5 steps to building an effective disaster preparedness plan

Disasters come in many forms, but they all create disruptions in the workforce, networks and partner ecosystem. Here's how CISOs can prepare security teams for the next one.


In recent weeks, organizations around the world have had to quickly get up to speed on how to handle unforeseen events. The coronavirus pandemic has affected virtually every aspect of life and has forced many businesses to change their basic operations in ways few could have predicted.

This has been a lesson in the need for disaster preparedness. It can also serve as a teaching moment for improving preparedness plans, both on the ground now and for the future.

Building a security preparedness plan

When a crisis such as a pandemic or hurricane hits, CISOs and other security leaders need to consider these factors when helping to create and execute a preparedness plan.

1. Disruption from reduced staff

A crisis such as the current one can lead to a reduction in IT and security staff because of people's inability to get to work for various reasons. One short-term solution is to tap outside help such as a managed security service provider until things get back to normal, so being prepared to engage third parties when the need arises should be part of the plan.

Help can also come from within. “A new pandemic situation creates challenges with employees or contractors not being able to work in normal working conditions,” says Selim Aissi, senior vice president and CISO at Ellie Mae, a software company that processes mortgage applications.

“Also, some of the employees may not be able to do any work because of illness, family conditions, transportation, or plainly not being able to work remotely because of some technology challenges,” Aissi says, adding that the CISO’s disaster task force should identify and prepare for all possible scenarios to prevent business interruption.

Such a task force should be in place as part of the company’s overall cyber resiliency program, which should also include disaster recovery, business continuity and crisis management, Aissi says. “The task force should already have been meeting, discussing their plan, testing against that plan, and updating the senior management of the company way before this specific pandemic crisis,” he says.

2. Need to secure remote workers

Suddenly, countless more people are working from remote sites such as home offices. They all need to have secure access to networks and data.

Keep in mind that remote work might be the new normal, not only for the security team but for peers and business partners, says Drew Osborne, a former CISO and now an independent security consultant. CISOs should review controls and aggressively monitor remote access tools, Osborne says. They should also implement a review of usage behavior, if they have not already, and monitor it closely. Remote access is probably a good candidate for any available capacity IT might have in reserve, he says.

Adversaries, including hackers and organized cyber criminals, take advantage of disasters because people tend to react to their lures when they are working remotely under new conditions, and because humans tend to react to urgent requests, Aissi says.

“We have seen a huge increase in COVID-19 themed malware attacks, phishing attacks and even ransomware,” Aissi says. CISOs need to ensure that all network connections remote employees use are secured, that access to company networks requires multi-factor authentication, and that monitoring of remote network connections is increased.
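Monitoring remote connections in practice means looking for the signals named above: sessions that were not protected by multi-factor authentication, and usage that departs from what a user normally does. The following is an added example and is not code from the article or from any of the people quoted in it. The log format, the field names, the per-user "normal country" baseline, and the thresholds are all assumptions made here for illustration; a real deployment would parse the VPN concentrator's own export format and derive the baseline from historical data.

```python
"""Flag risky remote-access logins in VPN authentication logs.

Added example, not from the original article. The key=value log format,
the field names, the BASELINE dictionary and the thresholds below are
assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: ISO timestamp then key=value pairs).
SAMPLE_LOG = """\
2020-03-23T08:01:10Z user=alice src=203.0.113.5 country=US mfa=yes result=success
2020-03-23T08:03:42Z user=bob src=198.51.100.7 country=US mfa=no result=success
2020-03-23T08:05:00Z user=alice src=192.0.2.44 country=RO mfa=yes result=success
2020-03-23T08:10:15Z user=carol src=198.51.100.9 country=GB mfa=yes result=failure
2020-03-23T08:10:20Z user=carol src=198.51.100.9 country=GB mfa=yes result=failure
2020-03-23T08:10:25Z user=carol src=198.51.100.9 country=GB mfa=yes result=failure
2020-03-23T08:10:30Z user=carol src=198.51.100.9 country=GB mfa=yes result=failure
2020-03-23T08:10:35Z user=carol src=198.51.100.9 country=GB mfa=yes result=failure
2020-03-23T08:10:40Z user=carol src=198.51.100.9 country=GB mfa=yes result=success
2020-03-23T09:30:00Z user=dave src=203.0.113.77 country=US mfa=yes result=success
"""

# Assumed baseline: the countries each user has historically connected from.
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"GB"}, "dave": {"US"}}


def parse_line(line):
    """Turn one log line into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_alerts(events, baseline, travel_window=timedelta(hours=1),
                fail_threshold=5, fail_window=timedelta(minutes=2)):
    """Return (user, reason, timestamp) tuples for logins worth a look.

    Checks: success without MFA, success from a country outside the user's
    baseline, two successes from different countries inside travel_window,
    fail_threshold failures inside fail_window, and a success right after
    such a burst of failures.
    """
    alerts = []
    last_ok = {}                 # user -> (timestamp, country) of last success
    fails = defaultdict(list)    # user -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        # Keep only the failures still inside the sliding window.
        fails[user] = [t for t in fails[user] if ts - t <= fail_window]
        if ev["result"] != "success":
            fails[user].append(ts)
            if len(fails[user]) == fail_threshold:   # fire once per burst
                alerts.append((user, "repeated_failures", ts))
            continue
        if fails[user] and len(fails[user]) >= fail_threshold:
            alerts.append((user, "success_after_failures", ts))
            fails[user] = []
        if ev.get("mfa") != "yes":
            alerts.append((user, "no_mfa", ts))
        if ev["country"] not in baseline.get(user, set()):
            alerts.append((user, "new_country:" + ev["country"], ts))
        prev = last_ok.get(user)
        if prev and prev[1] != ev["country"] and ts - prev[0] <= travel_window:
            alerts.append((user, "impossible_travel:%s->%s" % (prev[1], ev["country"]), ts))
        last_ok[user] = (ts, ev["country"])
    return alerts


if __name__ == "__main__":
    for user, reason, ts in find_alerts(parse_log(SAMPLE_LOG), BASELINE):
        print(ts.isoformat(), user, reason)
```

Run against the constructed sample, this flags bob's MFA-less login, alice's login from a country outside her baseline that also arrives too soon after her US login, and carol's burst of failures followed by a success; dave's routine login produces nothing. The "new country" check is only as good as the baseline, which is exactly why the text recommends building behavioural review before a crisis forces everyone onto remote access at once.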

3. Need to secure new systems

Organizations will need to secure any new online and internal systems and services brought in to address the crisis. They could bring on new services, applications or third parties to meet emergency needs, Osborne says. The security team should expect to be called on to provide security controls, perhaps with reduced staff. Prioritization and efficiency are key.

Security’s role should be not so much to enforce rules, but to provide secure solutions. This is especially true in a crisis, Osborne says. Prioritize efforts where the organization has the greatest risk, the most critical applications, and the most sensitive data.

4. Vulnerabilities that might emerge among partners or suppliers

Organizations need to be aware of what’s happening with their key business partners such as suppliers. Given this, part of the preparedness plan should address communication and collaboration with partners.

“It is critical that the company requests information about pandemic-readiness from all of its critical vendors,” Aissi says. “Typically, the classification of such critical vendors is done by a dedicated third-party risk management program/team in the CISO’s organization.”

The plan should also cover how to deal with customers. “Customers should be informed about the level of readiness of the business against any potential disruption caused by the pandemic situation,” Aissi says.

5. Need to update training programs

Organizations might need to make changes in their security awareness training programs, due to phishers leveraging the crisis, for example. Consider a focused campaign on crisis-related security concerns, such as phishing attacks masquerading as crisis-sensitive communication, Osborne says.

Reconciling gaps

Organizations will undoubtedly notice gaps between the crises they have planned for and the one they are experiencing today, Osborne says. It’s a good idea to keep a journal or otherwise document everything the enterprise needs to improve on between now and the next crisis.

Good communication between security and the lines of business is key. “CISOs need to stay in close contact with business personnel at all levels of the business to understand how the crisis is affecting systems and people,” says Amy Worley, a managing partner with Berkeley Research Group.

“Are communications networks responding as expected or are they slow or unstable?” Worley says. “Be prepared for ‘bad guys’ to exploit a crisis, and make sure the business is ready for cyber attacks such as denial of service or crisis-related phishing scams.”

CISOs will want to continue to educate executives about these risks and how to mitigate them, even as senior leaders may be focused on their immediate revenue concerns, Worley says. “Work with internal communications teams to make sure employees understand how to use security-enhancing technologies like VPN connections and two-factor authentication, while working remotely,” Worley says. “With people moving quickly to maintain business processes, coworkers may forget about or deprioritize privacy and security—unless they are reminded about it in the crisis communications.”

Preparing for the future

Security leaders and teams can use a crisis as a learning experience so they can be better prepared in the future. “Learnings could be about providing better communication, enabling the necessary tools for remote employees, or simply dealing with employees getting infected,” Aissi says. “It is always a good practice to perform a ‘lessons-learned’ exercise after a pandemic. The learnings should be openly discussed, documented, and tracked.”

The opportunity in a crisis “is to learn what works and what doesn’t in your crisis plan,” Worley says. “Note what goes well and what needs improvement as the crisis unfolds. Did you need more bandwidth to support so many virtual meetings? Were too many employees without laptops or docking stations? Were there successful phishing attempts?”

Security executives should make it a point to get input from other stakeholders about their experience. “Once things are back to business as usual, take the documentation and turn it into executive education about ongoing crisis mitigation needs,” Worley says.

Copyright © 2020 IDG Communications, Inc.
