Lessons in Information Security: Post COVID-19

Article by Stuart Walsh, Chief Information Security Officer (CISO).

The COVID-19 pandemic has developed into a real and significant threat to a huge number of organisations around the world, forcing them to completely rethink how they operate – both on a day-to-day basis and over the long term.

A recent survey found that 84% of organisations anticipate broader and permanent working from home (WfH) programmes.

With the expectation that WfH will increasingly be accepted as a reality by many organisations in the post-COVID-19 world, there are some valuable lessons relating to information security that can and must be learned in order to avoid the potentially increased risks associated with it.

Some of these increased risks include:

COVID-related Phishing Attempts and Malware Attacks

Cyber criminals have embraced the opportunity that the virus has presented them, with reports of phishing attempts and malware attacks increasing by as much as 30,000% from January to March this year, and the registration of 130,000 new suspicious domains featuring COVID-related keywords.

Business Email Compromise (BEC)/Chief Executive Officer (CEO) Fraud

BEC/CEO fraud is where a threat actor impersonates an organisation’s executives in order to deceive employees into sending money or sensitive information to a fraudulent third party. Mimecast’s global customer threat intelligence data highlights the fact that impersonation fraud increased by 30% in the first 100 days of COVID-19.

Misuse of Devices

Increased use of an organisation’s devices for personal activities when WfH – and, conversely, of personal devices for work activities – further exposes an organisation’s assets.

According to the 2020 COVID-19 State of Remote Work Survey Report, employees are practising poor information security while WfH, with 33% having downloaded a personal application without approval, 36% accessing work applications from personal devices, 45% having shared their work device with their spouse, partner or children, and 17% visiting adult sites on a work device.

Insecure Devices, Technologies and Remote Connections

Insecure devices, technologies and remote connections increase the risk of being affected by malicious or inappropriate actions and the damage they cause.

Implementation of New or Unproven Technologies

Organisations should be wary of rushing to implement new or unproven technologies, such as cloud storage and collaboration tools (which are increasingly being targeted by threat actors), in order to adapt to changes in working practices, as these technologies could compromise their security posture.

Workspace Privacy

When WfH, employees will often have a relaxed sense of security and face numerous distractions that could cause issues with confidentiality and data integrity.

Tripwire’s Remote Work and COVID-19 Cybersecurity Impact Report found that 49% of organisations felt that they were not able to effectively secure employees’ home environments.

Employee Stress

Something that is often overlooked is that increased financial pressures, difficulty finding a work–life balance and concerns about loss of employment can have a negative effect on employees’ health, wellbeing and performance.

They may also be more susceptible to being coerced, persuaded or exploited by competitors into disclosing sensitive information.

The following actions can help reduce, if not entirely prevent, many of these risks:

• Create secure working environments by: implementing a clear desk policy, locking screens, having privacy screens, using webcam covers, using headphones, establishing strong and unique passwords, implementing two-factor authentication (2FA) or multi-factor authentication (MFA), securing Wi-Fi access points, ensuring antivirus and firewall software is up to date, using tried, tested and trusted cloud technologies and collaboration tools, encrypting data at rest, and using a virtual private network (VPN) connection.

• Increase information security awareness training and advice on COVID-related fraud and phishing attacks.

• Take a disciplined approach to using work and personal devices for their given purpose.

• Maintain contact between an organisation’s management and employees, providing updates and reassurances that the situation is being managed.

Unfortunately, many organisations were ill-prepared for the scale and nature of this unprecedented event, as evidenced in the recent Gartner Business Continuity Survey, with just 12% of the 1,500 respondents feeling that their organisation was adequately prepared to deal with the uncertainty that the pandemic presented.

Perhaps even more alarmingly, only 2% of those responding said that they expected their business to be able to continue operating as normal.

Although it is impossible to accurately predict how and when every conceivable scenario will develop, this highlights why establishing a business continuity plan (BCP) that is regularly reviewed, updated and tested can be hugely beneficial when facing even the most unexpected of challenges.

Business continuity planning is the process of establishing methods of prevention and recovery to deal with possible threats to an organisation.

In addition to prevention, the objective is to enable continuous operations before, during and after the execution of disaster recovery. A BCP typically functions in four phases:

1. Prevention

Prevention is built on the principles of identifying, analysing, evaluating and treating risks.

2. Preparedness

Preparedness focuses on analysing the impact of events on an organisation. It helps prioritise key functions, employees, equipment, offerings and activities that could be impacted by a critical incident.

3. Response

Response is a plan detailing the list of steps to take immediately before (if possible), during and after an incident in order to contain, control and minimise impacts.

4. Recovery

Recovery planning is the organisation’s roadmap to minimising disruption and reducing the amount of time it takes to return to business as usual.

A BCP should do the following:

• Detail the purpose and scope of the plan

• Establish objectives

• Detail responsibilities

• Provide guidance on how and when the plan should be implemented

• Identify and prioritise the organisation’s key operations, functions, products and services

• Assess the potential impact that different scenarios could have on the organisation, suppliers, employees and customers

• Detail the actions required to protect the organisation

• Establish contact lists for suppliers, alternative suppliers, employees, customers, interested parties and stakeholders

• Be regularly reviewed, updated and tested.

The BCP must be published in a location that is available to all employees, especially those directly involved in its implementation, and it should be available in all appropriate formats (digital, hard copy, etc.).

A BCP enables an organisation to manage an incident and minimise the disruption to itself and its customers; it can reduce or even avoid loss of revenue.

It also demonstrates that an organisation has the foresight and capability to handle a crisis, providing trust, confidence and a potential advantage over competitors.