Cybersecurity Considerations for Business Leaders Navigating COVID-19 Disruptions
In this article, we discuss what needs to be at the forefront of every business leader's mind when it comes to protecting their organization during quarantine.
Businesses around the world have responded to the evolving health and financial risk factors posed by coronavirus disease 2019 (“COVID-19” or the “virus”) with significant workforce changes, including asking employees to work remotely to mitigate the risk of transmission in the workplace. Some companies facing more dire circumstances have taken actions including furloughing or laying off workers.
Such changes not only pose challenges for businesses from a collaboration and continuity of operations standpoint, but they also involve cybersecurity risks that business leaders must carefully assess and mitigate. With headlines suggesting that COVID-19 will remain a top business challenge for some time, leaders should refocus attention on how they can proactively manage risk, including from a cybersecurity standpoint.
This article outlines cybersecurity issues business leaders should take into consideration as they navigate the business changes brought on by the COVID-19 pandemic. In many industries, the current situation is causing unprecedented business disruption. As a result, organizations are either devising or revisiting strategies for weathering the storm. Leaders should identify and prepare for cybersecurity-related contingencies appropriate to scenarios their business may face, which may include (but are not limited to):
- Unavailability of key personnel necessary for important cybersecurity functions.
- COVID-19-themed phishing attacks, social engineering activity, and targeted intrusions.
- An abrupt transition to a partially or fully remote workforce.
- Protection of organizational assets, including intellectual property and trade secrets, especially during workforce reductions and subsequent organizational changes.
Businesses Should Remain Focused on Proactively Addressing Cyber Threats
Recently reported cybersecurity attacks — including on the U.S. Health and Human Services Department and private organizations involved in the global fight against the virus — are stark reminders that leaders must not lose sight of cybersecurity threats, even as their organizations are buffeted by the unprecedented financial and operational challenges brought on by COVID-19.
Leaders will face different challenges as they chart a course for their organizations through the outbreak. An organization’s business model, risk appetite, technology assets and footprint, workforce plans, scale, geographic footprint, and existing cybersecurity capabilities may influence priorities.
As an example, a smaller business may need to prioritize the implementation of foundational security measures, such as mobile device management (MDM) to support effective revocation of access; virtual private network (VPN) solutions to protect data-in-transit; data loss prevention (DLP) to prevent exfiltration of sensitive information; cloud-access security brokers (CASB) to secure cloud access; and employee awareness of common attacks and security best practices.
In contrast, larger corporations may have foundational controls implemented and need to focus on the coverage, maturity, and efficacy of existing cybersecurity controls, as well as abuse cases likely to be exploited by a more sophisticated adversary (e.g. exfiltration of intellectual property via unmanaged devices, cloud-based solutions, or third-party products). Despite the differences, all organizations — especially those that must protect highly confidential information, intellectual property and trade secrets — should leverage industry standards and frameworks (e.g. ISO, NIST, CIS Controls, or OWASP) to ensure that cybersecurity measures are comprehensive enough to provide effective protection for key organizational data and assets.
This last point is critically important. Should regulatory action or litigation arise as a result of the compromise or misappropriation of an organization’s information?
Ensure Contingency Planning Addresses Adequacy of Staffing for Important Cybersecurity Functions
One of the most challenging aspects of the COVID-19 pandemic is its unpredictability. The disease has affected both young and old, and anyone could quickly be determined to be too contagious or ill to effectively carry out their job-related responsibilities. As a result, effective contingency planning should include testing of incident response and business continuity plans.
Organizational business continuity plans should be scoped to include key organizational functions, including cybersecurity processes. Amid contingency planning, organizations often fail to conduct an analysis of “key man risk” for critical cybersecurity processes and initiatives. In a pandemic scenario, it is important for organizations to understand vital cybersecurity processes and whether key personnel can be effectively backfilled if they become too ill to work.
We have frequently seen that even in large, extremely well-resourced organizations, critical cybersecurity functions might fall to one person with no redundancy. Too often, cybersecurity staff operate in a siloed fashion — focused on operation and maintenance of a particular security solution — and there is not enough cross-training and sharing of technical and organizational knowledge to effectively backfill key staff. In the current climate, business leaders and their cybersecurity leadership should ask themselves: “of the critical cybersecurity processes we must perform across the technology organization, are there any key tasks where we are one person away from not being able to carry out the mission?” Given the nature of the current situation, organizations should prioritize such an analysis and implement a plan to address any identified problem areas.
Enforce Cybersecurity Controls for Remote Workers
Many larger companies will already have implemented foundational security controls to support remote work, such as MDM solutions to monitor, manage, and secure staff devices, and VPN solutions that encrypt data in transit and leverage multi-factor authentication (MFA). Smaller companies may not have these controls implemented but should consider adoption depending on the organization’s scale, mission and assets. Larger companies may need to evaluate the security of VPN solutions in use by the organization as well as other controls that support remote work, including authentication and authorization, conditional access controls and DLP solutions.
Key considerations for all organizations include (but are not limited to):
- Whether VPN solutions, network infrastructure, and devices in use by the organization have received the latest security updates and patches.
- Whether MFA is implemented for all VPN connections.
- Whether VPN latency (the amount of time it takes between sending a request and receiving a response from the resource being accessed) is acceptable in a mass usage scenario, or whether personnel’s ability to perform key tasks is impaired.
- Whether technology and cybersecurity staff are able to effectively detect and respond to incidents and attacks through log review and other incident response and recovery tasks.
- Whether identity and access management controls are appropriately restrictive for remote work scenarios, especially access from home networks.
- Whether the organization has restricted the URLs — particularly malware-infected or phishing websites — that staff can access while working remotely.
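Two of the checklist items above (MFA on every VPN connection, and VPN infrastructure and clients running patched versions) can be verified from the gateway's authentication logs rather than taken on faith. The script below is an added example, not code from the original article or from any VPN vendor: the key=value log format, the field names (`mfa`, `client`, `result`) and the minimum client version are all assumptions, and the log lines are constructed. It reports successful sessions that were established without MFA and sessions from clients older than the assumed patched baseline.

```python
"""Review constructed VPN gateway authentication log lines for two checklist
items: MFA on every VPN connection, and VPN clients running a patched
version. The log format, field names and minimum version are assumptions
for this example, not any vendor's real format."""
import re

# Constructed sample log lines (key=value format assumed for this example).
SAMPLE_LOG = """\
2020-03-23T08:02:11Z vpn-gw1 event=auth user=alice src=198.51.100.7 mfa=yes client=9.4.2 result=success
2020-03-23T08:03:40Z vpn-gw1 event=auth user=bob src=203.0.113.22 mfa=no client=9.4.2 result=success
2020-03-23T08:05:09Z vpn-gw1 event=auth user=carol src=192.0.2.15 mfa=yes client=9.1.0 result=success
2020-03-23T08:06:31Z vpn-gw1 event=auth user=dave src=203.0.113.90 mfa=no client=9.0.3 result=failure
2020-03-23T08:07:55Z vpn-gw1 event=auth user=alice src=198.51.100.7 mfa=yes client=9.4.2 result=success
"""

MIN_CLIENT_VERSION = (9, 4, 0)  # assumed minimum patched client version

# timestamp, host, then the remaining key=value pairs
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    fields["ts"] = m.group("ts")
    fields["host"] = m.group("host")
    return fields


def version_tuple(s):
    """Turn '9.4.2' into (9, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in s.split("."))


def review_vpn_log(text, min_version=MIN_CLIENT_VERSION):
    """Return sessions that violate the MFA policy or use an outdated client.

    Only successful authentications are considered: those are the sessions
    that actually granted access. Failed attempts are a separate question.
    """
    findings = {"no_mfa": [], "old_client": []}
    for line in text.splitlines():
        f = parse_line(line)
        if not f or f.get("event") != "auth" or f.get("result") != "success":
            continue
        if f.get("mfa") != "yes":
            findings["no_mfa"].append((f["ts"], f["user"], f["src"]))
        if version_tuple(f.get("client", "0")) < min_version:
            findings["old_client"].append((f["ts"], f["user"], f["client"]))
    return findings


if __name__ == "__main__":
    result = review_vpn_log(SAMPLE_LOG)
    for ts, user, src in result["no_mfa"]:
        print(f"{ts} {user} from {src}: session established without MFA")
    for ts, user, ver in result["old_client"]:
        print(f"{ts} {user}: VPN client {ver} below minimum {'.'.join(map(str, MIN_CLIENT_VERSION))}")
```

On the constructed input the review flags bob's session (no MFA) and carol's session (client 9.1.0 below the 9.4.0 baseline); dave's failed attempt is ignored because it never granted access. Running a check like this on a schedule turns "is MFA enforced for all VPN connections?" from a policy assumption into a measurable control.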
Other measures that can be taken to harden corporate and unmanaged workstations include disabling writing to USB devices and CD-ROM, and using full-disk encryption to ensure organizational data is protected. Additionally, in case of a lost phone or workstation, the organization should determine whether it can remotely wipe devices.
Promote Security Awareness
Cybersecurity awareness is particularly important for organizations that may be working to implement controls to support remote work. Staff needs to be aware of key security issues including (but not limited to):
- Best practices for acceptable use of corporate technology.
- Best practices for password complexity.
- Best practices for locking unattended devices.
- Data protection and handling policies and key organizational assets that need to be safeguarded.
- The specific risks associated with public wi-fi networks, including man-in-the-middle attacks that could result in the interception of corporate information.
- Guidelines for employees when secure, private wi-fi networks are unavailable, including identifying and rejecting insecure certificates, avoiding downloading organizational information over public wi-fi, or using a mobile hotspot instead.
- Increased phishing and vishing activity, social engineering, and other targeted attacks leveraging COVID-19-related themes.
Protect Organizational Data During Workforce Changes
A baseline requirement for protecting corporate information at any time, but particularly during a scenario where workforce reductions are contemplated, is identifying critical hardware and software assets, prioritizing their protection based on relevant abuse cases, and enforcing controls to prevent unauthorized access and exfiltration of sensitive information. This is particularly important for the protection of intellectual property, trade secrets, and other confidential business information when workforce changes are expected.
Beyond knowing and prioritizing the protection of your business’s most sensitive information, there are a number of potential issues to consider ahead of potential workforce reductions and subsequent staff reorganizations:
- Whether data loss prevention (DLP) and other enterprise controls have been validated through testing to ensure that they have the appropriate coverage and operate as designed (i.e., test to ensure controls are able to prevent the exfiltration of the organization’s most sensitive assets);
- Whether the activity of departing personnel with access to sensitive data is monitored through tools including DLP, file integrity monitoring, and security information and event management (SIEM) solutions;
- Whether identity and access management solutions and processes are adequately centralized to provide effective revocation of access by disabling the accounts of terminated employees; and
- Whether the organization should conduct a comprehensive user access review following workforce reductions and subsequent organizational changes, to validate that staff have not accumulated excessive privileges through role changes.
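The last two items above (timely revocation of access for terminated employees, and a user access review to catch privileges accumulated through role changes) both reduce to reconciling the HR roster against the identity provider's account export. The script below is an added example, not the authors' or any vendor's code: the roster, the IAM export and the per-role entitlement baselines are constructed dictionaries, and in practice each would be pulled from the HR system and the identity provider. It flags enabled accounts whose owner is terminated, accounts with no HR owner at all, and active users holding entitlements outside their current role's baseline.

```python
"""Offboarding and access-review checks, as an added example. The HR roster,
IAM export and role baselines below are constructed for illustration."""

# Constructed HR roster: employment status and current role per person.
HR_ROSTER = {
    "alice": {"status": "active", "role": "engineer"},
    "bob":   {"status": "terminated", "role": "finance-analyst"},
    "carol": {"status": "active", "role": "engineer"},  # moved here from finance-analyst
    "dave":  {"status": "active", "role": "it-admin"},
}

# Constructed IAM export: whether each account is enabled and what it is entitled to.
IAM_EXPORT = {
    "alice": {"enabled": True, "entitlements": {"vpn", "source-repo"}},
    "bob":   {"enabled": True, "entitlements": {"vpn", "erp-ledger"}},
    "carol": {"enabled": True, "entitlements": {"vpn", "source-repo", "erp-ledger"}},
    "dave":  {"enabled": True, "entitlements": {"vpn", "domain-admin"}},
    "svc-backup": {"enabled": True, "entitlements": {"backup-storage"}},  # no HR record
}

# Constructed role baselines: the entitlements each role is expected to hold.
ROLE_BASELINE = {
    "engineer": {"vpn", "source-repo"},
    "finance-analyst": {"vpn", "erp-ledger"},
    "it-admin": {"vpn", "domain-admin"},
}


def find_orphaned_access(hr, iam):
    """Enabled accounts of terminated people, plus accounts with no HR owner.

    The first list is the revocation gap; the second needs a named owner
    (service accounts in particular) before it can be reviewed at all.
    """
    terminated_enabled = sorted(
        user for user, acct in iam.items()
        if acct["enabled"] and hr.get(user, {}).get("status") == "terminated"
    )
    no_owner = sorted(user for user in iam if user not in hr)
    return {"terminated_but_enabled": terminated_enabled, "no_hr_owner": no_owner}


def find_excess_privileges(hr, iam, baselines):
    """Entitlements beyond the current role's baseline for active users.

    Anything outside the baseline is typically a leftover from a previous
    role and is exactly what a post-reorganization access review should catch.
    """
    excess = {}
    for user, acct in iam.items():
        person = hr.get(user)
        if not person or person["status"] != "active":
            continue
        extra = acct["entitlements"] - baselines.get(person["role"], set())
        if extra:
            excess[user] = sorted(extra)
    return excess


def access_review(hr, iam, baselines):
    """Combine both checks into one report for the review owner."""
    report = find_orphaned_access(hr, iam)
    report["excess_privileges"] = find_excess_privileges(hr, iam, baselines)
    return report


if __name__ == "__main__":
    rpt = access_review(HR_ROSTER, IAM_EXPORT, ROLE_BASELINE)
    print("Terminated but still enabled:", rpt["terminated_but_enabled"])
    print("Accounts with no HR owner:", rpt["no_hr_owner"])
    for user, extra in rpt["excess_privileges"].items():
        print(f"{user}: entitlements outside current role baseline: {extra}")
```

On the constructed data the review reports bob (terminated, account still enabled), svc-backup (no HR owner) and carol, who kept `erp-ledger` from her previous finance role after moving to engineering. The comparison against a role baseline is what makes the accumulated privilege visible; a review that only lists who has what, without a baseline to compare to, leaves the reviewer to spot such leftovers by eye.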
The ultimate effects of the COVID-19 crisis are unpredictable and will obviously vary from industry to industry. But as the saying goes, “those that fail to plan, plan to fail.” Cybersecurity is no exception to this rule. Whatever your business is, paying careful attention to foreseeable cybersecurity threats and implementing appropriate safeguards will help mitigate some of the risk and uncertainty in the current situation.
About the Authors
About Ryan McKamie
Ryan McKamie is CEO and co-founder of Certus Cybersecurity Solutions LLC, based in the firm’s San Francisco Bay Area office. Ryan is responsible for Certus Cybersecurity’s global cybersecurity services business. His client work focuses on providing strategic and technical guidance to business and technology executives seeking to assess and improve their ability to defend against data breach and business disruption. Prior to Certus Cybersecurity, Ryan was a director at Visa Inc. and served as an officer in the US Army. Ryan holds active QSA, CISSP, CISM, CRISC and CISA certifications.
About Swapnil Deshmukh
Swapnil Deshmukh is CTO and co-founder of Certus Cybersecurity Solutions LLC, based in the firm’s San Francisco Bay Area office. A thought leader and technical expert with extensive experience in information security, Swapnil leads consulting delivery for Certus clients worldwide, partnering with executives to implement and enhance layered defenses and effective security processes and policies. Prior to Certus Cybersecurity, Swapnil served as a senior director at Visa Inc., where he played a leadership role in enhancing the company’s security architecture and secure software development lifecycle (SSDLC) capability.