[BreachExchange] Don’t Abandon Security During a Crisis

[Destry Winant]

https://www.cisomag.com/dont-abandon-security-during-crisis/

Working within dispersed teams is often part and parcel of a CISO’s
job. In fact, before COVID-19, 7% of Americans were working remotely
either part or full-time, according to the 2019 National Compensation
Survey from the Bureau of Labor Statistics. But in the wake of social
distancing, almost all organizations are operating 100% remotely.

Other members of the C-Suite might elevate the importance of
productivity with remote teams. But as security executives, we should
approach the issue from a cybersecurity angle. This is not the time to
take our eyes off security in trade-off for expediency.

For IT professionals in industries not well-versed in remote work,
this notion is especially true. The sudden shift to remote work across
entire organizations has highlighted faultlines in some professions,
with industries like health care, education and service/production
feeling the pressure. CISOs within these industries are called to
expand on already successful security strategies with their teams —
who are often already dispersed to some extent — in a potentially
unexpected way.

These CISOs are pressed to weigh operational efficiency with security,
forced to manage risks while maintaining “normalcy,” and ease up on
employee end users in order to allow for more productivity across the
company. They also might be having conversations with the COO/CIO or
even the CEO about which processes impact operational efficiency the
most. But this is actually the time to be just as strict, if not
stricter, with end users and policies than before.

A Virtual Workforce Changes Everything

This remote work scenario means several things for security teams —
from shifting the way they handle day-to-day remote access to
narrowing in on potential insider threats — CISOs and their teams have
to stand their ground by advancing wise business and security
decisions before convenience.

Insider Threats

Some organizations have discovered their own stress test of their
remote access systems, both virtual and even more traditional like
VPN. While they’re licensed appropriately, they’ve figured out that
their hardware can’t keep up, so they have the provision outside of
the VPN and direct access to certain systems in the cloud. This is
where employees may circumvent existing security procedures in order
to access something they need.

When employees are operating under the notion that their activity on
company networks is flying under the radar, organizations can run into
the issue of insider threats, in both proactive and passive scenarios.
Employees may be deviously searching and accessing privileged
information, or they can be letting down safeguards involuntarily,
which can lead them to fall for phishing scams on company devices.
Both types of insider threats are dangerous and will experience spikes
during the months of mandated social distancing.

To use health care as an example, COVID-19 heightened interest in
things such as testing, and vaccine research; mean health care might
be especially susceptible to these malicious threats. If there is
somebody who might be tempted to profiteer from privileged data within
an organization that has let down certain safety measures, things can
go sour quickly. They perceive themselves to be in a position where
they’re not being monitored as closely because they’re physically not
in the office.

On top of that, we know that humans tend to make cloudy judgment calls
during crises or emergency situations. End users might be more
susceptible to follow a spam link to free N95 masks if they are
desperate enough, for instance.

Being a Resource from Afar

The new work setup also impacts how CISOs and their teams relate and
work both as an internal entity and with their organization’s end
users. Even in industries that operate primarily on-prem, there will
be individuals working remotely. In health care, that’s administrative
staff, IT and support people. In these professions, people often
aren’t technically trained or conceptually prepared to work remotely.
So, they need security teams to be accessible. They’ll have questions
like, “Is it safe for me to work from my home computer?” or “How can I
access this resource now that I’m away from the company network?”

Technical personnel will find that they’re called to interact much
more with end users than they have in the past, yet they can’t simply
sit down and coach someone through a problem. Technical teams will
need to strategize how they’ll handle the increase in tickets and
service requests flowing in, even in the face of fewer team members on
call, slower internet speeds or unknowns in process and protocol.
They’ll also need to deliberate methods of staying connected and
communicating amongst each other in order to stay cohesive and
efficient while away from their cohort routines and schedules.

Mitigating the Complications of BYOD

With children out of school and many spouses working from home,
employees will be pulled in many directions. They’ll be distracted
more than ever, which means they’ll likely be tempted to place
convenience over security when it comes to keeping personal and
professional separate. We can all imagine a scenario where an employee
is away from his or her corporate phone but needs to access a network
to review, say, a shared file or an urgent email. Nine times out of
ten, they’ll use whatever device they can get hold of and circumvent
security rules. Over the many weeks these employees are at home, this
might happen several times on multiple personal, shared devices. When
it’s all said and done, this employee may have authorized three or
four unsanctioned devices to access company files. Even after we
return to work, those devices might still have access to company
information. Allowing convenience to trump safety and letting down
walls won’t stay isolated once employees return to work. If a CISO
wouldn’t allow unsanctioned devices to connect to the company network
before, it shouldn’t allow it to happen now.

Keep Security a Constant

It is possible to maintain a healthy security posture through an
emergency. In fact, the current situation could even allow for a
unique learning opportunity for a CISO’s team: how to stay on guard
during any situation.

Monitor Activity

At Kelsey-Seybold, we have different tools in place to monitor
behavior, access rules, generate alerts and evaluate alarms through a
log management system or other intelligent systems like SIEM. Looking
at and evaluating those alerts and evaluating whether there’s
something really going on is a constant process that’s shared across
our security organization. Because we have that technology in place,
we can keep a greater eye on the information being accessed by
employees while they’re at home. In addition, while the majority of
people can connect to the network through VDI or Citrix, we limit
certain activities that can be done from home. For example, employees
can’t print from their local session to a local printer at home. This
can keep us from losing valuable data.

Keep One-on-One Time

In the time of crisis, CISOs must maintain efficiency with inbound
user queries as well as ensure greater communication among security
teams. Use collaboration software to create quick touchpoints,
replicate meetings and quick chats that would have been done in the
office. Employees, especially those that are not as technologically
skilled and unfamiliar with a work-from-home structure, are going to
appreciate having access to experts that can answer questions for them
in real time.

Stand Firm on Existing Policies

With more people attempting to keep patients, customers, and
constituents happy while working from home, they might be tempted to
ignore policies that were in place before. But CISOs need to play the
long game and focus on consistency first. For example, Kelsey-Seybold
has always required a phone interview between IT and a physician that
might want to download our EMR application to their computer. Since
this is such a high-touch process, we want to verify with the
physician that they installed it and talk through any questions. Not
only is this quicker for the physician than filling out a form, but
it’s more trustworthy for our purposes. Even through recent changes in
the day-to-day, we have kept that process in place to protect our
staff and our patients.

When world health and political leaders first began urging the
practice of social distancing, it took quite a bit of persuasion
(nearly pleading) to get people to stay home. Press conference after
press conference convinced most Americans that if they stayed home,
they could save lives. CISOs are in somewhat of a similar role: they
have to talk through the impact an end user can have on the safety of
the entire organization and what each individual’s contribution to
that is. With end users, it’s focusing on security awareness and
education when it comes to phishing threats and personal cybersecurity
practices. At a leadership level, the CISO can inspire healthy
attitudes toward security processes with executives by creating a “not
if, when” narrative.

The world is certainly changing by the day, but security has to stay a
constant. Some businesses lead with expediency and accessibility, but
we believe cybersecurity should remain an issue at the forefront, or
we risk compiling one emergency with another.