Update: I initially posted this article in April of 2020. At the time, we did not realize how widespread and long-lasting the pandemic would be. Now, a year later in April 2021, as businesses and corporations really are beginning to open up, the article may be even more significant. I have updated the article slightly to provide a more current view. Stay safe! -Charles Patterson
Privacy and information security problems are side-effects of the pandemic concerns.
The CoVid-19 response has had serious and devastating effect on individuals and businesses throughout the world. There are immediate concerns of protecting your health and providing sustenance for your family, as well as caring for employees which includes trying to keep businesses healthy and alive so there will be work for people to go back to once the virus concerns are over. There are a number of side-effects from this, though, many of which affect privacy and information security.
Greater risk.
Companies have faced major challenges that have had a serious effect on product lines, stock prices, market strategy, and more. Corporate decisions included shutting down of certain locations and departments, employee lay offs, shifting production lines, executives and CEO’s reducing or eliminating salaries, changing suppliers, or even closing up business all together. These actions and other types of confidential information are highly desirable by an adversary or competitor.
Security is weakened
One major problem is that companies were forced to scale back on employees, operations, and expenses. Security has been one of those areas suffering with both budget and manpower cuts. Company offices have been left mostly empty with at best a skeleton crew, and access being granted to maintenance staff or a few lone workers who may still be carrying out basic operations, or an employee who may have just needed to return to pick up something from their desk to help them work better from home. The security concern is that for well over a year, the employees, cleaners, and other staff have been largely unsupervised and may have had easy access to areas where they were not normally permitted.
Opportunities open up for the bad guys.
This creates the perfect opportunity for an adversary or rogue employee to breach security and perhaps install a listening device or surveillance camera, waiting to be used in the future when business returns to normal.
Employees who have been laid off or furloughed may not have had their access credentials removed. They may have found themselves in difficult financial situations where an lucrative offer from a competitor could entice them to become spies, returning to the office to “pick up some belongings” but they may have actually been stealing data or installing an eavesdropping device.
Securing the homefront.
Another significant concern is that now, your many employees and executives who routinely handle confidential information have left their fairly secure office building and taken their activities home with them. Residences are typically much less secure than a corporate office where stronger security systems may be in place. Home data networks are also typically less secure. Thus the home becomes a much more vulnerable target.
Board meetings, confidential discussions, and other private communications that were previously contained within a secure room in the corporate facility, now take place spread out over multiple locations, each of which may have significant vulnerabilities which compounds the threat for eavesdropping.
Employees and executives who are continuing to work from home should be aware of, and be reminded of, the need for vigilance and security – both physical security of their homes as well as protection of their data and all communications – laptops, files, and phone activity. Sweeps of executive homes has become more commonplace, particularly if there has been any suspicious security incident around the home. A break-in, vandalism, suspicious hired help for instance, could create the need for a TSCM sweep and other security considerations.
Security has left the building.
We also realize that during this time of the pandemic, there was less manpower available. This would mean fewer security guards, fewer patrols, as well a lowered response level where priority would be given to major, more obvious problems. Less significant incidents may be overlooked – such as an employee in an unauthorized area, a door left ajar, an alarm considered a nuisance where no cause was noted – yet these types of incidents should be recognized as serious info security concerns.
Compounded threat against board meetings and other confidential discussions.
In person meetings of all sizes, from one-on-one up to board meetings and even shareholder meetings have now moved to online platforms. The virtual platforms as well as the individual networks of users all have important cyber concerns, but that is not enough to ensure protection of confidentiality. Take a basic board meeting for example. Perhaps 10 to 20 people previously would gather in one room for their meeting. That room would often require a pre-meeting sweep as well as in-place signal analysis during the meetings. Those same attendees now have moved to their homes or individual offices where they participate online.
Previously conversations were contained with one secure room. Now, the same meeting, with the same confidential conversations, is spread throughout multiple locations, each with their own inherent security vulnerabilities. Precautions should be considered, and at least some education of executives and staff would be in order. Those who regularly participate in confidential online meetings may deserve appropriate attention with residential TSCM sweeps. Any security incidents occurring in or near an executive home should prompt consideration of a sweep. Back at the office, any meeting rooms that are still regularly used for teleconferencing should also receive TSCM inspections.
Security review.
When reviewing your security during this period, here are some very important points to consider:
- How secure was your facility during the down time?
- Note what areas had weakened security. In what areas was less manpower deployed, such as fewer guard patrols?
- Who continued to have access?
- What types of staff were still given access? Were employees still allowed back in?
- Were any private or classified areas left open and unattended?
- Pay particular attention to board rooms, conference areas, and C-suites. Look for any signs of unauthorized activity.
- How secure were rooms that are regularly used for teleconferencing or online meetings?
- Was access restricted, or were they available to any one who reserved the room?
- How secure are the home offices used by the CEO or other executives?
- Homes are typically less secure than the corporate office space and may be an easy target. Residential sweeps of executive homes may be required to ensure both data and conversations are protected.
- What types of security incidents may have occurred during the period?
- Review logs of any security incidents, look for any correlations that could indicate suspicious espionage activity: signs of any type of break-in, doors left unlocked, employee entrance found open, fire doors unsecured, etc.?
- Were there any areas accessed by unauthorized personnel?
- Investigate thoroughly any reports of employees found in unauthorized areas.
- Have any break-ins or vandalism occurred?
- Security breaches or other incidents could be used as a cover for actual espionage activity. If a break-in or theft was reported, pay attention to any nearby areas that may have been accessed as well.
When you return to your offices, pay close attention to anything that has been disturbed, anything that may have been tampered with. Any indication of unauthorized access to offices or secure areas should be investigated thoroughly. Electronic sweeps of critical offices and confidential areas should be scheduled.
Just as it is important to fully sanitize areas for protection from viruses, it’s also necessary to keep them clean from the other type of bugs – illicit transmitters, listening devices, cameras, or any other technical surveillance device. TSCM sweeps should continue to be given a high priority in your security considerations.
Stay safe!