The CARES Act: Prioritize Cybersecurity for Economic Relief Act Funds Before They’re Gone
ime is running out for organizations to spend any of their remaining CARES Act relief funding. They must use their funds or lose them by December 30, 2020 for eligible expenditures related to COVID-19. Fortunately, for organizations still adapting their IT infrastructure to accommodate new work-from-home teams, updating cybersecurity for remote workforces qualifies.
The Importance of Spending On Cybersecurity During Times of COVID-19
One of the fundamental changes inspired by the coronavirus pandemic is the shift to remote work. When COVID-19 hit, a majority of the population was suddenly working from home within a matter of weeks. Like other employers, state and local governments needed to quickly and efficiently adapt to a newly distributed workforce.
The hasty shift to remote work put serious pressure on IT security professionals, who were already stretched dangerously thin from setting up new systems for video conferencing, team collaboration, remote access, and more. Perhaps the most pressing need, however, was -- and is -- ensuring cybersecurity. The 2020 Cyber Threats Report from Netwrix, which asked 937 IT professionals about recent cyberthreats and their responses, found that:
- 85% of CISOs said that they had sacrificed cybersecurity to quickly enable remote work
- 48% of organizations reported at least one phishing attack during the first three months of the pandemic
- 63% reported an increase in cyberattacks during the pandemic
- 60% found new security gaps as a result of the transition to remote work
- 54% of CISOs said that they lacked the visibility needed to ensure proper data protection
Automox Delivers a CARES Act-Eligible Solution for Securing and Managing Remote Teams
With Automox, state and local governments can leverage their CARES Act payments to secure their remote teams immediately and in the future. Automox is quick to set up, with zero timing roadblocks before the December 30 cutoff, and easy to use, so your team can get immediate value from the solution.
Why the Urgency to Spend CARES Act Funding Now?
When the United States Congress passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act in March 2020, state and local governments were one of the many entities that benefited from this economic relief and received direct payments to cover expenses incurred because of the COVID-19 pandemic. Many of these organizations may have quickly spent the relief funds to cover immediate and obvious expenses resulting from the sudden shutdown of our economy. But for the other organizations that have yet to spend the CARES Act payment, consider this: The deadline for using this payment is rapidly approaching. All CARES Act money must be spent by December 30, 2020.
State and local governments with funds remaining from their economic relief act payment have a fairly urgent decision to make: how to use their CARES Act disbursement in a way that provides the immediate economic relief intended by the act, as well as supports and protects their organizations and citizens in the months and years to come.
The CARES Act does put parameters on how the payment must be spent, one of which explicitly calls out the facilitation of teleworking as a COVID-19 expense. Now that it’s becoming clear that remote work is the new norm, investing in cybersecurity is an essential and eligible expense for CARES Act funds. Keeping your remote endpoints and devices protected from possible breach must be a priority to keep government data secure. Act now with your CARES Act money to secure your remote teams with a modern, cloud-native patching and configuration management platform.
What is the CARES Act?
The CARES Act is a $2 trillion economic relief fund implemented by the U.S. government in 2020 to help people, businesses, and governments struggling with the impact of the coronavirus pandemic. The CARES Act relief fund includes:
- Providing Economic Impact Payments to American households of up to $1,200 per adult for individuals whose income was less than $99,000 (or $198,000 for joint filers) and $500 per child under 17 years old, or up to $3,400 for a family of four
- Supporting businesses with the Paycheck Protection Program, which provides funds to pay up to eight weeks of payroll costs, including benefits
- Offering Economic Injury Disaster Loan advances of up to $10,000 for businesses experiencing a temporary loss of revenue
- Issuing Employee Retention Credits to incentivize businesses to keep employees on the payroll as well as payroll tax deferrals and payroll support
- Delivering direct payments to state, local, and tribal governments to support their efforts in combating the coronavirus
How the CARES Act Applies to State and Local Governments
State, local, and tribal governments are among the many entities that received a portion of the $150 billion Coronavirus relief fund. Payments were distributed based on population size to local governments with populations over 500,000 that submitted the required certification by Friday, April 17, 2020.
Governments that received payments from CARES Act are required to use their funds in particular ways. The Coronavirus Relief Fund Guidance for State, Territorial, Local, and Tribal Governments document stipulates that payments from the CARES Act relief fund may only be used to cover costs that:
- Are necessary expenditures incurred due to the public health emergency with respect to the Coronavirus Disease 2019 (COVID-19);
- Were not accounted for in the budget most recently approved as of March 27, 2020 for the State or government; and
- Were incurred during the period that begins on March 1, 2020 and ends on December 30, 2020.
The document goes on to provide further clarification. The first point, for instance, includes any expenses taken by the government to respond directly to the emergency, such as addressing medical or public health needs and providing economic support to people or businesses suffering from COVID-19-related challenges. It also emphasizes that the expenditure must be “reasonably necessary” and cannot be used to fill shortfalls in government revenue.
