By Felipe Coe, on Mar 17, 2020

How Covid-19 affects information security


It’s not very often that companies all over the world need to shut offices down. At this point, we don’t need to tell you that Covid-19 is a huge global concern that impacts all of us.

One of the recommendations from health organizations and governments is to practice social distancing. While it won’t stop people from getting the virus, it flattens the curve of new infections and prevents hospitals and health services from being overwhelmed. It’s also an effective way to reduce the spread of disease to the most vulnerable in society, such as people with underlying health conditions and the elderly. Every day more and more offices are closing to start social distancing. There’s a good chance you’re even reading this article on your WFH lunch break or during self-isolation.

While we’re all transitioning to new routines, you might have a few worries. A few days ago, Contentful started receiving messages from vendors about their plans for business continuity. We also started receiving questions from customers about our own plan for business continuity. The overwhelming concern is: how can Contentful deliver the same level of service during a global crisis? We can assure you that we’re taking every step to ensure business continuity so that your data and information stay safe. We’re also passing along some of our tips to help you get prepared.

Our response to the crisis

When the spread of the virus escalated, our CEO Steve Sloan stood in front of the whole company to address a potential global shutdown. Our senior leaders knew from the outset that the most important concern was to ensure the health and safety of the employees and their loved ones. The Contentful offices performed a trial shutdown with employees in Berlin and San Francisco working remotely. You can read more about this journey, as documented by Heidi, our Director of Brand & Marketing. We felt this was an important step to get prepared, and even though it wasn’t mandatory at the time, it was indicative of how serious we were about business continuity. The practice day set us up to succeed as a fully distributed company. If you’re in the same boat, it might be time to do a business continuity practice day, too.

The impact on information security depends on how companies operate their data, their online and offline systems, and their workforce. Lucky for us, Contentful is a company that was born in the cloud. We are a mobile workforce by nature. We don’t depend on a server in our basement to run our company. Therefore, our business continuity plan is much simpler than that of companies that rely on a particular location, especially when this location is locked and unstaffed.

It’s important to remember that COVID-19 is a global crisis. Before I discuss some of the advice below, I would like to acknowledge that some of the scenarios aren’t ideal. These concerns are at the forefront when I discuss the potential dangers and solutions related to information security.

Physical security at the office

At Contentful, data is stored and processed by cloud services. There are no important physical servers on-premise, and sensitive data is locked away in secure storage. The IT team can securely access video recordings in case of any incidents.

If you are a business with physical assets such as servers, or large quantities of data at the office, what do you do? A global crisis can incite vandalism and break-ins, and data can be exposed. It’s important to take stock of the data that is at your offices. Next, clean it up, store it in secure lockboxes and safes, or take it home. Choose the files and papers that you need immediately and store the rest safely to ensure data is kept confidential.

For servers on-premise, encrypt your data. Back it up at an off-premise location for data availability. This includes video camera feeds; if a break-in does happen, you will need the footage for the police.

New employees, onboarding and offboarding

It is difficult to greet a new employee when you are not there. The person needs a company laptop, access to new accounts and a rundown of your specific software. Some companies decide to allow employees to work from their personal computers, others hand over laptops physically or ship them via mail.

At Contentful, the people team created clear guidelines for new team members who are onboarding. During our preparation for remote work, the IT team tested and proved a solution for remote onboarding. Our Information Security Policy does not allow the use of private computers, so the solution we designed considers that. We’ve adjusted our guidelines for remote work to accommodate new threat scenarios related to COVID-19.

Loading areas, mail, and packages

We still have someone working at the reception at Contentful, and it’s operating as normal. If the situation escalates, our workplace team is coming up with a solution for remote letter and package delivery.

It’s unrealistic to expect mail to stop. For many businesses, this is fundamental to continuity. Contentful receives dozens of letters per week and a ridiculous amount of packages. If you’re looking for a solution to your mail during this time, take advantage of services like mail forwarding. There are companies that receive and digitize your mail for you. Send mail to an address that you trust, and understand the type of information you receive so that you can make the right decision based on the data’s confidentiality, integrity and availability.

Access to production systems and customer data

As Contentful is a cloud-native company, access is centrally managed and secured with a strong password policy and enforced two-factor authentication. Critical systems are protected behind additional layers of pre-authentication. Our operations do not depend on a particular location, and our endpoint security technologies ensure all devices are properly configured and encrypted. Our data classification policy sets the rules for protecting data at rest, in transit and in use.

If you depend on a physical location to operate your systems, invest in remote connectivity, and ensure the levels of access, authentication and authorization are compatible with your on-premise security controls. You very likely already do this for incident response and on-call engineers; this is just a step up when all of your workforce is remote. Things that come to mind are VPN licenses, concurrent connections, and offsite logging and monitoring.

Follow your policies regarding the download of company and customer data to laptops and mobile devices, especially when files are stored on a file server at your office. Data encryption at rest is paramount here.

We’re in a good position to run remotely (and keep a high standard)

Every company is different, and you might decide to run things your own way. It all depends on the risks your business will face in the coming weeks and months. Perform a risk assessment and make quick decisions. If you follow the advice here, you will be better prepared for a fully remote workforce.

Rest assured that Contentful is doing its utmost to protect your data and provide services reliably. We are in a good position to do so, as our workforce is remote by nature. Our platform is running in secure data centers and cloud services. This is where our heavy investment in a security program compliant with ISO 27001 and a solid vendor management process pays off. If you’re looking for more information, you can find it on our security page.

Felipe Coe

Security Engineering Manager