a business forever, which is why it’s important to maintain your cybersecurity at all times, even in difficult circumstances,” Deslatte said.

“A single data breach can easily shutter a business forever, which is why it’s important to maintain your cybersecurity at all times, even in difficult circumstances.”

Companies not only are responsible for recovering compromised data or equipment following an attack but also may also have to address marketing or reputation management issues. 

Cyber attacks are increasingly common during the COVID-19 pandemic. Blunt indicated that it’s safest for companies to expect and prepare for a security threat of some kind while employees are working remotely. 

“It's basically guaranteed that organizations will face common security risks, like phishing or weak employee passwords,” Blunt said. “Doing the basics is essential.”

Remote Work Requires Cybersecurity Protocols to Ensure Data Safety

Experts are calling for a renewed focus on cybersecurity during COVID-19. As more employees work remotely, companies may be vulnerable to a cyberattack. 

At this point in the pandemic, employees at the majority of companies have taken work devices home. This allows them to connect to company networks and keep work and personal data separate.

After months of remote work, companies are:

  • Requiring that employees connect to a secure WiFi network
  • Expanding security with VPNs
  • Securing email and work accounts with two-factor authentication
  • Offering phishing awareness training

Despite the increased risk of cyber attacks with more people working remotely, some companies are taking a relaxed approach to cybersecurity risk management during COVID-19. 

Experts acknowledge the challenges of implementing new protocols during a pandemic but universally encourage companies to require basic security measures during remote work and beyond.

About The Survey

Visual Objects surveyed 500 full-time employees in the United States from September 17- 23, 2020.

51% of respondents are male; 40% of respondents are female; 9% of respondents did not provide their gender. 

23% of respondents are ages 18-34; 38% are 35-54; 29% of respondents are 55 or older; 11% of respondents did not give their age.

34% of respondents are from the Midwest; 33% are from the South; 23% are from the West; 11% are from the Northeast.