A shift in working patterns implies a changed information risk landscape
In a post COVID-19 crisis world, it is obvious that a significant number of employees who used to work from the office will telework more frequently. It has largely proven feasible during the crisis. However, companies have to adapt. The good thing is that they will probably spend less on facilities. But they will have to spend more on remote-work IT and security capabilities.
Teleworking, also known as telecommuting, means working remotely, usually from home. The teleworker uses communication tools to remain in touch with his/her supervisor, colleagues, clients, partners…, and uses various remote-work IT capabilities to carry out duties.
The COVID-19 crisis has forced an unprecedented worldwide increase in teleworking. The consequence was a significant strain on the organization’s communication infrastructure: VPN capacity, VoIP capacity, audio/video conference (e.g Zoom, Webex, ..) and collaboration (e.g MS Teams, slack, …) capacities/capabilities.
However, having at least some employees working remotely is not new. The shift away from traditional network perimeter security began years ago, thanks to cloud solutions, easy to deploy and to manage, and enabling swift responses to business demands. So even before the pandemic, organizations had to figure out ways to manage the security of their businesses considering such things as untrusted networks, unmanaged computers, partially outsourcing their business operations and their security, coping with data privacy laws and security standards…
So actually, the COVID-19 has not forced new working patterns, but it has dramatically accelerated 2 existing trends: Work-From-Home and reliance on Cloud Services.
COVID-19 Risks Outlook, A Preliminary Mapping and Its Implications
Source: World Economic Forum
According to a survey from the World Economic Forum (WEF) published in May 2020, “Cyberattacks and data fraud due to a sustained shift in working patterns” rank third among the greatest COVID-related business concerns.
Indeed, more Work-From-Home ”increases the attack surface exponentially and multiplies vectors for cyberattacks through the heightened dependency on personal devices and residential networks” says the WEF, especially considering that ”Social engineering tactics remain very effective on a workforce that is distracted and vulnerable”.
In addition, more Cloud Services implies risk of unauthorized access to customer, business or Personally Identifiable Information (PII), compliance or legal risks, risks related to lack of control, or even availability risks.
Fully mitigating these information risks may require a fundamental change in the way your organization manages Cybersecurity, and major efforts to achieve total Cyber Resilience, fully secured critical capabilities and services, with each and every business initiatives balanced by risk-informed decisions.
Nevertheless, on the way to better Cybersecurity management, here are a few areas that you might want to (re)visit.
Work you Resilience Plans
With the general lockdown due to the COVID-19 crisis, some organizations (and sometimes some employees on their own) have decided to go in a rush for the eye-candy off-the-shelf Zoom videoconferencing solution to support their internal and external communications. Unfortunately, the popularity of Zoom led to increased cyber risks such as the theft of 500,000 Zoom user credentials stolen and sold on the dark web. To avoid the recurrence of such threats, it is time to revise your Business Continuity Plan (BCP) and make amendments to its operating procedures for remote workers, in order to specify when and how to use company-approved communication and collaboration platforms.
In addition, your BCP should also carefully prepare for managing a crisis such as a pandemic, with a detailed plan of what goal your organization is going to achieve. The plan should cover all major aspects of the organization such as your critical business services, your main support processes, your technical and human resources, criticalities and priorities, clearly assigned roles and responsibilities, and key contacts with authorities and legal experts.
In order to ensure the effectiveness and efficiency of the resilience plans, the organization should continuously test and improve incident response, disaster recovery, crisis management as well as overall business continuity.
