COVID-19 return to work security plan

As lockdown measures are slowly eased across Ontario and the rest of Canada, organizations are preparing to return to the new COVID-19 workplace normal. But nothing is simple when it comes to navigating the uncharted waters of social distancing and industry-wide lockdowns–especially when it comes to developing a return-to-work security plan.

While a return to business may still be weeks away for organizations in some parts of the province, no one can afford to be idle. As a business owner/leader, you need to start planning today to ensure that your workplace is as safe and secure as possible once your employees return to the fold—and that you comply with all relevant government health and safety rules and regulations.

Security plays a key role

Of course, safety and security planning is about much more than ensuring the availability of sanitizers and protective equipment, ramped up hygiene practices, or establishing social distancing rules and protocols. Those are, of course, essential foundational elements. But there are many security-related components that need to be addressed in a comprehensive and strategic return-to-work plan, many of which will take time and resources to implement.

Cybersecurity, access control, monitoring employee movements and activities, and secure collaboration practices, are among many items that need to be integrated into a well-architected security plan. The good news is that your security provider can play an important role in helping develop and execute a fully-integrated strategy—one that addresses the new (and in some cases, rapidly evolving) demands around health and safety compliance, risk mitigation and technology.

A return-to-work security plan should cover everything from basic policies around distancing rules and staffing requirements (some organizations may resort to staggered hours, for example, or a combined office/work-from-home model to minimize personal contact), to more complex technological initiatives around health monitoring and building access and control.

Conduct a security infrastructure audit

An integral part of the initial planning stages is a thorough review of infrastructure equipment. Planners need to examine what needs to be improved or updated. Are repairs required due to the protracted pandemic shutdown? This is an especially important checklist item for facilities that have been fully closed for a long period of time.

Organizations will also have to familiarize themselves and their employees with the plethora of new safety protocols that are being introduced, including those established by public health authorities and/or the building managers, or your company itself. With that, extensive retraining for both security personnel and other staff will be needed before doors re-open for business. This will need to be refreshed as new guidelines evolve in the months to come.

Bear in mind that security personnel in particular may be required to perform additional services, from temperature checks and entrance/exit screening, to more frequent patrolling and social distancing enforcement.

Analyze cybersecurity vulnerabilities and requirements

With the rapid transition to a work-from-home business model, organizations should also be making time to review their cybersecurity protocols. During the recent, rapid escalation in remote workers accessing cloud-based services from multiple devices, organizations had little time to assess their network security in an in-depth way. Now that you have a bit of breathing space, it’s time to develop or enhance your current digital security strategy as part of your return-to-work plan. This should include a rapid redeployment backup plan in the event of a future shutdown.

A safe and secure workplace will likely involve new technology investments. As you plan, consider the role security solutions can play in reducing touching of surfaces; tracking and tracing movements to quickly isolate and address potential outbreak situations; or responding to social distancing infractions (e.g., alerts when employees enter a restricted area).

There are a number of technology enablers that can be integrated into existing security systems to meet the demands of a post-lockdown work environment and ensure that only authorized employees or visitors can enter your premises. Examples of tools being implemented right now across some organizations include swipe pads on doors, touchless registration, “smart” barriers at entrances and exits, biometric scanners, remote locking systems and pressure sensors, and mobile two-factor authentication.

Additional video surveillance systems, along with thermal scanners and face recognition software can help identify suspected infections, while tracking the contact and movements of anyone within range of a potentially infected person.

All of this needs to be supported by HR policies that clearly outline restricted areas, who has access, and policies around travel and sick leave—among others. Work with your HR team and potentially even a qualified labour and employment lawyer, to draft effective policies customized to the needs of your workplace and employee culture.

Getting your workplace ready to reopen

Global real estate firm Cushman & Wakefield has developed a document entitled Recovery Readiness: a How-To Guide For Reopening Your Workplace. It’s a handy starting point that outlines six guiding principles on how businesses can ensure a safe and efficient transition to workplace readiness.

Here is a distilled version of the principles:

  • Prepare the Building—Implement cleaning plans, pre-return inspections, and HVAC and mechanicals checks
  • Prepare the Workforce—Create policies for deciding who returns, shift/schedule management and employee communications
  • Control Access—Enforce protocols for safety and health checks, building reception, shipping/receiving, elevators and visitor policies
  • Create a Social Distancing Plan—Follow guidelines for decreasing density, schedule management and office traffic patterns
  • Reduce Touch Points and Increase Cleaning—Implement open doors, clean-desk policy, food plans and regular cleaning of common areas
  • Communicate for Confidence—Recognize the fear employees may feel in returning to the workplace and work with them to alleviate their anxiety

Plan early and be flexible

There’s no question there will be a great deal of uncertainty as organizations plan their return-to-work strategies.

