As the majority of us continue to work from home as a result of the pandemic, Rose Partners’ CEO Adam Honor offers invaluable insight into mitigating the threats of cyber-crime.
These are strange and challenging times for us all. As security and operational resilience practitioners, these are periods in which stripes are earned and lost, times during which we need to dig deep into our armoury of skills, and days in which we need to be surgical with our advice and support to our respective organisations.
There will be time in the future during which the necessary ‘wash-ups’ will take place, lessons learned and corrective actions for the future laid down. It will be difficult for some to not say, ‘I told you so’ when discussing pandemic incident response plans. I for one have sat at the executive management table where there is little oxygen in the room to discuss pandemics, where the topic is persistently de-prioritised off the agenda and where such talk of shutting offices was viewed as fanciful.
However, this should all be in the past. Businesses will now have global pandemic sat in their Board risk registers and top right of the impact / likelihood matrix. It is what we do now going forward, rather than looking back at past mistakes, that will future-proof our organisations.
You would be forgiven for thinking that this article is about pandemic response. However, this post is about, as the title suggests, going back to cyber-security basics when protecting our organisations.
This pandemic has shone a light right through our remote working models. Millions-upon-millions of employees are working from home, striving hard to keep business-critical functions operational and, at the same time, cyber security teams are trying to maintain the required level of security.
What COVID-19 hasn’t done is reduce the threats organisations face from cyber criminals. Funnily enough, these individuals do not have a corporate office that has been shut, where their management has told them to work from home and self-isolate. Remote isolation is a hacker’s modus operandi – every day!
Figures have shown that the pandemic has sparked an exponential growth in phishing, with a 650 per cent+ increase in the month of March, compared to February last year. COVID-19 has raised awareness among cyber-security experts that the internet, local networks, communication platforms, applications and devices that we so readily rely on are not quite ready for the global digital society we seek.
One of the main challenges faced by organisations I have been supporting is the time factor; the pace at which organisations were hit and the time to scale the required resources to forward mount all employees to home working has caught everyone off guard. Some organisations were in the midst of multi-factor authorisation programs, switching from on-premise to cloud or switching VPN provision. Even the most senior leaders in companies I have been working with have been caught out (I saw an example of a senior executive handing over work equipment to enable children to home-school and in doing so enabling his daughter to click on a phishing link in her school email).
The message is simple: back to basics. This is Duplo-level security guidance; follow the policies and procedures that are distributed by the cyber-security professionals within your companies and use common sense (not necessarily common for all). These are the policies and procedures that some senior leaders have given little time or effort to familiarise themselves with in the past.
There are some simple messages for leadership and employees that I have been sharing and working on with SMEs. These are listed below:
Be mindful of your online hygiene
- Do not click on suspicious links, especially if related to coronavirus, as attackers are using fear to prompt victims into clicking. Company policies should be consistently applied at home; report suspicious activity to support desks.
- On your own personal home IT equipment, ensure antivirus and anti-malware software are up to date, security patches are applied, and scans are run regularly.
Only use the approved company storage solution
- Do not start using local or cloud storage solutions that are not approved by the company. Storage locations should be approved and accessible to approved users.
Do not allow your work devices to be used for family reasons
- As tempting as it might be, keep work IT and family IT separate.
Avoid using personal devices to connect to the corporate network
- If you have to use a personal device, ensure you consult with your IT function. All devices must have strong passwords and be used only on your home network.
For the cybersecurity teams and CISOs I have been engaged with, the following applies:
- Where possible, implement MFA on all VPN connections and critical cloud services to increase security. If MFA is not implemented/possible, require home workers to use strong passwords.
- Ensure whitelisting is in place and that external emails are marked as ‘EXTERNAL’.
- Distribute short ‘info-mericals’ on the threats of COVID-19 phishing and related topics, and ensure employees do not click unknown or suspicious links.
- Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations.
- Closely monitor privileged access by optimising the behavioural analytics tools for detecting suspicious activity for admins and those who handle critical data.
- Adapt security monitoring systems and strengthen the log monitoring rules for triggering alerts. Security operations teams should manage the increased number of alerts, sorting them by risk and distinguishing false positives from genuinely suspicious events.
- Ensure web and email protection by implementing web filtering technologies to prevent employees from visiting malicious websites. Implement email filtering rules to block spam and phishing emails.
- Limit privileged access and activities to only what is strictly necessary. Administrative activities should be closely monitored and controlled.
I have previously written about what doing the basics can mean for an organisation, how all employees can collectively play a part in reducing the security risks faced by companies, much like always wearing a seat belt to save lives and brushing one’s teeth to prevent poor oral hygiene. COVID-19 has reiterated the need for basics to be followed by all employees and the need for companies to invest in a multi-factor biometric approach to security, which can efficiently safeguard sensitive employee and customer data whilst future-proofing their business.
When we all come out of the other side of this difficult period, we will see that flexible working for many more companies will be more accepted and, in turn, security will matter more. Pandemic incident response and enterprise operational resilience will matter more.
That will be the time for the professionals among us to step up. Time to have the right people holding the right conversations. Time for CSOs, CROs and CISOs to step into the Boardroom and have the data and lessons learned from this difficult period to build on the security mindset and resilience required to face the next pandemic.
Because there will be another.