Enhance your Identity and Access Management (IAM)
One of the main goal of cloud-based environments is that they are going to provide access to applications anywhere, anytime and on any device. So the only barrier between the end user and the application is the identity of the user (try googling “Identity is the new perimeter”), hence the necessity to implement a strong IAM:
- Ensure that you Access Control policy and processes fully take into account cloud platforms;
- Don’t use built-in privileged accounts in order to preserve maximum traceability;
- Define and implement an approach to restrict access to authorized users. Several models exist such as Mandatory Access Control (MAC) or Discretionary Access Control (DAC). You might opt for a Role Based Access Control (RBAC) model where roles bear access privileges, not individuals. Roles are assigned to individuals. This will make it a lot easier to understand and manage actual user permissions;
- Automate user provisioning and de-provisioning based on the least privilege principle (i.e access as per business needs);
- Review and recertify access on a regular basis
- Leverage cloud provider tools and existing cloud service roles / profiles, and map those to your RBAC roles;
- Centralize identity management using a provider that can integrate cloud, SaaS, and on-premise applications;
- Implement Single Sign-On (SSO) and strong authentication so that you can make access decisions based on multiple factors, including such things as the current security state of the user’s device;
- Monitor users’ behavior. This can be done by so-called Cloud Access Security Brokers or CASBs. They usually sit between the user and the cloud applications, and provide security functionalities such as anomaly detection, threat detection, DLP and encryption.
Train your users
In addition to social engineering, phishing/SMiShing/vishing, passwords, public WIFIs and USB keys,… Cloud and Work-From-Home should be topics at the agenda of your information security awareness training.
Regarding the use of cloud services, even though many people may have heard of, and may even use on a daily basis such services as Google Drive or Dropbox, Spotify or Deezer, it’s likely that many people have no idea what the cloud is, and certainly have no clue of what risks it involves. Is cloud allowed at all? Which cloud services? For what business purposes? Access from professional or private devices? Using professional or private account/email? What data may be processed or shared? With whom?
Regarding Work-From-Home, your user base may be a mix of regular and green remote users. So it is important to clearly establish how to securely use services and software, how to log in and out of the audio and video conferencing system, how to securely and efficiently make use of your collaboration platform, how to access internal resources, whom and how to contact in case of security incidents or suspicion of…
Strengthen your endpoints
Work-From-Home has led to a rise in the use of personal devices for business operations. Processing sensitive data and business documents on unsecured devices could result in data leaks or even data loss. If that is not the case already, your organization should issue remote workers with dedicated laptops. In addition to centralized management and configuration in accordance with the information security policy through a Mobile Device Management (MDM) solution, endpoints should be adequately protected. Several solutions exist, ranging from typical anti-malware software through to more advanced Endpoint Detection and Response (EDR) solutions, focused on threat detection, response and unified monitoring.
Improve your Cyber Hygiene
Cyber hygiene refers to all the actions and practices taken by organizations and users in order to maintain the health of their systems, devices, and improve online security. An effective and consistent implementation of strong cyber hygiene would have mitigated most cyberattacks over the last decade, including those perpetrated during the COVID-19 crisis. Indeed, exploiting known vulnerabilities on servers, applications or endpoint devices are among the most common ways to undertake a cyberattack.
Maintaining an inventory of all digital assets starting with the critical ones, and establishing an effective vulnerability management strategy is essential in protecting critical systems against cyber threats.
One step further: a global Cybersecurity focused assessment
These areas will definitely need attention in the near future, but your organization may want to go one step further and perform a global Cybersecurity focused assessment.
If your organization seeks to assess its security posture with regards to laws and regulation (e.g GDPR, CSSF) or with regards to security standards (ISO 27001, PCI DSS), then a maturity-based assessment is the best way to proceed. It focuses on achieving a specific maturity level in order to match the defined requirements, and consists in designing and implementing the appropriate security capabilities and controls.
Although this achieves the intended purpose, it kind of misses an important goal: measuring and managing the company’s Cyber risks. In order to do so, your organization should opt for a risk-based assessment. As the name implies, its primary purpose is to reduce risks. It provides the organization with insight regarding actual enterprise risks, with ways to prioritize investments and with cost-effective risk reduction action plans.
So which kind of assessment to choose really depends on your organization’s actual Cybersecurity objectives.
The challenges of Work-From-Home and Cloud Services are not going to disappear. There are Compliance challenges (e.g business and private data protection, Bring Your Own Device (BYOD), outsourcing to cloud service providers, …). And there are cybercrime challenges (e.g inexperience with remote working, crime and fraud are going to increase dramatically in the upcoming economic recession, …). Both should be considered in your Cybersecurity program. Therefore, the recommended approach is to build your Cybersecurity program on a both maturity-based and a risk-based assessment.
Written by Sébastien Wagner – CISO at Excellium Services