“It will happen in phases, it will be very complex and it will look different for every organization,” Bill Knightly, Cushman & Wakefield’s Chief Operating Officer of Global Occupier Services, noted in a recent webinar. “We know progress is unlikely to be linear … We know the rules of the game are likely to change as we’ve seen inconsistent messaging from health authorities and governments around the world.”

That being said, a safety and security planning professional can help alleviate the uncertainty and tailor a fully integrated security plan to meet the specific needs of an organization and its workforce. The key is planning early and often as the situation evolves.

Winston Stewart, President and CEO

The latest cybersecurity survey by the Canadian Internet Registration Authority (CIRA) sheds light on the ongoing challenges that organizations of all sizes across industries face in protecting their data and networks from hackers.

According to the report, 71 per cent of Canadian organizations surveyed were the victim of some form of cyberattack in 2018. Nearly all of the respondents said that while “cybersecurity awareness training was at least somewhat effective in reducing incidents, only 22 percent conducted the training monthly or better.” Fewer than half (41 per cent) have actually mandated that training across their organizations.

Direct costs incurred in addressing these cyberattacks, as well as a negative impact on the victim’s brand, were the most damaging aspects of the incidents for affected organizations. Importantly, an earlier CIRA survey found that only 19 per cent of Canadians “… would continue to do business with an organization if their personal data were exposed in a cyberattack.” Only 48 per cent of organizations that had their data breached even reported the incident to their clients. A meagre 21 per cent made their board of directors aware that such a breach had occurred.

Meagre investments in cybersecurity

Perhaps most worrisome, a lack of resources was one of the main reasons why 43 per cent of respondents didn’t have specific systems, processes and talent dedicated to addressing cybersecurity vulnerabilities across their organization.

As the report notes:

“Canadian banks, schools, governments and businesses are still being taken down by cyberattacks, exposing customer data, paying ransoms to hackers, and losing valuable time recovering from breaches.

According to the annual Accenture Cost of Cybercrime survey, the average cost of investigating and remediating an attack among Canadian organizations last year was $9.25 million.”

A series of costly ransomware attacks targeting Ontario municipalities over the past year—not to mention companies ranging from SMEs to enterprise—underscore cybercriminals’ growing sophistication. But not in ways you may expect. The reality is the nefarious software used to extort unwitting communities and businesses is becoming more commoditized by the day. Even a novice hacker with access to the dark web can get their hands on ransomware relatively cheaply and quickly.

Hackers are becoming more sophisticated

What’s changing is how hackers are targeting organizations. Increasingly that means tricking everyone from managers to employees to open suspect attachments or visit dubious websites. From there cybercriminals can plant malware in a computer (and/or network) and wait to pounce. That process can take several months, during which time the hacker will collect information, observe behavioural patterns and then develop an attack strategy that will likely involve some form of data theft or financial extortion.

As the CIRA survey notes, more organizations than ever are taking cybersecurity training seriously. Many are mandating courses for employees and introducing new data-protection protocols. Is it helping? Definitely. But massive vulnerabilities still exist across organizations. The reason is that many leadership teams—and the security consultants they employ—are using a one-size-fits-all approach to training and compliance.

One of the greatest complaints that people have with cybersecurity is that defensive protocols tend to be so stringent they impair employees’ ability to do their jobs effectively. In some cases, they could compromise new business opportunities and in extreme scenarios, even revenue growth. When cybersecurity tools and training become too onerous to use, they’ll soon fall by the wayside. That’s why customizing that training and tailoring it to the needs of departments (or even individual employees, whenever possible) is a far more effective risk-mitigation approach.

In short, cybersecurity systems need to be designed to align with the operational requirements and work habits of real people.

Customization is key

That’s why it’s incumbent on cybersecurity service providers to ask a comprehensive list of questions before delivering training. What are your organization’s business objectives? How do your people work? Why are your workplace policies—in particular those that address the management of sensitive data and information—drafted as they are? Can they be updated or improved to address rapidly-increasing cybersecurity risk? How can we design and implement policies that keep your business secure, while ensuring that key processes in areas such as sales or operations aren’t unduly disrupted?

