Remote working due to the COVID-19 pandemic heightens existing cyber risks and introduces new ones for many organisations. The key assurance question for boards, and for you as internal auditors, is whether the internal control environment is robust enough to protect the organisation during this time.
According to one security vendor, phishing emails have increased 600% during the pandemic. As with the virus itself, no one is immune: all sectors and individuals are being targeted and need to be alert.
We have listed many controls; depending on your organisation's size, sector and maturity, not all of them may be possible at the moment. Assurance in times of crisis is about controls being reasonable and pragmatic, not textbook.
Key takeaways
Be alert to cyber issues on networked devices
Be hypervigilant to phishing attacks
Be mindful of sensitive data and regulations
Cyber criminals are busy
Malicious and mischievous hackers have plenty of time on their hands during lockdown, increasing and compounding the risk of unauthorised system access while employees are forced to work remotely.
Coronavirus is being used extensively as bait in emails and websites to distribute malicious attachments and to harvest login and financial details. The content often preys on emotion and uncertainty in an attempt to bypass training and rational responses. This video from cybersecurity experts Cygenta looks at the red flags to watch out for at the moment.
All the major security vendors are reporting massive spikes in attacks including scams, brand impersonation, blackmail and business email compromise.
Phishing controls
Remind employees about the dangers by email and tele/video-conference
If a communication is unexpected and triggers an emotional response, be wary. Current lures include:
Donation requests from legitimate organisations
Free voucher offers from supermarkets
Financial support from government
Verify the details with a trusted source (for example the organisation's official website, reached by typing the address rather than following the link in the message) before taking action
Online training or refresher course, ideally with a test. If the company does not have one, consider asking the CIO to record a video to share, or use one of the many YouTube tutorials available
IT administrators alert to changes in the external threat environment and communicating new threats to employees
System patches installed promptly across the network
Robust network firewall
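The "verify the details before taking action" control can be applied mechanically as well as by people: a mail gateway or user-facing report can flag links whose visible text names one site while the underlying address goes somewhere else, links to bare IP addresses, and unencrypted links. The script below is an added example, not code from the original article or from Cygenta. The sample email body is constructed for the example, and the registrable-domain check is a deliberate simplification (last two labels of the host) that a production tool would replace with the Public Suffix List.

```python
"""Surface common phishing red flags in an HTML email body (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample lure, not a real message: one link whose visible text
# shows gov.uk while the href goes elsewhere, and one link to an IP address.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, you are eligible for a government support payment.</p>
<p>Apply now: <a href="http://gov-uk-support.example.net/claim">https://www.gov.uk/coronavirus</a></p>
<p>Or <a href="http://203.0.113.10/login">log in here</a> to confirm your details.</p>
<p>Questions? <a href="https://www.gov.uk/contact">https://www.gov.uk/contact</a></p>
"""

# Visible anchor text that itself looks like a URL or bare domain.
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of the host. Simplified on purpose: a production check
    should use the Public Suffix List (e.g. the publicsuffix2 package)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def link_flags(href, text):
    """Return the list of red flags for one link (empty list means none found)."""
    flags = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if not host:
        return flags
    if is_ip_literal(host):
        flags.append("ip-literal host")
    if parsed.scheme == "http":
        flags.append("unencrypted http link")
    if URL_LIKE.match(text):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and registrable_domain(shown) != registrable_domain(host):
            flags.append(f"visible text points to {shown} but link goes to {host}")
    return flags


def suspicious_links(html):
    """Return [{'href', 'text', 'flags'}] for every link carrying at least one flag."""
    collector = _LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        flags = link_flags(href, text)
        if flags:
            results.append({"href": href, "text": text, "flags": flags})
    return results


if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{hit['href']!r} shown as {hit['text']!r}: {', '.join(hit['flags'])}")
```

Run against the sample, the gov.uk contact link passes while the other two are flagged. Treat the output as a prompt for the "check with a trusted source" step rather than a verdict: legitimate marketing mail routinely uses tracking redirectors that would also trip the mismatch rule.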
According to MP Dean Russell, a member of the Health and Social Care Select Committee, "this is a new low for cyber-criminals, who are acting like piranha fish, cowardly attacking people en masse when they are at their most vulnerable. It's vital that the public remain vigilant against scam emails during this challenging time."
Heightened cyber risks of remote working
While some organisations were geared up for employees to work remotely, for others the need to allow people to work from home was a scenario they were unprepared for, with a scramble to source adequate equipment. Think about the scenario not just in your own organisation but in suppliers and partners, particularly smaller companies.
Communication is central to our working lives, and social distancing has increased reliance on collaboration and conferencing software. There is a plethora of choice on the market. It is important that organisations determine their approach based on need and a risk assessment, to prevent employees making their own arrangements.
Which software is your organisation using?
How was this decision made – was security considered?
Has the decision been effectively communicated?
Have employees been given training/guidance on using the software?
Are employees blocked from using alternatives?
Remote working depends on broadband. Services vary across the country, and organisations should not assume that all employees have reliable access, whether because of local infrastructure or their own financial priorities.
Remote working controls
Maintain a comprehensive remote working policy
Work screens should not be visible through a window facing a public space. Workspace will be a major challenge for some employees, and organisations may need to weigh security against productivity (risk appetite)
Work screens must be locked when not in use to protect against unauthorised access by other members of the household
Computers should not be on public display and should be securely stored when not in use. This is about reasonable protection, as with any valuables in the home
Instruct employees to secure their home Wi-Fi networks; public networks must not be used. Issue specific guidance to employees living in shared houses so that additional device security measures are used, such as personal routers and VPNs
Remind employees to maintain professional boundaries and conduct personal business/browsing on personal not corporate devices
Issue guidance if employees are required to use personal devices to work remotely, including minimum security requirements and disconnecting from corporate networks before conducting personal business
Automated monitoring that alerts when the corporate VPN is switched off (a Virtual Private Network creates an encrypted, authenticated tunnel between an employee's computer and the corporate network; end users often turn their VPN off to improve performance, which puts their traffic outside the organisation's protection and monitoring)
Maintain sufficient IT cover to support employees working remotely. This could be as simple as a peer network where normal expertise is unavailable.
Where companies are operating a skeleton IT support team, force software updates to maintain the security of the network; do not allow end users to defer or ignore update requests indefinitely
Procure adequate insurance to cover equipment used by remote employees
If appropriate, temporarily restrict access to sensitive data for furloughed employees and non-essential users
Where sufficient IT expertise is available, organisations can analyse data changes and access for irregularities against normal patterns; these may indicate malicious employee actions such as data theft, fraud or misuse
A common bugbear for internal auditors and IT administrators is the use of shared passwords; despite the warnings, employees often use them to make their jobs easier. With the vast majority of employees working remotely the impact of this increases, and organisations need to confront the threat. If shared passwords are a known or suspected issue, introducing a secondary authentication factor (multi-factor authentication), which ties each login to something only the individual holds, is a prudent mitigation.
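Two of the controls above, alerting when the corporate VPN is switched off and looking for irregular access patterns that betray shared credentials, can both be run from the VPN concentrator's session logs. The script below is an added example written for this page, not code from the original article or any vendor. The key=value log format, the user names and the addresses are constructed for the example; the working-hours window, the 15-minute reconnect grace period and the analysis window end are assumptions to tune for your organisation.

```python
"""Two detections over VPN concentrator logs (added example).

1. vpn_off_alerts: a user disconnected from the corporate VPN during working
   hours and did not reconnect within a grace period, so their traffic is
   outside corporate protection and monitoring.
2. shared_account_alerts: one account holds sessions from two different
   source addresses at the same time, a common symptom of a shared password.

The key=value syslog-style format is constructed for this example; map the
field names to whatever your concentrator actually emits.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample log: three users over one working day (UTC).
SAMPLE_VPN_LOG = """\
2020-04-14T08:58:03Z user=alice event=connect src=198.51.100.7
2020-04-14T09:00:21Z user=bob event=connect src=203.0.113.45
2020-04-14T10:15:40Z user=alice event=disconnect src=198.51.100.7
2020-04-14T10:19:02Z user=alice event=connect src=198.51.100.7
2020-04-14T11:30:00Z user=bob event=disconnect src=203.0.113.45
2020-04-14T12:05:17Z user=carol event=connect src=192.0.2.88
2020-04-14T12:07:49Z user=carol event=connect src=198.51.100.200
2020-04-14T17:45:10Z user=alice event=disconnect src=198.51.100.7
"""
# Assumed end of the analysis window (when the detection job runs).
WINDOW_END = datetime(2020, 4, 14, 18, 0, 0)

# Assumed policy parameters; tune to the organisation.
WORKING_START = time(9, 0)
WORKING_END = time(17, 30)
RECONNECT_GRACE = timedelta(minutes=15)


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": fields["user"],
            "event": fields["event"].lower(),
            "src": fields["src"],
        })
    return sorted(events, key=lambda e: e["ts"])


def in_working_hours(ts):
    return WORKING_START <= ts.time() < WORKING_END


def vpn_off_alerts(events, window_end, grace=RECONNECT_GRACE):
    """One alert per working-hours disconnect not followed by a reconnect within `grace`."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["event"] != "disconnect" or not in_working_hours(e["ts"]):
                continue
            reconnect = next((x for x in evs[i + 1:] if x["event"] == "connect"), None)
            back_at = reconnect["ts"] if reconnect else window_end
            if back_at - e["ts"] > grace:
                alerts.append({"user": user, "off_since": e["ts"], "off_for": back_at - e["ts"]})
    return alerts


def shared_account_alerts(events):
    """Alert when an account has simultaneous sessions from more than one source address."""
    active = defaultdict(set)   # user -> source addresses with an open session
    flagged = {}
    for e in events:
        sessions = active[e["user"]]
        if e["event"] == "connect":
            sessions.add(e["src"])
            if len(sessions) > 1:
                entry = flagged.setdefault(
                    e["user"], {"user": e["user"], "first_seen": e["ts"], "sources": set()})
                entry["sources"] |= sessions
        elif e["event"] == "disconnect":
            sessions.discard(e["src"])
    return list(flagged.values())


if __name__ == "__main__":
    evs = parse_events(SAMPLE_VPN_LOG)
    for a in vpn_off_alerts(evs, WINDOW_END):
        print(f"ALERT vpn-off      user={a['user']} since={a['off_since']:%H:%M} off_for={a['off_for']}")
    for a in shared_account_alerts(evs):
        print(f"ALERT shared-creds user={a['user']} sources={sorted(a['sources'])}")
```

On the sample, alice's short mid-morning drop and her after-hours disconnect are ignored, bob is flagged for being off the VPN from 11:30, and carol is flagged for two simultaneous sessions from different addresses. Both outputs are investigation triggers rather than proof: a laptop switching from home Wi-Fi to a phone hotspot can briefly show two addresses, and many concentrators allow only one session per account, in which case the shared-credential signal to look for is repeated logins from unrelated addresses in quick succession.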
Sensitive data
Many employees working from home will be working with, or have access to, personal or commercially sensitive data that may be protected by legislation or industry standards such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS). Within financial services there will be additional regulatory requirements around data imposed by the Financial Conduct Authority.
Can existing processes be complied with when working remotely?
Has a risk assessment been conducted, and what actions followed?
What regulatory guidance has been issued specific to the COVID-19 situation?
What assurance is being provided over new/adapted processes?
Additional remote working controls
Clean desk policy must be maintained: sensitive data must not be written down on paper
If account data is ever written or printed on paper, ensure it is securely stored and disposed of appropriately when no longer needed
Use of PCI DSS compliant systems
Use of multi-factor authentication
Depending on the nature of the work and the culture of the organisation, it is possible to use software to remotely monitor employee activity where appropriate prior authorisation exists. It is good practice to consult employees and unions as part of this. According to UK government guidance, employers must explain the extent of monitoring clearly in the staff handbook or contract. They should tell workers:
if they’re being monitored
what counts as a reasonable number of personal emails and phone calls
if personal emails and calls are not allowed.
Examples of tracking available with remote monitoring software include:
on-screen activity
audio input and output
keystrokes
opened folders and files
executed commands.
Remote working wrap-up
Aside from cyber issues, there are other considerations that employers need to take into account when their workforce is working from home. Here is a list of key points to consider if providing assurance over this topic.
Has the organisation:
Been realistic in what can be achieved by a remote workforce and adjusted expectations/performance objectives accordingly?
Made provisions (flexible working, furlough, reassignment) for employees with specific needs, such as shielding, childcare, caring responsibilities and disabilities, that restrict remote working?
Briefed individuals on health and safety requirements and confirmed that they have arranged an adequate workspace? While individuals must take personal responsibility, organisations remain accountable.
Ensured individuals have the equipment required to perform the role expected of them? This might be as simple as reimbursing an employee for a printer cartridge or extend to using a courier to deliver items.
Clearly communicated the protocol for reimbursement of work-related expenses such as printer cartridges, stationery and phone calls?
Addressed the issue of increased utility costs for employees working from home? Some organisations may be in a position to introduce an ‘ad hoc’ payment to compensate for additional costs, others may offer advice to employees in claiming appropriate tax relief.
Instructed line managers to maintain regular contact to check on employee welfare, particularly feelings of isolation?
Encouraged (via human resources/line management) employees to talk about mental health, including remaining mentally and physically active outside of working hours? This may also extend to advising line managers of warning signs to be alert to, and of support networks to which employees can be referred for professional help.
Confirmed insurance arrangements to employees and suggested that they should check with their personal home insurance, mortgage provider and/or landlord that there are no issues with them working from home? It is unlikely to be an issue but a prudent step.
Started to plan strategically for different return to work scenarios that can then be adapted to meet government guidelines once announced? One scenario for example could be a staggered return to continue social distancing; how could this be managed, which roles are critical, which employees are vulnerable etc.
Future thinking
COVID-19 brings many challenges for organisations, but it also has the potential to be a powerful game changer in ways of working, particularly for sectors and organisations that have previously been hesitant to enable employees to work remotely. There are wide-ranging benefits in reduced environmental impact, lower overhead costs including travel, agility and talent attraction. Internal auditors may want to think about the long-term sustainability of current practices and offer advice on control improvements to secure the control environment going forward.