COVID-19: The top 6 cyber issues your Organisation faces and what to do about them
It’s now a cliché, but we live in unprecedented times. Organisations, people and societies are rapidly adapting to protect themselves from COVID-19. The focus is correctly on protecting people, business and critical national services. Organisations are being forced to adopt new methods of working, new systems, new services and new streams of business, in timeframes and manners that would be inconceivable, and potentially unsafe, at any other normal time.
Here are the top 6 notable observations that Ward Solutions are seeing at the moment with respect to information and cyber security, and our suggestions for addressing them.
The Shift to capital “A” small “c” small “I”
Cyber security professionals were traditionally focused on Cia – Confidentiality (with a capital C), integrity and availability (small i, small a), perhaps reflecting an implied priority. The world right now seems focused on Availability with a capital A. Right now it’s about the survival of organisations: access to systems and services via the new remote working model is key, while Integrity and confidentiality (compliance), as always really important, seem to be taking a back seat in the fight for survival.
Rapid deployment and adoption
Prior to COVID19, organisations were working on strategic, planned roll-outs of their IT and digital transformation strategies. In the last number of weeks some organisations have rolled out and adopted 2 years’ worth of IT work programme and strategy in a highly accelerated manner, to serve their organisations in the new reality of COVID19. This has been achieved without the usual governance, security design, risk management, assurance and testing controls that they had so carefully constructed to ensure order and control and to minimise downstream organisational risk.
Budgets shot, inflight projects continue for now
Most organisations are now rapidly scrambling to assess the financial and economic impact on their businesses. They need to spend money to put in place the key services that they need in order to continue to operate. Financial controllers are now trying to hoard as much cash as they can to hunker down for an indeterminate period of massive downturn, inevitably trying to rein in budgets and spend quickly until a “V” or “U” shaped recovery becomes apparent. Organisations still seem to be intent on continuing with the key in-flight projects that they were working on; presumably, if they were in flight, they were already a priority.
Scamsters and Nation States may push stressed businesses over the edge
Inevitably, criminals and nation states will seize on chaos, fear, uncertainty and doubt to ply their toxic trade: malware-laden websites, malware-laden emails of COVID-19 topical interest, business email compromise, invoice redirection and social engineering to gain a foothold in organisations. Glance in your inbox. The volume and nature of topical domains and URLs, COVID19 maps, “urgent” tenders and rapid cures for Corona Virus is telling. Distracted, distributed staff, changed business processes, rapidly adopted new systems and rapid, untested changes to environments mean that it’s going to be a really good year for cyber criminals and badly intentioned nation states, and a bad year for highly stressed businesses. The costs and impact of a significant cyber event are already well known and will be a significant factor in pushing a high volume of already highly stressed organisations over the edge. This could have national and global impact on critical services such as healthcare, life sciences, food production and distribution, utilities etc. at any time, but particularly during a pandemic/epidemic.
Beware of John and Jane
John and Jane are already highly stressed, worried about their family’s health, their employment security and their new way of working. John and Jane will be trying to get their job done come hell or high water, trying to find workarounds to the new impediments presented to them: rapidly adopted new business processes and systems, limited access to files, systems and data, and no physical access to their offices and work colleagues. Well-intentioned short cuts and workarounds are inevitable. Inadvertent data loss, data breaches and incorrect data production and analysis are inevitable. Well-intentioned John and Jane are inevitably highly vulnerable to scams. A malicious John and Jane are going to have a field day.
COVID19 has shot holes in Business Continuity Plans
The COVID19 crisis has exposed vulnerabilities in organisations with mature and immature business continuity plans alike. Organisations’ business continuity models had not anticipated the full likelihood and impact of global working from home, travel restrictions, dual work sites and workforce infections on a global scale in similar timelines. Invocation of remote working and business continuity has broadly succeeded in continuing their business for now, but has left a lot of organisations in a very vulnerable position in the medium term.
The Top 6 things to do right now
Re-establish control, governance and security strategy
This is our new normal. Re-establish control through a systematic approach to securing your IT environment. Go back to basics. Build an inventory of what has changed in your IT environment; there is a high likelihood that your users have resorted to “shadow IT” services to get the job done. Risk-assess and test your organisation, and put in place structured, prioritised mitigation planning and remediation. Ensure that new services and systems are incorporated into your security lifecycle. Don’t sacrifice strategic security initiatives when addressing short-term tactical issues. There will inevitably be a recovery from COVID19, and organisations that are well positioned strategically will capitalise on that recovery best. Organisations that don’t have the right security strategy may not even survive the COVID19 crisis.
Re-establish compliance & basic best practice security operations
Make “c” a capital “C” again. Re-establish data protection, privacy and any other compliance and regulatory mandates that you have, such as ISO, SOX etc. This will help de-risk financial or contractual risk and penalties, and it will also benefit your customer, partner and employee relationships and trust. Put in place the basic IT and cyber security controls to secure and lock down the new systems, new processes, new people/partners, new endpoints etc.: security design review, secure implementation and hardening, assurance/testing, strong identity and access management, data protection, and the security operations of scanning, patching, monitoring and incident response. Review and test firewall rule changes and new devices/endpoints.
Review your processes
Your processes and work patterns have most likely changed. New systems may have been introduced. Workarounds on original systems and processes are most likely the order of the day. Collegial proximity is now happening virtually or not at all. Original controls may no longer apply, or where still relevant may not be being applied. A process risk assessment and audit, as part of an overall risk assessment and security audit, may need to be conducted, with new controls established or original controls re-applied, audited and monitored.
Re-educate your people
Your “human firewalls” are consistently your most effective security control. Right now they are stressed and over-worked, and they need an updated “rule set”, “threat intelligence” and enhanced “stateful inspection” capabilities. Educate them on the new work environments, their new processes and controls, the new risks that they face and how to deal with those risks. A blended approach always works best, so factor in time for tele-conferenced, instructor-led, collaborative learning coupled with eLearning and policy toolsets. You may also need to consider enhanced defence in depth for your users, endpoints, and web and email content controls, to try and counter a mass upsurge in email scams and email- and web-borne malware.
Ensure you have locked down and metered cloud services and licence use
Rapid adoption of new services such as cloud is point and click. Most cloud security incidents centre on a few key areas:
• Failure to identify and inventory cloud services and shadow IT. Ensure that you audit and inventory cloud adoption and use. You may need cloud discovery audits to ensure you have a full inventory so you can apply policy and controls.
• Failure to do due diligence on a cloud vendor, assuming they are secure because they have lots of customers. In our experience cloud vendors, big and small, can have significant and fundamental security failings in their cloud offering.
• Failure to understand the shared security responsibility in cloud services and an assumption that my cloud vendor has got my back from a cyber-security perspective. You need to understand what your vendor does and doesn’t do from a cloud security perspective and then take responsibility for and put appropriate controls in place for the pieces that are your responsibility.
• Failure to implement security SKUs and controls appropriately. Some vendors offer really good security features, which are often not appropriately secure by default. A rapid adoption of a cloud service by a relatively unskilled operator can literally leave buckets of critical or personal data open on the internet. Even skilled sysadmins make mistakes, so verification and validation of the implementation is always required, during build and in operation.
• Failure to understand, meter and limit cloud consumption and usage, which can lead to unplanned, very rapid and expensive usage in a short period of time. Frequently organisations are oversold, or use more than they actually require. Know your likely and most efficient consumption model, and monitor your consumption and usage carefully and frequently to avoid unexpected or unsustainable costs.
• Similarly, if you have mass-adopted remote access, telecommunication or other collaboration services, ensure that you are appropriately licensed. Be very careful of “introductory” no-cost offers that drive mass adoption of a solution in vulnerable times but which may expire, resulting in large unplanned fees at renewal or non-compliance with licence terms. Temporary solutions have a habit of becoming permanent.
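The “verification and validation of implementation” point above is the one that is easiest to automate. As an added example (not Ward Solutions’ code), the Python below reads a constructed bucket policy in the AWS S3 policy JSON format and flags any Allow statement that grants read or list access to anonymous principals, the pattern that leaves a bucket open on the internet; the bucket, account and role names are made up.

```python
import json

# Constructed sample bucket policy in the AWS S3 policy JSON format. The second
# statement grants anonymous read of every object: the classic "open bucket".
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TeamAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/HrTeam"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::hr-uploads-example/*"},
        {"Sid": "PublicRead", "Effect": "Allow",
         "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::hr-uploads-example/*"},
    ],
})

# Actions that expose data if granted to everyone (lower-cased for matching)
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # Both "*" and {"AWS": "*"} mean "anyone on the internet"
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False

def find_public_statements(policy_json):
    """Return Sids (or statement indexes) of unconditional Allow statements
    that grant read/list access to anonymous principals."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional grants need manual review; not flagged here
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings

if __name__ == "__main__":
    print(find_public_statements(SAMPLE_POLICY))  # ['PublicRead']
```

Run it against each bucket policy exported from the console or CLI as part of the build sign-off, and again on a schedule in operation.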
Revisit and rebuild your Business Continuity
Organisations need to reassess and remodel their disaster planning and business continuity plans based on what has emerged from COVID19 and its impact over the medium term. They then need to invest in business continuity processes and infrastructure to provide the new business continuity capabilities that are required. Organisations may also need to engage actively with government, contributing to national policies and investments in the critical national infrastructure and services that their organisations will now be heavily reliant on for the future, such as national broadband, power, healthcare, food security etc.
As always, Ward Solutions will continue to Assess, Protect, Detect & Respond to your cyber security needs. If you need to contact Ward Solutions on any matter, then:
- Contact your normal account manager for sales or firstname.lastname@example.org
- Contact our orders department at email@example.com
- Contact our service delivery office at firstname.lastname@example.org
- Contact our Security Operations centre at SOC@ward.ie
- Contact our Network Operation centre at NOC@ward.ie
- Contact our finance department at Finance@ward.ie