The CARES Act guidance document clarifies the second point as well. An expense meets this criteria if it can’t be funded from a line item, allotment, or allocation within the government’s most recent budget or the cost is for a “substantially different use from any expected use of funds.” So, even if an expense was accounted for in the budget, it could still potentially be covered by the economic relief act payment if circumstances have significantly changed.
Finally, the timing. The original CARES Act guidance released in April provided that “the cost of an expenditure is incurred when the recipient has expended funds to cover the cost”; in other words, when the government actually paid for the product or service. Treasury recently amended its guidance, however, to state that “performance or delivery must occur during the covered period but payment of funds need not be made during that time.” This is an important distinction that gives state and local governments more leeway in where and when to spend their economic relief act payments.
Examples of Eligible CARES Act Expenditures
What actual expenses meet the criteria explained above? The CARES Act guidance document provides some helpful examples. These include:
- Medical expenses, such as COVID-19-related expenses from existing healthcare facilities, establishing new medical facilities, providing COVID-19 testing, and emergency medical responses
- Public health expenses, such as acquiring and distributing medical and protective supplies, disinfecting public areas and facilities, expenses for technical assistance to local authorities, and costs related to quarantining individuals
- Payroll expenses for public safety, public health, human services, and similar employees whose services are substantially dedicated to mitigating or responding to the COVID-19 public health emergency
- Expenses of actions to facilitate compliance with COVID-19-related public health measures, such as food delivery, distance learning, teleworking, and paid family and medical leave to public employees
- Expenses associated with the provision of economic support, like grants to small businesses, payroll support programs, and unemployment insurance costs
- Any other COVID-19-related expenses reasonably necessary to the function of government that satisfy the CARES Act relief fund’s eligibility criteria
It’s clear that state and local governments have a number of options for how to spend the funds from the economic relief act. Most have likely put some or all of their CARES Act payment towards the expenses listed above. Those with remaining funds, however, must promptly decide how to best allocate their portion of the CARES Act relief fund, preferably with an emphasis on cybersecurity.
As the Netwrix report statistics highlighted: a virtual, distributed environment engenders less IT control and increased opportunities for cyberattacks as more employees access networks and systems from more devices. Employees are more distracted working from home during the pandemic as well, further opening the aperture for cyberthreats caused by human error. Most organizations must face the fact that the “new normal” of remote work includes a vastly expanded attack surface.
The Netwrix report summarized the implications of these circumstances nicely:
“The broad disruption to businesses and swift transition to WFH [work from home] caused by the pandemic forced many organizations to prioritize service availability over security. Now that we are all more comfortable with the new normal, IT and security pros should re-examine their earlier decisions with the goal of closing security gaps. This requires identifying sensitive information and reducing its exposure, gaining visibility into user activity, and automating change and configuration auditing to ensure rapid incident detection.”
How to Use the Economic Relief Act to Fund Cybersecurity Updates
Which brings us back to the CARES Act. State and local governments must spend their payments from the economic relief act by the end of 2020. They also must adapt their cybersecurity practices to the new world of remote working as soon as possible. This process will require some expenses, and will, as required by the CARES Act, be more than “reasonably necessary.”
What does an investment in cybersecurity for the remote workforce look like? Organizations should consider a number of strategies when evaluating the best use of their economic relief act payment. Experts recommend:
- “Revising existing cyber risk guidelines, requirements, and controls on how employees access data and communicate with a company’s network.” (MIT Sloan Management Review)
- “Create a single, integrated security framework to simplify management and expand visibility and control… [starting with] the right corporate policy.” (TechRepublic)
- “Rethink existing security approaches, invest in emerging technologies, and develop new solutions… [including] a low-touch was for IT staff to monitor and analyze home network traffic while ensuring that private information like websites visited or services used is not tracked.” (Security Boulevard)
Enhance and Automate Cybersecurity with Automox
Automox offers a fast, effective, streamlined way to improve cybersecurity in a distributed environment. Automox enables organizations like state and local governments to harden their endpoints from the cloud. That means no on-premises infrastructure is required to continuously monitor every IT asset in the organization -- including those in your employees’ homes.
Automox enhances cybersecurity in a work-from-home environment by empowering organizations to apply software updates and configurations to devices not connected to the remote network or that exist outside the Active Directory. The platform removes the hassles of endpoint permissions, eliminates the need for patching via VPN, and automates remediation of vulnerabilities on remote, unpatched devices.
Organizations have many options for how to use their economic relief act funds. Keeping people safe should always be priority number one, but keeping data safe isn’t far behind. Get in touch to learn more about how Automox can help state and local governments achieve better security outcomes and operational efficiencies -- and make the most of your CARES Act distribution.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.