Given the increase in cybercrimes, companies must focus on acceptable use of office assets and networks
By Jayant Saran
The Indian government’s efforts to contain the spread of Covid-19 have resulted in significant business disruptions. Organisations have sought to minimise these by enabling remote working provisions. Technologies like video conferencing, VPN solutions, cloud enablement, etc, are being used to facilitate smooth business continuity. However, these could be putting additional pressure on internal cyber security teams.
It is challenging enough for cyber security teams to constantly defend an organisation’s networks from cyber criminals and malicious insiders when the workforce operates from the controlled environment of the office premises. Working from home, where a majority of staff may use unprotected personal networks, opens up organisations to a completely different level of fraud and cybercrime risks.
The cybercriminal community runs a global business that requires little to no physical human interaction. So, while many of us are operating outside our comfort zones by working remotely, cybercriminals are in a powerful position, and they have their targets exactly where they want them.
Research shows a spike in email-based cyberattacks in Italy between February and March 2020, when the country was going through a spike in Covid-19 related cases. A number of these appeared to be related to Covid-19 information, but were later found to be either phishing emails or those containing malware/ransomware.
India is currently witnessing a rise in emails related to Covid-19. Most of these contain attachments on charity, research, etc. Some are from businesses claiming to deliver essentials to one’s residence, or redirect one to web links.
Unfortunately, given the current circumstances, the possibility of such emails being opened, and of individuals becoming targets of cybercrime, is high. The impact of this can be magnified if these emails are opened on office-provided laptops with minimum internet security while being actively connected to the office network. Malware infections can speedily spread across office networks. Online meeting platforms have become the newest targets of cyber criminals.
Some organisations had to urgently procure laptops to enable their staff to work remotely. Most leading laptop manufacturers, with facilities in China, have been unsuccessful in meeting the rising demand for laptops at such short notice, resulting in increased sales of refurbished laptops from local sellers. Several organisations have also allowed their staff to use their personal devices to access office networks. Risks arising from the software these systems use (operating system, anti-virus, etc) need to be mitigated.
Organisations also need to address whether enterprise business applications, including security applications such as Data Loss Prevention (DLP), can be installed while complying with the licensing terms and liabilities. There could be instances of breach or leakage of sensitive company data residing on machines that cyber security teams cannot monitor.
An increased focus on reiteration of data confidentiality, cybercrime, social engineering, and acceptable use of office assets could help companies through this period. Companies holding Personally Identifiable Information (PII) of customers, and those who are highly vulnerable to data breaches, should consider engaging agencies to monitor the extended web for any indicators of breach.
More than anything else, organisations need to remain vigilant and responsive to cybercrime and associated risks. No company would want to come out of the present crisis and immediately fall into another.
(The author is Partner, Deloitte India. Co-authored by Sachin Yadav and Archana Venkat, directors, Deloitte India. Views are personal.)