COVID-19 lockdowns are causing a huge spike in data breaches

Fears over data leaks from remote workers are not only founded, they're much worse than anticipated, said the International Association of IT Asset Managers.


The International Association of IT Asset Managers (IATAM) is warning that at-home work due to the COVID-19 pandemic is leading to a spike in data breaches that's greater than anticipated.

IATAM raised the alarm about potential cybersecurity failures in the wake of coronavirus lockdowns in mid-March, and has found that its prophecy has been fulfilled a bit more accurately than it had hoped.


"We anticipated that things would get bad. Companies and agencies may be hoping and praying they are safe, but the work-from-home environment has created a multitude of opportunities for leaks," IATAM President Dr. Barbara Rembiesa said in a statement. "Too many organizations have left themselves wide open for attack. Understanding the pathways for access within a company's data network is a valuable lens for businesses and agencies to avert leaking their own assets."

IATAM has found that COVID-19 breach risks fall into one of four categories:

Assets are being purposely left unsecured

IATAM cited several examples of organizations purposefully making devices less secure to simplify remote work.

"One example would involve removing admin permissions so that employees can complete the task without administrator oversight. Another would be allowing the use of 'unpatched' business computers that allow hackers to load malicious files with admin privileges. In some cases, companies with high-end virtual private networks (VPNs) pre-loaded on business computers are allowing people to work from home on personal devices either with no VPN or with a lower-end virtual private network that may be less hacker resistant," IATAM said in a statement.

Rapid addition of new hardware leaves little time for security

The shift to so many people working at home has meant many organizations are struggling to fill IT asset gaps. This has led to rapid purchasing of a high volume of machines and little time for IT teams to prepare them or train workers on proper security while out of the office.

"The more corporate assets that you have, the higher risk of intrusion. Each asset becomes a doorway or entry point for a breach, particularly when it (or its user) is underprepared," IATAM reported.

Assets on home networks are fundamentally less secure

Many businesses reacted quickly to stay-at-home orders. Where they were unprepared, their technology had no chance to adapt as quickly, leaving many people working from home under less-than-ideal security conditions.

"Many company devices were deployed into a work-from-home situation quickly, leaving little time to ensure that they would be secure via a virtual private network or other means," IATAM said. 

Unprepared users are making mistakes

The dominoes set up by the previous three problems become easy to topple when users aren't trained or prepared for online threats.

"These phishing attempts were disguised as appeals for help, disinformation campaigns, or new information about COVID-19, to gain login credentials or install malicious software. This is a prime example of how an employee could unwittingly invite in an intrusion."

How to protect data in the hands of remote workers

Companies with mature cybersecurity plans, Rembiesa said, should already have provisions in place to address contingencies like mass work-from-home orders. Unfortunately for those that don't, there's quite a bit of work to be done, and it's going to have to be done remotely.

Rembiesa has several tips for businesses busily working to secure their data during the COVID-19 pandemic:

  • Make sure remote workers have access to a VPN, and ensure they're using it to work with sensitive information
  • Enable remote wipe of computers that are compromised or stolen
  • Help users learn how to assess their home network's security and protect it going forward
  • Make sure users know how to treat sensitive data and what their responsibilities are when working remotely
  • Train employees on data privacy laws like GDPR and HIPAA

Data security is a fight that both IT and users have to be invested in together. Training, combined with good asset management, is the only way to ensure businesses get through COVID-19 without becoming another security statistic.
