In my previous blog post, I promised more guidance on the next steps to consider taking now, while the pandemic is still upon us. Here are eight actions CISOs should consider taking.
Action Item #1: Focus Significant Resources on Stopping Threats
This first piece of guidance should not be anything new, though the attackers continue to up their game and use the fear, uncertainty, and doubt of the pandemic for leverage. The advice is to focus significant operational, training, and policy resources on stopping email and social threats (phishing, vishing, smishing, and business email compromise), remote access threats (brute force, man in the middle, password sprays, and credential theft), and ransomware (awareness and education via continuous testing and simulations).
Gartner and CSO Magazine report that COVID-19-based phishing attempts are up 667% since the end of March. Further, social engineering to bring about ransomware-based compromises for remote workers has increased by 47% over the course of the pandemic. Clearly, phishing emails remain the top vector. Ransomware is being combined with a newer breed of extortion: the confiscation of records with the threat to expose them on the internet. This indicates a level of sophistication and contemplation that is typically shown by “nation-staters” (i.e., adversarial government-sponsored attackers) rather than the opportunistic sorts looking for a quick payday.
Know that these expert cyber-criminals are now capitalizing on the opportunity presented by the pandemic with phishing campaigns, sending out emails inviting employees to click on links to malicious software that purportedly presents health safety measures, and that your employees may also be misled by emails appearing to be from their own IT departments requesting credentials.
Tip: Create an alias account for your IT department and inform employees that any IT communication will only come from that account. Show them an example of how to locate the full domain name and the mailbox owner, so employees can verify sender authenticity.
Action Item #2: Develop a Written Remote Worker Policy
It pains me to say this because it is foundational in nature, but please make sure you have a written remote worker policy that indicates what is permissible for your employees. Mention sensitive data in it. Indicate that even family members should not have access or visibility to Personally Identifiable Information (PII) or electronic Protected Health Information (ePHI). Make working from a distinct and private area of the household an additional guideline. Do not make that part of the policy, as it is not possible to enforce that concept, and policy statements should only appear if they can be enforced with consequence management.
Action Item #3: Review Your Cyber-Insurance Policy
This next piece of advice is very important: Reach out to whomever handles risk and insurance in your organization, and demand to see your cyber-insurance policy. Maybe you are already familiar with it and know what exclusions or exceptions exist in it. You should look for a few key elements:
- Does my policy distinguish itself in any way for employees using their own computers? Does it reference a specific “work-from-home” rider? Does that include work from anywhere, including the local coffee shop? Does the policy indicate that I must be able to forensically examine any device involved in an attack, or defined as a breach? This could add multiple complicating factors and increase the cost of investigating an attack tremendously.
- Is Wiperware defined and covered as a named peril? Wiperware is a deleterious extension of ransomware designed to simply DoD-level erase all data, essentially making all your devices a brick—hence it is sometimes referred to as “bricked everything.”
- One possible issue is when employees bring unencrypted data home on thumb drives or use BYOD without hard-drive encryption. We’ve seen some insurance companies have exclusions in their policy where, if storage devices have unencrypted data, the carrier will not pay the claims. Any sensitive data taken or stored outside of the office should be encrypted.
- Know that the insurance market is in transition, with insurers moving to explicitly include or exclude cyber coverage in traditional policies. Be very conscious of when your current policy comes up for renewal, and if any of the language changed in it when you receive your new policy.
- As we mentioned previously, do not count on filing government claims for supplemental support. We are in unchartered territory as a country and the likelihood of this being favorable to your claim is very unclear at present.
Action Item #4: Review Your Existing Policies
I’ve already mentioned policies. Know this: You need to review each of your existing policies and do one of three things:
- Suspend the enforcement of a particular policy for a period of time. An example is the concept known as “split-tunneling.” Simply put, split tunneling is having some traffic routed over a corporate VPN (e.g., access to your ERP system) and some traffic routed directly to the internet from a source that is remote, like an employee home. Banning this from the work computer seems like a good policy to have—and it is usually. However, we now have almost every employee working remote, and potentially from BYOD computers. It may be wise to suspend this policy for 60-90 days, as employees may be able to get portions of their job done without being connected over the organizational VPN. In addition, that BYOD computer may be a family computer used by others in the household, making it is very undesirable to have that traffic traversing the company network.
