The rapid response to the COVID-19 crisis has exposed organisations to new vulnerabilities and security breaches. Bad actors, cyber criminals and hackers are in no mood to take time off, even during a crisis for humanity.
In the Czech Republic, a cyberattack on a hospital fighting COVID-19 brought surgeries to a halt and forced critical patients to be rerouted. The World Health Organization (WHO) website was attacked. Every day, companies are falling victim to DDoS attacks. Ransomware attacks have skyrocketed, and COVID-19 themed scams are at an all-time high.
Now that most workers are working remotely and organisations are altering their operating models to accommodate them, security and risk management teams need to be more vigilant and cautious.
These situations have put CISOs in a quandary. They face unprecedented challenges, ranging from network capacity to an escalation in cybersecurity incidents. It is time for CISOs to reassess their priorities around cyber risk, data security and compliance.
As a cybersecurity and risk practitioner, and also the CISO of Nissan Digital India & Deputy Global CISO, Nissan Motor, after a comprehensive assessment of the situation, I came up with six key points that CISOs need to consider while preparing their cybersecurity strategies during these times.
Here is a list of important FAQs that fellow CISOs can use as a reference to bring their security up to speed:
Q: Does the sudden shift to remote workforce alter the risk profile of my organisation?
Answer: Yes. Most corporate networks were not designed for the majority of workers to connect remotely. With millions of workers signing into corporate VPNs through insecure home routers and personal devices, the risk of intrusion has increased sharply. The key concern for CISOs is to balance the need to bolster network capacity for the increased volume of remote traffic against the need to protect the security of networks and data. Capacity pressure also tempts teams to relax controls, for example by enabling split tunnelling or loosening authentication requirements; such decisions should be made consciously, documented and reversed once the pressure eases.
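The capacity question above is answerable from the concentrator's own session logs. The following is an added example (not code from the article or from any vendor product) that walks a constructed, simplified session log, reports peak concurrent sessions against a licensed limit, and flags accounts holding sessions from two source addresses at once, which is worth a look whether it is credential sharing or a compromised account. The log format, user names and addresses are hypothetical; map your concentrator's syslog fields onto the `user=`, `src=` and `event=` keys.

```python
"""Capacity and session-sanity check over VPN concentrator session logs.

Added example, not from the original article. The log format is a
hypothetical, simplified one; real concentrators log more fields.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). One session event per line.
SAMPLE_LOG = """\
2020-04-06T08:55:10Z user=alice src=203.0.113.10 event=connect
2020-04-06T08:57:42Z user=bob src=198.51.100.7 event=connect
2020-04-06T09:01:03Z user=carol src=203.0.113.55 event=connect
2020-04-06T09:02:30Z user=alice src=192.0.2.200 event=connect
2020-04-06T09:05:00Z user=dave src=198.51.100.99 event=connect
2020-04-06T09:10:15Z user=bob src=198.51.100.7 event=disconnect
2020-04-06T09:12:00Z user=alice src=203.0.113.10 event=disconnect
2020-04-06T09:20:00Z user=carol src=203.0.113.55 event=disconnect
"""


def parse_line(line):
    """Turn 'timestamp key=value key=value ...' into a dict with a datetime."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyse_sessions(log_text, licensed_sessions, warn_ratio=0.8):
    """Replay events in time order, tracking open sessions per user.

    Returns peak concurrency, whether it reached warn_ratio of the licence,
    and the users that held sessions from two source IPs simultaneously.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda r: r["ts"],
    )
    open_sessions = defaultdict(set)  # user -> source IPs currently connected
    concurrent = peak = 0
    multi_src_users = set()
    for ev in events:
        user, src = ev["user"], ev["src"]
        if ev["event"] == "connect":
            if open_sessions[user] and src not in open_sessions[user]:
                multi_src_users.add(user)  # second live session, different IP
            open_sessions[user].add(src)
            concurrent += 1
            peak = max(peak, concurrent)
        elif ev["event"] == "disconnect" and src in open_sessions[user]:
            open_sessions[user].discard(src)
            concurrent -= 1
    return {
        "peak_concurrent": peak,
        "capacity_warning": peak >= warn_ratio * licensed_sessions,
        "multi_source_users": sorted(multi_src_users),
    }


if __name__ == "__main__":
    # A concentrator licensed for 6 sessions is already at 5 in this sample.
    print(analyse_sessions(SAMPLE_LOG, licensed_sessions=6))
```

Run this on a day's worth of logs rather than a snapshot: the peak, not the average, is what decides whether the next wave of remote logins gets refused.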
Q: Is certain data more susceptible to compromise given the decentralised workforce?
Answer: Yes. In the prevailing situation, malicious actors are using COVID-19 as bait: phishing emails and scams carry attachments or links to fraudulent websites that trick users into downloading malware or revealing sensitive information such as medical records or financial details.
Given the decentralised workforce, CISOs should keep sending frequent reminders to employees to avoid clicking suspicious links or opening unexpected attachments and to stay vigilant against phishing. Security awareness training for remote workers is critical and is the need of the hour; conduct it as often as you can. Awareness alone will not stop every click, so pair it with technical controls such as link and attachment filtering and a simple way for employees to report suspicious mail.
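To show what the technical side of that answer can look like, here is an added example (not code from the article or any mail gateway product) of triage rules for COVID-themed phishing, run over three constructed messages. It combines the lure wording with signals the lure alone does not give: a Reply-To domain that differs from the sender, links to hostnames that imitate a brand without being its real domain, and attachment types that carry macros or scripts. The organisation domain `example.com`, the trusted-domain list, the brand tokens and all addresses are hypothetical.

```python
"""Triage rules for COVID-themed phishing, run over constructed sample mail.

Added example, not from the original article. Domains, addresses and the
message dictionaries are hypothetical; the rules are heuristics to tune
against your own mail flow, not a replacement for a mail gateway.
"""
import re
from urllib.parse import urlparse

# Bait phrases, matched as whole words, case-insensitively.
LURE_TERMS = ("covid", "covid-19", "coronavirus", "pandemic", "stimulus", "relief payment")
# Brand tokens an attacker imitates in lookalike hostnames (hypothetical org: example.com).
BRAND_TOKENS = ("who", "cdc", "example")
# Domains whose senders and links are trusted (hypothetical list).
TRUSTED_DOMAINS = {"example.com", "who.int"}
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".docm", ".xlsm", ".iso", ".lnk")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def _is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _looks_like_brand(host):
    # Brand token as its own label or label fragment, e.g. who-int-relief.example.net
    return any(re.search(rf"(^|[.-]){tok}([.-]|$)", host) for tok in BRAND_TOKENS)


def triage(msg):
    """Return (verdict, reasons); verdict is deliver, review or quarantine."""
    text = (msg["subject"] + " " + msg["body"]).lower()
    lure = any(re.search(rf"\b{re.escape(t)}\b", text) for t in LURE_TERMS)
    technical = []
    if _domain(msg.get("reply_to", msg["from"])) != _domain(msg["from"]):
        technical.append("reply_to_mismatch")
    for url in re.findall(r"https?://[^\s<>\"']+", msg["body"]):
        host = (urlparse(url).hostname or "").lower()
        if not _is_trusted(host) and _looks_like_brand(host):
            technical.append(f"lookalike_link:{host}")
    for name in msg.get("attachments", []):
        if name.lower().endswith(RISKY_EXTENSIONS):
            technical.append(f"risky_attachment:{name}")
    reasons = (["covid_lure"] if lure else []) + technical
    if lure and technical:
        verdict = "quarantine"      # bait plus a technical indicator
    elif technical or (lure and not _is_trusted(_domain(msg["from"]))):
        verdict = "review"          # one indicator, or bait from an untrusted sender
    else:
        verdict = "deliver"
    return verdict, reasons


# Constructed sample messages (not real mail).
PHISH = {
    "from": "WHO Alerts <alerts@who-int-relief.example.net>",
    "reply_to": "claims@refund-desk.example.org",
    "subject": "Your COVID-19 relief payment is waiting",
    "body": "Claim it now at http://who-int-relief.example.net/claim before it expires.",
    "attachments": ["COVID_Guidelines.docm"],
}
LEGIT = {
    "from": "hr@example.com",
    "subject": "Updated work-from-home guidance during the pandemic",
    "body": "Please read the updated guidance at https://intranet.example.com/wfh-guidance",
    "attachments": [],
}
VENDOR = {
    "from": "sales@widgets-supplier.example.org",
    "subject": "Coronavirus: changes to our delivery schedule",
    "body": "Our warehouse hours have changed; see the attached PDF.",
    "attachments": ["schedule.pdf"],
}

if __name__ == "__main__":
    for m in (PHISH, LEGIT, VENDOR):
        print(m["from"], "->", triage(m))
```

The internal HR note mentions the pandemic but comes from a trusted domain with no other indicator, so it is delivered; the vendor mail lands in review for a human look; the lure plus mismatched Reply-To, lookalike link and macro-enabled attachment is quarantined outright.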
Q: Have changes to key vendors’ operating models also altered the risk to my organisation?
Answer: Yes. Given the unpredictability of the current situation, vendors can be expected to make quick decisions to protect themselves and their employees, and in the process may not fully consider the effects on the organisations they serve. Companies need to understand the current environment and proactively reach out to all critical vendors to learn how their operations have changed or are changing. Where necessary, organisations can temporarily relax certain requirements if that keeps services continuous, secure and reliable, but each relaxation should be documented, formally risk-accepted and given an expiry date so it does not quietly become permanent.
Q: Are specific controls less effective, or even not available, when using remote access to perform key business functions?
Answer: Yes. Outside the corporate security perimeter, specific controls may be less effective or entirely unavailable. For example, efforts to lock down and protect data on managed laptops (disk encryption, endpoint agents, patching) can be circumvented entirely once working from non-corporate devices is allowed.
Another example is file sharing through collaboration tools. Documents shared this way may bypass the usual file monitoring process, which can allow sensitive information to propagate to unauthorised users.
CISOs can address this by ensuring that the remote workforce uses sanctioned tools rather than shadow IT, and by deploying technical controls as they identify new risk channels.
Q: How should I, as a CISO, work in the present circumstances?
Answer: Understand how crisis-driven operational decisions are changing the organisation's risk profile, and stay on top of them so that changes are implemented smoothly without compromising security. As a CISO you need to answer at least the following questions:
Can my business function effectively through remote working?
Are traditional security controls operating in a similar manner in the new environment?
Have VPN concentrators and gateways been assessed for capacity, and are they actively monitored for bandwidth and concurrent-session limits?
What single points of failure exist, and are they monitored closely and given redundancy to maintain availability?
What would happen if there were a cyber incident now, with the response team itself working remotely?
Can Data Loss Prevention (DLP) or other similar tools be used to monitor and block the transfer of sensitive information?
Can the use of home systems or other non-corporate devices be restricted?
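The collaboration-tool sharing problem described in the previous answer and the DLP question above can be approached with a content gate at the point of sharing. The following is an added example (not code from the article or any DLP product) that scans a document's text for sensitive content and decides whether a share may proceed based on who the recipients are. The corporate domain `example.com`, the classification labels and the sample export are hypothetical; the card-number detector is the standard Luhn check, which is what keeps ordinary digit strings such as order or phone numbers from being flagged.

```python
"""Content gate for files shared through a collaboration tool.

Added example, not from the original article. The corporate domain, the
classification labels and the sample documents are hypothetical; the
card-number detector is the generic Luhn check.
"""
import re

CORPORATE_DOMAIN = "example.com"  # hypothetical
CLASSIFICATION_LABELS = ("CONFIDENTIAL", "INTERNAL ONLY", "RESTRICTED")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(number):
    """Luhn mod-10 check on a digit string; rejects most random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return findings as (kind, value) tuples; card numbers are masked."""
    findings = []
    for m in CARD_PATTERN.finditer(text):
        raw = re.sub(r"[ -]", "", m.group())
        if luhn_valid(raw):
            findings.append(("card_number", raw[:6] + "*" * (len(raw) - 10) + raw[-4:]))
    upper = text.upper()
    for label in CLASSIFICATION_LABELS:
        if label in upper:
            findings.append(("classification", label))
    return findings


def evaluate_share(text, recipients, corporate_domain=CORPORATE_DOMAIN):
    """Block sensitive content going to external recipients; audit internal shares."""
    findings = classify(text)
    external = sorted(r for r in recipients if not r.lower().endswith("@" + corporate_domain))
    if findings and external:
        decision = "block"
    elif findings:
        decision = "allow_and_audit"
    else:
        decision = "allow"
    return {"decision": decision, "findings": findings, "external_recipients": external}


# Constructed sample document (not real data). The second card number fails
# the Luhn check and is deliberately not reported.
CUSTOMER_EXPORT = """CONFIDENTIAL - customer refunds Q1
J. Doe   card 4111 1111 1111 1111   refund 120.00
A. Roe   card 1234 5678 9012 3456   refund 80.00
"""

if __name__ == "__main__":
    print(evaluate_share(CUSTOMER_EXPORT, ["alice@example.com", "partner@vendor.example.org"]))
    print(evaluate_share(CUSTOMER_EXPORT, ["bob@example.com"]))
    print(evaluate_share("Lunch menu for Monday", ["partner@vendor.example.org"]))
```

Wire a gate like this into the sharing hook or API of the sanctioned collaboration tool, log every finding even when the share is allowed, and keep the masked value rather than the full number in the log so the DLP trail is not itself a data leak.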
Q: What, in summary, can be the approach?
Answer: COVID-19 poses an unparalleled cybersecurity challenge. The crisis places a heavy burden on CISOs through a double impact: a mass transition to remote working coupled with a surge of cyberattacks seeking to profit from the chaos.
CISOs play a vital role in making sure the organisation can function as pandemic-specific measures are implemented. It is therefore critical that they take steps to help the business continue to operate securely and to give remote workers a seamless work-from-home experience.
Awareness is more important than ever. It is not news to anyone that attackers are leveraging the current situation for their own gain, as the increase in phishing attempts shows.
Last but not least, CISOs need to show empathy, patience and flexibility. They need to do whatever they can to support their teams, internal customers and external stakeholders during these difficult and uncertain times.
Tarun Kumar is CISO – Nissan Digital India & Deputy Global CISO, Nissan Motor
Disclaimer: The views expressed in this article belong solely to the author, and do not represent or reflect upon the views of his organisation.