Managing the information security impact of COVID-19

Risk and security threats related to remote working.

Kyle Kappel

Kyle Kappel

Cyber Security Leader, KPMG US

+1 949-431-7359

Part of KPMG's series COVID-19: Insights for CIOs and IT executives on considerations for building IT and business resilience in challenging times

As CISOs, CIOs, and business owners grapple with an expanded and more complex threat landscape, KPMG currently sees six risk and security threats we want organizations to be aware of related to remote working in these times.

In this video we discuss the heightened cyber security risks related to remote working in response to COVID-19. And while this video includes just a few of the immediate and near term considerations on key risk and security-related areas, technology can only go so far in protecting your most critical assets. Supporting changes in human behavior, particularly around generating awareness, providing easily accessible support, and avoiding a sense of fear and retribution are equally important.

Video companion text

Key risks vs technology

Steve Bates, Principal, Global Leader, KPMG’s CIO Center of Excellence


In today’s remote working culture, CISOs, CIOs, and business owners are tasked with keeping their organizations safe from security threats. We see six risk areas to focus on in these challenging times.


1.  CEO fraud exploiting social distancing

Knowing who to trust in challenging times is crucial. Be aware that there could be people posing as a CEO, CFO or another senior company figure looking to transfer corporate funds to other bank accounts. It is important to advise staff with appropriate access to continue to following all proper company money transfer protocols as well as encourage them to follow the incident management process and escalate any irregular communications.

2.  Insecure remote connections to the office

When time is of the essence, organizations still need to ensure secure remote connectivity. In our video on Standing up a remote environment, we discuss the recommendation of multi-factor authentication for access to company data, along with securely configured and reputable cloud solutions for collaborations wherever possible.

3.  Increased personal use of company devices

Working from home with company devices has brought new temptations to use company equipment for personal use. This opens up the possibility and increases the risk for these devices to become infected with a virus or malware. To be on the safer side, we recommend, updating browsers and related third-party software such as PDF readers, Flash players and JAVA.

4.  Employees under financial stress or job uncertainty may pose a risk as insider threat:

The stress of uncertainty in a time of a pandemic can cause employees financial concern as well as concern over loss of employment. That concern has been known to be exploited by competitors to lure them into giving away corporate data. In our Workforce, people and communication video, we discuss the importance of transparent messaging and reaching out to workers to keep lines of communication open. 

5.  Confidentiality at home

When your personal space is no longer just yours, but, now your households, confidentiality brings a whole new challenge into play. Whether you’re surrounded by family, friends or children, we advise that you have your staff work in separate rooms as much as possible, not leave out any confidential materials, use privacy screens and headsets, rather than speaker phones. 

6.  Phishing attempts specifically related to COVID-19

Since mid-February, we have seen a rapidly increasing number of cybercriminals using COVID-19 themed spear-phishing attacks. These cybercriminals are looking to bait targets to fake websites and collect Office 365 credentials. 

One example is phishing emails sending targeted users to fake Center for Disease Control (CDC) website or comparable sites in other countries, which solicit user credentials and passwords.

As you coordinate your response across all three lines of defense—operational management, risk oversight, and internal audit—consider these steps to reduce risk to both your organization and employees working remotely:

  • Raise awareness of the heightened risk of COVID-19 themed fraud and phishing attacked. Emphasize the existing protocols and encourage employees to voice concern is something seems out of place.
  • Lean on your Internal Audit function to provide guidance on where controls can be modified to accommodate changes in decision making or risk tolerance.
  • Stay in touch with your employees and share regular updates on how your organization is handling the COVID-19 pandemic.
  • Ensure all company provided technology has up to date anti-virus and firewall software.
  • Add a dedicated hotline, service desk menu, or portal to report any security concerns including potential phishing.
  • Encrypt data-at-rest on laptops and add data loss prevention software to detect data breaches and leaks.
  • Offer an employees an alternative to transfer data, such as secure collaboration tool, and disable USB drives to avoid the risk of malware.


With a few of the immediate and near-term consideration key risk and security-related areas laid out above, keep in mind, technology can only go so far in protecting your most critical assets.  Supporting changes in human behavior, particularly around generating awareness, providing easily accessible support, and avoiding a sense of fear and retribution are equally important.