COVID Planning for 2021: Protecting Your Business in the Year Ahead

At Needham Bank, our goal is to provide you with resources to improve your financial know-how. That’s why we are excited to have partnered with Ryan Barrett, Founder and Chief Executive Officer of ORAM Cybersecurity Advisors, a company that offers consulting services to organizations whose data is critical to their business. Massachusetts Lawyers Weekly 2020 Reader Ranking Awards ranked ORAM Corporate Advisors in the top two cybersecurity firms in Massachusetts. Barrett holds a Bachelor of Science Degree in Computer Engineering from Wentworth Institute of Technology and he serves on Needham Bank’s Advisory Council.

Read Ryan’s expert insights about the necessary COVID planning your business needs in 2021 and his resolutions to keep your company’s data safe. 

This year, businesses watched as the global COVID-19 pandemic took hold swiftly and unexpectedly. Organizations across the nation and around the world had to respond on a dime, shifting to a remote workforce that, in many cases, left business data at greater risk. A large number of employees were left to work on their private devices and networks to stay afloat, company leaders rushed to secure VPNs and implement other forms of cybersecurity, and Zoom felt the sting of hackers as it became the meeting platform of choice.

As 2020 comes to a close, most organizations are not counting on a COVID-19 vaccine being generally available until the fall of 2021. With that in mind, many companies are planning on continuing with the use of remote workers as much as possible until reentry of the workplace in September of next year. So what does that mean for technology budgeting for 2021?

Technology Planning

Business leaders need to start planning ahead now for their 2021 technology budget and that means looking beyond technology to new construction and furniture to make the office more COVID-friendly going forward as employees return to traditional offices. As business owners, we need to make the offices safer even with a vaccine in place. This will allow our employees and clients to forge ahead as comfortably as possible.

Cybersecurity Training

When it comes to technology in the coming year, you will need to plan for spending to bolster your cybersecurity training. This has always been something that ORAM Corporate Advisors has pushed but it’s more imperative than ever before. As explained by a recent online piece by ZDNet, “As the COVID-19 outbreak threatens to overload the healthcare system and the global economy, it’s also having a powerful impact on the security of businesses and individuals.”

According to the ZDNet article, one in three attacks are related to the coronavirus. The security news organization reported that the National Counterintelligence and Security Center (NCSC) said it is putting more resources into protecting healthcare. Additionally, “Nine out of 10 coronavirus domains are scams” and “Half a million Zoom accounts are for sale on the Dark Web,” according to the article. Furthermore, it also reported brute-force attacks are up a whopping 400 percent!

One of the best methods for protecting your business, its clients, and employees is to train everyone in your organization regarding the threats they face and how to address them. Employees are a critical point of defense against cyber threats. Bringing them up to speed on your company’s security policies, procedures, and best practices is essential in the fight against online threats. You can also read ORAM’s blog, “10 Tips to Keep Cybercriminals Out While Coronavirus Keeps You In.”

Written Information Security Plan

Every business or organization, regardless of industry, should have a written information security plan (WISP) in place. This plan details the policies and procedures for ensuring the private information of your clients and employees, as well as other proprietary or confidential data, is protected. A WISP accomplished this goal by outlining how information is protected within your company and who is responsible for ensuring it is safe.

A WISP includes both administrative safeguards as well as utilizing technology such as firewalls, antivirus, antimalware, and monitoring software to help keep bad actors out of your network. Some examples of administrative safeguards include the defining and identification of confidential data within the organization, where it is located, and monitoring who has access to it. This includes access to hard copies of data as well as digital access. Furthermore, the WISP will identify the roles and responsibilities for responding to and addressing data breaches whether internal or external.

Technical safeguards may include penetration testing, data encryption, continuous software patches, and upgrades of hardware and software. Other technical safeguards may include the tracking of digital documents and additional physical security. Even how data is properly disposed of and destroyed should be outlined in the WISP.

Business Continuity Plan

Though a WISP is incredibly important, so is having an updated business continuity plan (BCP). A BCP is a written document your company should have in place to ensure that it can continue operating as seamlessly as possible in the event of a cyber incident or breach. This outlines how your business will continue operating should a natural disaster, inclement weather, workplace violence, a breach, or other event occur that would otherwise shut down operations.

A BCP may outline the use of a VPN for workers who must go remote with little to no notice, the use of cloud computing for easy access to documents and other data needed by your workforce to keep plugging away. An effective BCP will minimize the negative impact of unforeseen disruptions as well as financial losses. It will also help keep a business’s reputation intact and keep strategic plans in place.

Cyber Resilience

Security Magazine has written about cyber resilience as a new way of looking at cybersecurity. In a May 2020 article addressing the topic of cyber resilience, the magazine wrote, “The need for real-time visibility of an organization’s security posture is, you cannot know if what worked for your organization yesterday will also work today. A new threat intelligence can change an entire defense strategy for an organization. The risks of an attack are not new, but as incidents become more sophisticated and persistent, organizations need to move from cybersecurity to cyber resilience.”

So what does that look like? An effective cyber resilience program will be predicated upon the three P’s, according to the Security Magazine piece: Predict, Prioritize, and Practice. The goal is to anticipate a breach (i.e. expect and plan for one to occur) rather than reacting to one. Business leaders should also prioritize more immediate, larger threats than smaller ones so they know where to best focus their planning and security attention. Practice goes back to the section above on policies, procedures, and cybersecurity training for every employee.

Strong cyber resilience also requires business continuity as also discussed above and includes attention to basic cyber hygiene. Knowledge of what important, personal, and proprietary data your company holds, where it is located, and what is protecting it is a necessity for ensuring cyber resilience. Be sure key security settings are properly configured to bulletproof your network. Keep access permissions updated and properly managed as people come and go in your company and you build and end partnerships with other companies that have access to your data. Regularly update all devices with software patches and employ systems that locate vulnerabilities in your systems before a hacker finds them such as email scanning software. All of this will also assist your organization in achieving and maintaining compliance with regard to cybersecurity.