In my previous blog post, I promised more guidance on the next steps to consider taking now, while the pandemic is still upon us. Here are eight actions CISOs should consider taking.
This first piece of guidance should not be anything new, though the attackers continue to up their game and use the fear, uncertainty, and doubt of the pandemic for leverage. The advice is to focus significant operational, training, and policy resources on stopping email and social threats (phishing, vishing, smishing, and business email compromise), remote access threats (brute force, man in the middle, password sprays, and credential theft), and ransomware (awareness and education via continuous testing and simulations).
Gartner and CSO Magazine report that COVID-19-based phishing attempts are up 667% since the end of March. Further, social engineering to bring about ransomware-based compromises for remote workers has increased by 47% over the course of the pandemic. Clearly, phishing emails remain the top vector. Ransomware is being combined with a newer breed of extortion: the confiscation of records with the threat to expose them on the internet. This indicates a level of sophistication and contemplation that is typically shown by “nation-staters” (i.e., adversarial government-sponsored attackers) rather than the opportunistic sorts looking for a quick payday.
Know that these expert cyber-criminals are now capitalizing on the opportunity presented by the pandemic with phishing campaigns: emails that invite employees to click links to malicious software purportedly describing health safety measures. Your employees may also be misled by emails that appear to come from their own IT department and request credentials.
Tip: Create an alias account for your IT department and inform employees that any IT communication will only come from that account. Show them an example of how to locate the full domain name and the mailbox owner, so employees can verify sender authenticity.
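To make the tip above concrete, here is an added example (not code from the original post or from ConvergeOne) of the check an employee, or a mail filter, can perform: pull the display name, mailbox owner and full domain out of the From header and compare the full address against the one announced IT alias. The alias `it-helpdesk@example.com` and the two messages are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Hypothetical alias the IT department announced as its only sending mailbox.
IT_ALIAS = "it-helpdesk@example.com"

# Constructed sample messages. The first is the genuine alias; the second keeps the same
# display name but the mailbox sits on a lookalike domain, a typical credential-phishing tell.
LEGIT_MESSAGE = (
    "From: IT Helpdesk <it-helpdesk@example.com>\r\n"
    "To: employee@example.com\r\n"
    "Subject: VPN client update\r\n\r\n"
    "Please install the update from the internal software portal.\r\n"
)
SPOOFED_MESSAGE = (
    "From: IT Helpdesk <it-helpdesk@example-com.net>\r\n"
    "To: employee@example.com\r\n"
    "Subject: Urgent: confirm your password\r\n\r\n"
    "Re-enter your password at the link below within 24 hours.\r\n"
)


def sender_details(raw_message: str) -> dict:
    """Split the From header into display name, full address, mailbox owner and domain."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    local_part, _, domain = address.rpartition("@")
    return {
        "display_name": display_name,
        "address": address.lower(),
        "mailbox_owner": local_part.lower(),   # the part before the @
        "domain": domain.lower(),              # the full domain after the @
    }


def check_it_sender(raw_message: str) -> str:
    """Return "trusted" only for the exact IT alias; otherwise explain what does not match."""
    details = sender_details(raw_message)
    if details["address"] == IT_ALIAS.lower():
        return "trusted"
    expected_domain = IT_ALIAS.rsplit("@", 1)[1].lower()
    if details["domain"] != expected_domain:
        # Display name can say anything; the domain is what identifies the sender.
        return (f"untrusted: display name '{details['display_name']}' but domain "
                f"'{details['domain']}' is not '{expected_domain}'")
    return (f"untrusted: domain matches but mailbox owner '{details['mailbox_owner']}' "
            f"is not the IT alias")


if __name__ == "__main__":
    for label, message in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(f"{label}: {check_it_sender(message)}")
```

The comparison is on the full address rather than the display name because the display name is free text under the sender's control; the same logic can be applied to any other announced mailbox (HR, payroll) by changing the alias constant.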
It pains me to say this because it is foundational in nature, but please make sure you have a written remote worker policy that indicates what is permissible for your employees. Mention sensitive data in it. Indicate that even family members should not have access or visibility to Personally Identifiable Information (PII) or electronic Protected Health Information (ePHI). Offer working from a distinct and private area of the household as an additional guideline, but do not make it part of the policy: it cannot be enforced, and policy statements should appear only if they can be enforced with consequence management.
This next piece of advice is very important: Reach out to whoever handles risk and insurance in your organization, and demand to see your cyber-insurance policy. Maybe you are already familiar with it and know what exclusions or exceptions exist in it. You should look for a few key elements:
I’ve already mentioned policies. Know this: You need to review each of your existing policies and do one of three things:
Many companies quickly moved to the cloud in early and mid-March. There are free cloud-based services and there are commercial cloud-based services. However, free services are not free. If you're using a free service to run a business of any size, you are putting your customers, your employees, and your critical intellectual property at risk. If you're going to use the cloud for business, you must pay the money and use commercial services. If you have any free cloud-based services, switch them to commercial as soon as possible. Inventory all the cloud-based services, make sure you understand the exposures and risks, and implement the appropriate commercial grade that has security and proper monitoring built in.
There are very good tools for assessing and evaluating your cloud-based cybersecurity. Others vary in effectiveness or do not work at all. Know this going in and contact organizations who know this landscape. We know it well at ConvergeOne and supply insight and recommendations to customers who are making this transition so that they do not introduce risk to their organization.
As the head of cybersecurity, you must show resolve in evaluating the perception of risk management in your organization by doing the following:
Doing these four things will transform the perception of your security team. You will go from being seen as a necessary IT function to being a business-enabling component.
We live in vastly changing times. Individuals and organizations have scrambled to remain productive while working remotely. New tools have been introduced for communicating and sharing information while off the company network. Your IT teams have delivered, providing what was necessary with what was available.
Now, security leaders, the dust has settled and it is a good time to review your security posture, knowing that remote work introduces security concerns different from on-premises concerns. Know that your employees may have turned to a wide variety of publicly available online applications.
ConvergeOne is here to help with everything from understanding how to monitor network security with such a large footprint to assessing your risk of data breach or potentially violating privacy legislation and all domains that sit in-between. We can be your virtual CISO, DPO, or your information security management office.
There is much more to discuss, but I leave you with this: You are accountable as a CISO or head of security/security operations. Of that, there is no doubt. Failure to do your function well can result in an existential disaster for your firm. Cybersecurity and privacy are as much an art as they are a science, so everything rests on this question: Am I prepared to recover, and do I have the resilience to run my operation properly in the face of a major cyber event?
Recovery is the key to success. Stay safe, stay well, and stay secure.
The ConvergeOne Ransomware Readiness Workshop focuses on your organization’s readiness to withstand a ransomware attack. During this workshop, ConvergeOne experts will analyze your environment in areas like user awareness training, network security and segmentation, testing and monitoring, incident response plans, and disaster recovery.
Schedule your complimentary Ransomware Readiness Workshop today.