[Posted on Behalf of Pushkal Mishra, AVP IT & CISO HDFC ERGO Health Insurance Ltd.]
While the world is battling COVID-19, information security professionals have a double duty:
1. Take all the precautions to keep the coronavirus away on the personal front
2. Manage the IT risks that come with facilitating Work From Home (WFH) for the organizations they work for
Let’s focus on point No. 2 here. With COVID-19, organizations have reached an inflection point where things have changed dramatically to facilitate this “new normal” of WFH. Standardized office perimeters have disappeared and now anyone can connect from anywhere. The pandemic has struck organizations around the world like a perfect storm, and the onus is on IT to enable the business during the lockdown and provide the tools and technologies needed to work from home.
Most organizations were never designed to go mainstream that way. Consequently, there was a tsunami of things to be taken care of, at times at the cost of security. As a result, attackers are now exploiting those loopholes to their advantage. We’ve already seen plenty of unwanted security incidents across the board.
Through this article, I would like to bring your attention to some of the things that can be done to control the IT risks of working from home. You can view them in terms of short-term and long-term focus.

Short term (within 3 months):
First of all, conduct a security risk assessment of the remote IT infrastructure, including VPN (Virtual Private Network), VDI (Virtual Desktop Infrastructure), Terminal Services, public-facing applications, and cloud workloads, as these are some of your entry points. You need to reassess your risks because the pandemic has changed the context. For example, organizations in the pre-COVID-19 era considered VPN a DR measure to support the business in case primary connectivity (or the office premises) went down, but the tables have turned: VPN is now the primary mode of connectivity and has taken precedence over the standardized office-cubicle way of working. Remote IT infrastructure has therefore climbed the organization’s asset criticality matrix, which means it will now have more aggressive recovery objectives and SLAs than before, and it will also be the primary point of attack.
Seriously consider phishing risk, as there has been an upsurge in the number of phishing emails taking advantage of people’s anxieties during this pandemic. Many potentially dangerous domains have been created for phishing campaigns. Educate your users in an engaging way; try internal phishing simulations, as people learn better that way than from educational emailers. While you are at it, also educate users on home WiFi and mobile security.
Initiate vulnerability assessment and penetration testing of your critical applications in both black-box and grey-box mode.
Check your brand reputation across cyberspace for potential business risks: dark web threats, brand infringement/intellectual property leaks, rogue applications, fake campaigns/scams, PII data exposures, etc.

Long term (6 months or beyond):
Review your data loss prevention program and associated technologies. Think this through from the perspective of unmanaged endpoints accessing the managed network, and reorient it to suit the current situation.
Review your security incident and event management program and associated technologies. Add use-cases that are pertinent to today’s context (e.g. more use-cases on VPN if that is your primary mode of corporate connectivity).
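As an added illustration of what a VPN-focused use-case can look like, here is a small Python script (example code written for this article, not from the original post or from any particular SIEM product) that runs two detections over constructed VPN log lines: a burst of failed logins for one account within a short window, and one account authenticating successfully from two different countries within a window too short to travel between them. The key=value log format, the field names, the thresholds and the country values are all assumptions made for the example; map them to the schema your VPN concentrator actually emits.

```python
"""
Added example (not from the original article): two SIEM-style detection
use-cases for VPN logs, run over constructed sample events.

Use-case 1: burst of failed VPN logins for one user within a short window
            (possible password guessing or credential stuffing).
Use-case 2: one account authenticating successfully from two different
            source countries within a window too short to travel
            ("impossible travel"), a common sign of a stolen credential.

Log format, field names, thresholds and country values are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN log lines (the key=value syslog-like format is assumed)
SAMPLE_LOGS = """\
2020-04-06T08:00:01Z user=alice src=203.0.113.10 country=IN result=success
2020-04-06T08:01:10Z user=bob src=198.51.100.7 country=IN result=failure
2020-04-06T08:01:15Z user=bob src=198.51.100.7 country=IN result=failure
2020-04-06T08:01:20Z user=bob src=198.51.100.7 country=IN result=failure
2020-04-06T08:01:25Z user=bob src=198.51.100.7 country=IN result=failure
2020-04-06T08:01:30Z user=bob src=198.51.100.7 country=IN result=failure
2020-04-06T08:01:35Z user=bob src=198.51.100.7 country=IN result=failure
2020-04-06T08:30:00Z user=alice src=192.0.2.55 country=DE result=success
2020-04-06T09:00:00Z user=carol src=203.0.113.44 country=IN result=success
"""

FAILED_LOGIN_THRESHOLD = 5                     # failures per user ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)     # ... within this window
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)  # two countries inside this window


def parse_vpn_logs(text):
    """Parse the key=value log lines into dicts, with 'ts' as a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_failed_login_bursts(events, threshold=FAILED_LOGIN_THRESHOLD,
                               window=FAILED_LOGIN_WINDOW):
    """Use-case 1: users whose failed logins reach `threshold` inside `window`.
    Returns a list of (user, first_failure_ts, count)."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["user"]].append(e["ts"])
    alerts = []
    for user, stamps in failures.items():
        start = 0  # sliding window over the user's sorted failure timestamps
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, stamps[start], end - start + 1))
                break  # one alert per user is enough for this example
    return alerts


def detect_impossible_travel(events, window=IMPOSSIBLE_TRAVEL_WINDOW):
    """Use-case 2: successful logins by one user from two different countries
    within `window`. Returns a list of (user, country_a, country_b, delta)."""
    last_success = {}  # user -> (ts, country) of the most recent success
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        user, country = e["user"], e["country"]
        if user in last_success:
            prev_ts, prev_country = last_success[user]
            if prev_country != country and e["ts"] - prev_ts <= window:
                alerts.append((user, prev_country, country, e["ts"] - prev_ts))
        last_success[user] = (e["ts"], country)
    return alerts


def run_vpn_use_cases(text=SAMPLE_LOGS):
    """Run both use-cases over a log text and return the alerts by name."""
    events = parse_vpn_logs(text)
    return {
        "failed_login_bursts": detect_failed_login_bursts(events),
        "impossible_travel": detect_impossible_travel(events),
    }


if __name__ == "__main__":
    for name, alerts in run_vpn_use_cases().items():
        print(name, alerts)
```

On the constructed sample this raises one alert per use-case: the six failures for `bob` inside five minutes, and `alice` succeeding from IN and then DE about thirty minutes apart; `carol` produces nothing. In a real SIEM the thresholds would be tuned per organization and the impossible-travel check would use a geolocation source and a distance/time model rather than a plain country comparison.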
Develop capability for endpoint incident detection and response, as we are living in times where perimeters are fading fast and traditional corporate endpoints are now “internet endpoints”. These endpoints may be subject to a variety of security issues owing to software vulnerabilities, configuration issues, backdoors, etc., and can eventually lead to disruption of services. So isolation, containment and recovery capabilities at the endpoint can be a good strategy.
Strengthen your business continuity management program, as it is now needed more than ever before.
By no means is this an exhaustive list. You can add to it as per your risk management program (ZeroTrust/SASE, data-centric security, etc.), but these are a few good points to begin with.