Of course, these are only a tiny handful of the queries your service provider should pose. In most cases, they’ll need to dig much deeper and work with individual managers or employees to design a pragmatic strategy that makes practical sense for your organization.

We should all glean lessons from the cyber malfeasants who are making the time to take a personalized approach to digital crime. Because if they can customize their approach to data theft, network vandalism or ransomware-driven extortion, we should be doing the same when it comes to developing and implementing plans to stop them in their tracks.

Winston Stewart, President and CEO

You know a situation is bad when even local governments are calling in the IT cavalry for help. But that’s the reality for municipalities struggling to combat increasingly frequent ransomware attacks that are targeting towns and cities across North America.

The problem is so severe that the Association of Municipalities of Ontario—a body that represents 444 of the province’s towns and cities—is encouraging greater information collecting and sharing between members, and calling on senior levels of government to provide funding to help protect their data and fend off this growing threat.

“AMO has also been urging the provincial and federal governments to work closely with municipal governments to help protect governments from cyberattacks, and to help public services weather attacks with less disruption,” AMO president Jamie McGarvey, the mayor of Parry Sound, Ont., told the Toronto Star in a recent article.

Ransomware—a type of cybercrime where a hacker seizes or encrypts data and demands some form of payment, often untrackable Bitcoin, for its release—isn’t just plaguing big cities such as Toronto. Smaller communities with less robust digital infrastructure are also prime targets. So far the victims include Wasaga Beach, Stratford and Midland, to name only a few. More are sure to follow.

A North America-wide problem

If it offers any comfort to municipalities and business owners in Ontario, a recent New York Times piece reminds us that hackers using ransomware to hijack public or private data do not discriminate when it comes to nationality. This is far from a Canadian phenomenon:

“More than 40 municipalities have been the victims of cyberattacks this year, from major cities such as Baltimore, Albany and Laredo, Tex., to smaller towns including Lake City, Fla. Lake City is one of the few cities to have paid a ransom demand — about $460,000 in Bitcoin, a cryptocurrency — because it thought reconstructing its systems would be even more costly.

In most ransomware cases, the identities and whereabouts of culprits are cloaked by clever digital diversions. Intelligence officials, using data collected by the National Security Agency and others in an effort to identify the sources of the hacking, say many have come from Eastern Europe, Iran and, in some cases, the United States. The majority have targeted small-town America, figuring that sleepy, cash-strapped local governments are the least likely to have updated their cyberdefenses or backed up their data.”

And therein lies the challenge. Many municipal governments have cut their IT budgets to such a degree (or never funded them properly in the first place) that their systems are virtually open to cyber criminals. In some cases, data is being held hostage for millions of dollars. While in many instances these crimes are being orchestrated by sophisticated organized crime syndicates, a skilled teenager with a laptop can manage the same feat with minimal effort.

It’s one thing to lock up the data of an SME, but what happens when entire hospitals or health care systems are shut down by a clever hacker with a grudge, or a desire to cash in? These attacks are becoming so sophisticated that civic agencies and businesses of all sizes and across industries are at risk.

A very human problem

As I’ve noted in previous blogs, most cybersecurity vulnerabilities stem from human error or negligence. Case in point: the town of Allentown, Pa., was targeted in a malware attack last year that shut down some municipal computers for weeks. The hacker exploited a vulnerability in a single employee’s laptop while that worker was on the road. Not surprisingly, the laptop hadn’t been updated to the latest software and was an easy target for the malware-toting hacker. That attack cost about $1 million to fix.

Now imagine that same unexpected cost taking a nasty bite out of your balance sheet and annual financial projections. When figures such as those are bandied about, it brings home the scope and seriousness of the problem—and underscores the need to take action.

That requires policies that ensure regular software updates of all machines, especially if your employees work off-site. It requires sufficient spending on IT, security and employee training. If we all agree that this is a ‘people’ challenge, we can start taking steps to fix the problem.

Employees should be trained to recognize phishing emails. They need to be equipped with VPNs for off-site work, and an understanding that websites that look fake often are—and are potentially run by a hacker residing in the cyber netherworld, waiting to pounce on an unsuspecting victim. They must also never share passwords and should change theirs on a regular basis.

These are all seemingly rudimentary best practices—and this is by no means an exhaustive list of essential cybersecurity tactics—but when combined, they form the foundation of an effective cybersecurity net that can protect an organization from digital worst-case scenarios.

Because once you get a $1 million ransom note from a hacker to release your data, the costs of being proactive seem quite reasonable by comparison.

Winston Stewart, President and CEO

Wincon Security