Folks in the security industry like to talk about which risks are keeping CISOs awake at night. But these days, CISOs don't even get to sleep. COVID-19 has thrust us into a new reality, and even the most-prepared business continuity plans probably did not account for a worldwide pandemic that would simultaneously shutter all of its offices.
Cybersecurity professionals are risk averse, and the threat of coronavirus began to bubble up through their social networks well before it reached mainstream media. But even with the benefit of extra days or weeks of preparation, CISOs are still playing catch-up to securely enable home offices. More heavily regulated industries, such as those subject to HIPAA or PCI, are even more unsettled. In addition, we are already witnessing cyberattacks that exploit our fears of the unknown.
Let's take solace in the guidance of Mr. Fred Rogers, who said: "When I was a boy and I would see scary things in the news, my mother would say to me 'Look for the helpers. You will always find people who are helping.'"
CISOs and CIOs, you are our helpers. As you take action to reassure your company, your colleagues, and your board of directors by securely enabling a productive home office, your confidence is our confidence.
However, our paragons of cybersecurity might be concerned that amid all of their action, they are overlooking something important. As recent events have compelled organizations to extend work-from-home policies, many are realizing they have opened themselves up to a whole new threat landscape, putting their corporate systems, their employees, and their compliance initiatives at risk.
The Risk to Corporate Systems Posed by Home Networks
Some threats include using legacy or unprotected wireless networks, insecure passwords, or non-company-owned assets that are not protected by a company mobile device management (MDM) solution. Although there is no way to completely remove the risk, there are ways to minimize the attackable surface area for employees working from home.
Employees should be using a company-provided laptop that is managed to ensure virus protection and other security patches are installed, or if a company has a bring-your-own-device policy, then personal devices should be enrolled in an organization's MDM solution to ensure it is compliant with company policies.
Many companies use a VPN or data loss prevention (DLP) software that is meant to restrict and monitor access. All data is sent back to a "home base" and rules are in place to allow or disallow applications and other data. But not all companies use this architecture, which can be challenging for companies that operate in a diverse global environment. However, VPN and DLP infrastructure is also costly and difficult to maintain, so it isn't an option for every company.
The Risk to Remote Employees
It has always been gauche to suggest that humans are the weakest link, and now it seems downright ghoulish, but the unfortunate reality is that in this period of social distancing, our adversaries will be seeking to take advantage of our isolation. On a more uplifting note, the human element is our greatest strength — we will only overcome these challenges by working together. Security awareness, communication, and collaboration are key to ensuring our success.
Here are a few security awareness reminders that you can share directly with your organization:
- Do not open email from unknown recipients. If something looks suspicious, such as an attachment or URL, don't open it. Pick up the phone if you need to verify the sender, and contact your internal security group to notify them. Maintain a list of up-to-date contact numbers for your colleagues.
- Be especially vigilant about emails taking advantage of concerns about COVID-19.
- Only use approved messaging platforms, and do not share sensitive corporate data (such as passwords or customer information) on an unapproved messaging platform.
- Avoid storing corporate data on personally owned devices. (If your organization does not already have a file-sharing capability, there are various commercial solutions available for your company to consider).
- Ensure your home network and Wi-Fi connection is secured with a strong cipher/protocol for encryption such as WPA2 or above. Wired connections are more secure but encrypted network communication is still recommended.
The Risk to Compliance
Maintaining compliance has never been easy, especially if multiple regulations are involved. But with a remote workforce connecting through home networks, CISOs are now facing an unprecedented level of complexity. Understandably, CISOs are focused on the immediate tactics to enable their remote workforce to remain safely productive, but they should not lose sight of their strategic compliance initiatives. These initiatives will not only help ensure security during this transition but will also demonstrate trust to business partners and customers during these uncertain times.
Compliance management platforms can streamline and automate this process to minimize the time-consuming manual processes. Just as your organization is using technology to safely enable the productivity of remote workers, it can leverage technology to make compliance as efficient as possible.
Even more so, working with an experienced partner can accelerate compliance because well-defined processes minimize the time required for an audit. Select a provider with the capability to complete testing remotely, as allowed per standards. With the rising popularity of Zoom, video conferencing is an acceptable proxy for in-person meetings.
Ultimately, now is a time for partnerships. For every new digital collaboration, communication, and productivity tool available to the CIO, it is incumbent upon the CISO to enable its compliance with minimal disruption. Remember to look for the helpers.
- 8 Phishing Lures Preying on Pandemic Panic
- Why Humans Are Phishing's Weakest Link
- Using Application Telemetry to Reveal Insider & Evasive Threats
- State of Cybersecurity Incident Response
A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.