- Give certain employees a short-term waiver if they simply cannot comply with the policy for a defined period of time. The policy remains in effect, but one department perhaps gets 30 days dispensation to not adhere to that policy. An example is multi-factor authentication using hardware tokens. We recommend MFA for every remote worker, but now we are in a place where you have “new” remote workers who have not used MFA before and need to receive and learn how to use their hardware token (and IT needs to assist in the setup). A short-term waiver may be a good approach, with some compensating controls in place via something like an Active Directory Group Policy Object in the meantime to allow controlled network access.
- Write a new policy. Call it the “Work from Non-Company Location” Policy. Make it short and simple (three pages at most), with no jargon. Tell employees only what you need them to know and do, nothing more. Don’t give tips here, give them focus, such as “use VPN” or “use your two-factor authentication or multi-factor authentication tool.” Do not use the words “should” or “may.” These things are not optional. Tell people who to call with questions. Give them a failsafe statement: “When in doubt about the origin of something you received, do not click or follow any instructions in that message or document. Contact your manager or IT.”
Action Item #5: Ensure You’re Using Commercial Cloud-Based Services
Many companies quickly moved to the cloud in early and mid-March. There are free cloud-based services and there are commercial cloud-based services. However, free services are not free. If you're using a free service to run a business of any size, you are putting your customers, your employees, and your critical intellectual property at risk. If you're going to use the cloud for business, you must pay the money and use commercial services. If you have any free cloud-based services, switch them to commercial as soon as possible. Inventory all the cloud-based services, make sure you understand the exposures and risks, and implement the appropriate commercial grade that has security and proper monitoring built in.
There are very good tools for assessing and evaluating your cloud-based cybersecurity. There are also ones that have variability in effectiveness or do not work at all. Know this going in and contact organizations who know this landscape. We know it well at ConvergeOne and supply insight and recommendations to customers who are making this transition so that they do not introduce risk to their organization.
Action Item #6: Evaluate the Perception of Risk Management
As the head of cybersecurity, you must show resolve in evaluating the perception of risk management in your organization by doing the following:
- Take time now to develop and track metrics to measure the success of cybersecurity risk management and illustrate the value of the program to senior leadership in the form of business aligned reports (give examples of unfortunate calamities happening to others due to poor readiness and resiliency).
- Become the CRO (Chief Resiliency Officer). Create deliverables that inform senior leadership about your cybersecurity’s risk improvement, where you were, and where you are at presently. Highlight the potential cost of risk had you not made improvement and the digital asset value created by risk mitigation or transference projects.
- Once back in a more steady state, institutionalize the cybersecurity risk management program by consistently engaging key stakeholders within and outside of IT.
- Show holistic concern by dominating the knowledge of what drives your business. Think and speak like an auditor. Auditors have the trust of senior leaders. It has always been this way in corporations and will not stop now.
Doing these four things will transform the perception of your security team. You will go from being seen as a necessary IT function to being a business-enabling component.
Summing It All Up
We live in vastly changing times. Individuals and organizations have scrambled to remain productive while working remotely. New tools have been introduced for communicating and sharing information while off the company network. Your IT teams have delivered, providing what was necessary with what was available.
Now, security leaders, that dust has settled and it’s a good time to review your security posture knowing that remote work introduces security concerns different from on-premises concerns. Know your employees may have turned to a wide variety of publicly available online applications.
ConvergeOne is here to help with everything from understanding how to monitor network security with such a large footprint to assessing your risk of data breach or potentially violating privacy legislation and all domains that sit in-between. We can be your virtual CISO, DPO, or your information security management office.
There is much more to discuss, but I leave you with this: You are accountable as a CISO or head of security/security operations. Of that, there is no doubt. Failure to do your function well can result in an existential disaster for your firm. Cybersecurity and privacy are as much an art as they are a science, so your keys are founded in this question: Am I prepared to recover, and do I have the resilience to run my operation properly in the face of a major cyber event?
Recovery is the key to success. Stay safe, stay well, and stay secure.
Is Your Business Prepared to Withstand a Ransomware Attack?
The ConvergeOne Ransomware Readiness Workshop focuses on your organization’s readiness to withstand a ransomware attack. During this workshop, ConvergeOne experts will analyze your environment in areas like user awareness training, network security and segmentation, testing and monitoring, incident response plans, and disaster recovery.
Schedule your complimentary Ransomware Readiness Workshop today.