Takeaways

Organizations preparing for COVID-19 are testing and implementing business continuity plans to address the situation and anticipated fallout.
There are several steps you can take to ensure your IT and cybersecurity readiness.

Business disruptions as a result of COVID-19 are already occurring, but effective business continuity planning and implementation can minimize adverse impacts to the company. Now is the time for companies to review their plans and make sure they adequately address the circumstances we face, or modify them as needed. IT systems and cybersecurity are typically core to business continuity and, for many companies, deserve particular attention to protect operations and guard against heightened cybersecurity attacks associated with major news events.

Virtually every aspect of business continuity planning has an IT systems component, as access to systems and data will be required wherever and however the business is being conducted. Many companies are testing their plans, including testing telework arrangements, remote meeting capabilities, and planning to relocate business activities to, or route supply chains through, alternative locations. Beyond logistics, good plans provide for regular and effective communication to promote successful implementation and minimize confusion and uncertainty, which can diminish already-strained productivity and result in security and functionality oversights.

To prepare for deployment of business continuity plans that utilize telework or alternative business locations while minimizing additional cybersecurity risk, businesses should consider the following possible steps:

  1. IT System Readiness: Confirm that the IT Department is appropriately dedicating attention and prioritizing risks to your organization’s cyber systems and telework arrangements.
  2. Training and Communication: It is important to train employees and test business continuity plans that rely on personnel using IT systems and devices in ways that are different than normal usage. Distribute training and reference materials to employees carefully explaining how they are expected to utilize systems in a telework environment. Employees should be instructed on how they should access the systems and reminded of the cybersecurity precautions that they should utilize as they work remotely, including taking care with respect to their surroundings, phone calls, printing and system access.
  3. Testing: Test telework and alternative work arrangements by having employees work in the planned alternative location. Questions and problems with accessing and using systems remotely become apparent during a test on a small-scale basis. To avoid issues becoming significant problems during a large-scale deployment of a business continuity plan, consider whether issues that arose during a test warrant a revision of employee instructions or communications.
  4. Cybersecurity Program: Confirm the cybersecurity readiness of the company’s remote access plans. It is important that remote access systems have been fully patched and that all devices being utilized have properly configured firewalls, anti-malware and intrusion prevention software.
  5. System Capacity: Consider the impact of the increased capacity demands needed to support remote access, including on IT systems, personnel and phone systems.
  6. Access Controls: Multi-factor authentication is important on all remote systems to ensure that the systems are being accessed remotely by legitimate, trustworthy personnel. Employees should be reminded of the importance of these systems, as well as the importance of keeping their authentication mechanism available and secure, including any token or device required for access.
  7. Password Management: Employees should be reminded of the importance of keeping strong passwords, changing them frequently, and protecting those passwords when using their systems in a remote location.
  8. Phishing and Social Engineering: Raise employee awareness of the possibility that bad actors will use fear over COVID-19 to design phishing emails attempting to trick victims into revealing information. Remind employees of the importance of taking steps to avoid phishing and social engineering attempts to breach their systems and information, and that they should never click on links in unsolicited emails or reveal personal or financial information in response to emails.
  9. Vendor Management: Check in with key third-party service providers to ensure readiness and planning. In the event of their own increased customer demands, do vendors you rely on have the right plans in place to ensure they will be able to provide service to your workforce? Have they tested their systems? Take steps to confirm the readiness of key vendors.
  10. Regulatory Obligations: Consider regulatory obligations, including any reporting obligations that may exist under both normal operations like regulatory reporting and those that may be triggered by unusual or emergency circumstances. Arrangements should be made to satisfy any governmental or regulatory reporting that may need to be submitted, including testing the adequacy and security of remote systems to make sure reporting.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.