Reducing Enterprise Cyber Risk During COVID-19ED AMOROSO
This article was shared with the TAG Cyber community during the earliest days of the COVID-19 Pandemic in early March of 2020. The suggestions made then are still quite applicable, so the article is re-shared here with our readers in the hopes that the ideas are helpful. Working from home via remote access will continue to dominate the enterprise landscape for many years, so security teams must learn to adjust.
With COVID-19 now revving its engine, I suspect that many of you are reading this article from the kitchen table, perhaps still in your pajamas. But even before the present global virus situation, this casual teleworking image was pretty familiar for many job functions. I mean – let’s be honest: Checking email is checking email – regardless of whether this mindless task is done on the corporate LAN or across your home broadband.
But when an entire company decides to collectively embrace telework at the same time, over an extended period of time, the result is that business processes must change. And whether a given change is good or bad is perhaps beside the point (although most required changes to accommodate virtual work are good). Rather, I choose to emphasize that as a result of COVID-19, some business processes will necessarily change. This is unavoidable.
Which brings me to cyber security. Now, it’s difficult to make general statements about our proud discipline of protecting enterprise that will apply in all instances, but here is one you can take to the bank: Business change creates seams between people, processes, and technology that can be exploited. This is universally true, regardless of how well any business change is managed. The goal is thus to minimize the size and duration of seams.
The conditions caused by COVID-19 are especially dangerous for cyber security, because the changes prompted already have three strikes against them: First, the situation was unplanned, with little or no advance warning. Second, it is largely unprecedented for most workers (I am in my upper fifties and other virus outbreaks felt much different). And third, it has no clear end. Virtual operations are being planned and there is no expiration date I am aware of.
So, enterprise security teams must deal with these exploitable vulnerability seams arising from business process changes. And they must do so for an unprecedented issue that could continue for some time. Sigh. Those are the facts, and if you work in enterprise security, you would be wise (even if your personal politics might suggest otherwise) to take this situation seriously. Below are five recommendations from the TAG Cyber team for immediate action:
ACTION 1: PROVIDE COMMON SENSE GUIDANCE FOR EMPLOYEES ON VIRTUAL CONFERENCING. While most employees already know that Zoom is not just a Seventies kid’s show, they should be reminded to be extra vigilant of scamming, eavesdropping, and other threats. Sending a clear text invitation over email to a conference call that will discuss next week’s reported earnings is just – well, you get the idea. Remind people to not be stupid.
ACTION 2: DEMAND INCREASED SITUATIONAL AWARENESS FOR SECURITY STAFF. I know that you already tell your boss that you’re at DEFCON 1. Despite this little white lie, get your SOC team or other individuals tasked with real-time detection, prevention, and response, and push them from DEFCON 3 to DEFCON 2 (I’ll let you fill in the definition). One idea might be a daily stand-up meeting (er, conference call) to discuss real-time indicators.
ACTION 3: REINFORCE SECURITY POLICIES FOR TELEWORKERS. This assumes (I hope, I hope) that you already have a published security policy for teleworkers. If you don’t have one, then have a look at this nice guide. It’s important, for example, that your employees remember that the helpful teenager at the Apple store is simply not authorized to work on your office computer. Make sure employees know your policies and understand their importance.
ACTION 4: REMIND EMPLOYEES OF HEIGHTENED PHISHING RISK. Everyone knows that when you get stressed, rushed, or confused, you will be more likely to click on something bad. It is your job as an information security professional to remind remote workers freaked out about COVID-19 to please . . .slow . . . down. Remind them that notifications will not come as emails with links. And if some external entity sends such a thing, they should ignore it.
ACTION 5: MAKE SURE YOUR SECURITY HOTLINE IS WORKING. When someone in the office becomes concerned about a security issue, they have the luxury to ask a colleague what to do. When that same person works from home, they are more likely to say the hell-with-it. You can minimize this by ensuring that your security hotline (you have one, don’t you?) is working. If an employee sees something suspicious, they should be encouraged to report it.
Look – I know that people like Elon Musk are calling this whole thing dumb – and for the average person, it is probably reasonable that they remain calm and go about their lives in a normal manner. But when you are in a position like enterprise security, it is your job and your responsibility to do the worrying so that others don’t have to. The last thing on this entire planet that your company needs is to get hacked as a result of COVID-19.
So, stop reading this article and go start working immediately on the five actions I recommended above. And please let me know how you are doing. Good luck.
To read the full TAG Cyber report, click here.
About Ed Amoroso
Dr. Ed Amoroso is currently Chief Executive Officer of TAG Cyber LLC, a global cyber security advisory, training, consulting, and media services company supporting hundreds of companies across the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016.
Ed has been Adjunct Professor of Computer Science at the Stevens Institute of Technology for the past twenty-seven years, where he has introduced nearly two thousand graduate students to the topic of information security. He is also affiliated with the Tandon School of Engineering at NYU as a Research Professor, and the Applied Physics Laboratory at Johns Hopkins University as a senior advisor. He is author of six books on cyber security and dozens of major research and technical papers and articles in peer-reviewed and major publications.
Ed holds the BS degree in physics from Dickinson College, the MS/PhD degrees in Computer Science from the Stevens Institute of Technology, and is a graduate of the Columbia Business School. He holds ten patents in the area of cyber security and media technology and he has served as a Member of the Board of Directors for M&T Bank, as well as on the NSA Advisory Board (NSAAB). Ed’s work has been highlighted on CNN, the New York Times, and the Wall Street Journal. He has worked directly with four Presidential administrations on issues related to national security, critical infrastructure protection, and cyber policy.