
How to Keep Your Business Secure During the COVID-19 Pandemic


The COVID-19 news has many more office workers in the United States working remotely as we all adhere to the social distancing recommendations put forth to reduce the spread of the virus. Today, more than ever, business data lives outside the perimeter of an office location. With so many working remotely, organizations are being forced to look critically at their remote work security. From an attacker’s viewpoint, business attack surfaces will expand greatly, potentially allowing them more access into an organization’s data through remote workers’ home networks, personal devices, and cloud applications.

7 STEPS TO SECURING YOUR REMOTE WORKFORCE

As your data and the employees who access it move beyond the trust boundary, or your corporate perimeter, attackers can capitalize on the lack of enterprise-grade security controls. An employee will generally be relying only on their home router/modem settings set up by the telecom company and whatever endpoint protection is loaded on their work laptop. If you’re not providing laptops for employees and have no formalized bring your own device (BYOD) policy for those who are now forced to work remotely, you’re taking on even more risk, and that risk requires security measures if you must allow direct access from personal devices.

Proactive organizations should think about how their attack surface expands during this time and create threat models that adapt to those widening security perimeters. Each new remote worker essentially becomes another office location you need to manage from a security standpoint. There are some security basics to focus on that will protect your data from the ground up:

  1. Encrypt all corporate email
  2. Mandate the use of virtual private networks (VPNs) to connect to internal resources for all remote employees
  3. Enable multi-factor authentication (MFA) for resources and accounts
  4. Employ robust endpoint security (i.e., firewalls, antivirus, and anti-malware)
  5. Centralize device management to push patches to endpoints and control configurations and device policies
  6. Ensure that a proper backup and business continuity process is in place
  7. Use privacy tools/add-ons for browsers

These technologies aren’t new, but they significantly raise an organization’s security profile. Now is the time to square away those efforts – when you’re likely to get full support from your executive staff to spend the time and money on these security measures.

The steps above are a great start toward securing your newly remote workforce. Once you’ve implemented them, read Google’s “BeyondCorp” paper, which goes into detail about the concept of Zero Trust and not trusting the perimeter.

Unfortunately, during our greatest times of weakness, attackers will do everything they can to leverage our vulnerabilities for their own purposes. Next, we’ll go into just a few recent examples of attacks launched during the COVID-19 crisis that show how quickly attackers move to exploit us during these times.

ATTACKS DURING TIMES OF PANIC

The Department of Health and Human Services (HHS) was just attacked by someone, and the FBI has launched an ongoing investigation. Not enough details have been released to the public to make any assertions or attributions about the attack, but according to the Bloomberg article:

"The attack, which involved overloading the HHS servers with millions of hits over several hours, didn’t succeed in slowing the agency’s systems significantly, as was apparently intended, according to one of the people familiar with the matter. They requested anonymity to discuss details of the sensitive incident."

Another article cites an unnamed FBI source who says the attack was tied to the HHS coronavirus response that was intended to slow its spread. As always with ongoing investigations, it’s important to focus on why and how an attack occurred rather than on who did it.

Now, for your employees, the risk is most likely going to be from social engineering attacks, rather than the massive threats against government organizations.

SOCIAL ENGINEERING

Online scams are often most successful for attackers during times of fear and uncertainty, when smart attackers exploit an individual’s anxiety about something going on in the world around them in order to get that target to provide them with valuable information.

Enough attacks are now targeting people who are on edge and anxious about the spread of COVID-19 that the Cybersecurity and Infrastructure Security Agency (CISA) put out some recommendations to help defend against these types of attacks.

WHAT TO DO

It’s important to not just feed the flames of panic over the COVID-19 news, but rather to consider the impact to data security for organizations as employees are working remotely, potentially from different machines and laptops, and to also ensure that you’re aware that employees are more prone to social engineering attacks during these times.

Now is the time to ensure your remote working environment is as secure as possible and to educate your employees about suspicious emails, social networking posts, and other content that may come their way from unfamiliar contacts and strangers.


Dan Wood, Bishop Fox Alumnus

About the author, Daniel Wood

AVP of Consulting

Daniel Wood (CISSP, GPEN) is a Bishop Fox alumnus. Daniel was Associate Vice President of Consulting at Bishop Fox, where he led all service lines, developed strategic initiatives, and established the Applied Research and Development program. Daniel has over 15 years of experience in cybersecurity and is a subject matter expert in red teaming, insider threat, and counterintelligence. Daniel was previously the manager of security engineering and technology at Bridgewater Associates, where he shaped the strategic direction of technology for the firm and oversaw technical security assessments of Bridgewater's international office expansions.

Daniel has also served in roles supporting the U.S. government in security architecture, engineering, and offensive operations as a Security Engineer and Red Team Leader. He supported the U.S. Special Operations Command (USSOCOM) on red teaming and digital warfare operations, and the U.S. Army on the Wargaming Cyber Effects on Soldiers' Decision-Making project. Daniel is currently a member of the Ithaca College Cybersecurity Advisory Board. He holds a Bachelor of Science in Administration of Justice from George Mason University.