A CISO Agenda for Addressing COVID-19 Challenges

Andrew Retrum, Managing Director Security and Privacy

With millions of workers around the globe working from home in an effort to contain the spread of COVID-19, the guardians of information security are facing an unprecedented array of challenges, from network capacity concerns to an escalation in cybersecurity incidents. As organizations alter their operating models to accommodate a remote workforce, chief information security officers (CISOs) should be reassessing their priorities related to cyber risks, data security and compliance in light of the new reality.

The Macro View

From a macro perspective, here are a few of the considerations CISOs should be weighing:

How does the change to a remote workforce alter the risk profile of the organization? 

Most corporate networks are not set up to allow a majority of workers to connect remotely. As a result, with millions of workers signing into corporate VPNs through insecure routers and personal devices, the risk of cyber intrusion has increased exponentially.

The key concern for CISOs is balancing the need to bolster network capacity to accommodate the increased volume of remote traffic while protecting the security of networks and data.

Is certain data more susceptible to compromise given the decentralized workforce?

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warns that malicious actors are using COVID-19 as a pretext to send emails with attachments or links to fraudulent websites to trick victims into downloading malware or revealing sensitive information, such as medical records and financial information.

Given the decentralized workforce, CISOs should continue to send frequent reminders to employees to avoid clicking suspicious links or attachments and to remain vigilant against phishing emails.

How have changes to key vendors’ operating models altered the risk to the organization? 

Due to the unpredictability of the pandemic, vendors can be expected to make quick decisions to protect themselves and their employees and in the process may not fully consider the effects on the organizations they service. 

Firms need to understand the fluidity of the current environment and proactively reach out to all critical vendors to understand how their operations have changed or are changing. Where needed, organizations can make accommodations such as relaxing certain requirements if that would ensure continuous, secure or reliable services.

Are specific controls less effective, or even not available, when using remote access and other less-frequently utilized channels to perform key business functions?

Outside the safety and security perimeter of the workplace environment, specific controls may be less effective or unavailable. For example, efforts to lock down and protect data on user laptops may be circumvented entirely if the ability to work from non-corporate devices is introduced. Another example is sharing files using collaboration tools: These documents may not go through the usual file monitoring process, which could facilitate the propagation of sensitive information to unauthorized users. CISOs can address this issue by making sure the workforce is using sanctioned tools, not shadow IT, and deploying technical controls as they identify new potential risk channels.

The Micro View

One silver lining that has emerged from recent events is that organizations are finding creative ways to solve operational challenges. While the inventiveness is commendable, security professionals should understand how crisis-driven operational decisions are changing the organization’s risk profile. CISOs should stay on top of creative, on-the-fly solutions to ensure they are implemented smoothly without unmitigated security compromises.

As new practices and technologies are rapidly adopted in response to the pandemic, here are a few key questions and considerations:

Will bandwidth be an issue for a new or existing service given the significant increase in remote usage? 

  • Have VPN concentrators and gateways been assessed, and are they actively monitored, for bandwidth concerns?
  • What single points of failure exist that should be monitored closely or aggressively addressed to achieve redundancy and maintain availability?

Are traditional security controls operating in a similar manner in the new environment?

  • Are monitoring capabilities that would typically detect bad actors or malicious behavior in place for the new solution? 
  • Is there logging that can be enabled to retroactively identify issues and events?
  • Can data loss prevention (DLP) or other similar tools be used to monitor and block the transfer of sensitive information?
  • Can the use of home systems or other non-corporate devices be restricted?

Additional Tips

  • Take a quick inventory of security controls and processes. This is important to ensure systems will operate properly as remote traffic increases. For example, security leaders should know whether they rely on individuals to be in the office to push security patches or other critical updates to the device. If so, are there concerns with the volume of traffic created by these updates on critical infrastructure supporting remote access? 
  • Beware of phishing threats. Phishing campaigns often leverage current events to gain credibility and the attention of unsuspecting victims. Information security professionals should reinforce the need for vigilance when receiving emails and other communications.
  • All hands on deck. Consider adopting a bi-modal model of operations within the IT security department, with a small team focused on COVID-related activities while the remaining team continues with business as usual to minimize disruptions.
  • Security tools and (IT vendors’) capabilities. Just as Microsoft is doing with its Teams platform, many security vendors are offering license and fee waivers to encourage organizations to adopt tools that will help them manage their remote workforce. CISOs should not miss an opportunity to adopt some of these tools now, both to address the immediate risks and to maintain a stronger security posture in the future.
  • Last but not least, show empathy and patience. Be flexible. Do whatever you can to support your team, internal customers and external stakeholders during these difficult and dynamic times.

Find this and other related content on Technology Insights, Protiviti’s technology blog.
