From a cyber security standpoint, the move back to a work setting for employees should not be the challenge that moving to “work from home” may have been for many organizations. Network security in the workspace is already in place, and employees are quite familiar and at ease working in the work environment.
By now, businesses should have already addressed issues of remote access, the use of multifactor authentication and virtual private networks (VPNs). But in the wake of COVID-19, as businesses return to the workplace, organizations should take some lessons from the COVID-19 pandemic. We recommend they use this information to shore up potential weak spots in their cyber security program’s incident response plan.
The greatest lesson to take away from the pandemic has to do with preparedness. What has been witnessed over the last three months is crisis response, on a global level, taken to its extreme. Every business and local, county and state government, and even individuals were forced into some form of crisis management. Some were able to respond better than others.
“Something like this will never happen”
One of the reasons that many were not prepared for the pandemic and did not respond well was because they believed that “something like this will never happen.” It’s a phrase that is heard often by those in the cyber security industry. Organizations often rationalize they are able to live with less than optimal cyber security because they feel they are too small to attract hackers, or they don’t have anything that anyone would want to steal. We know now that "something like this" can happen, and the results can be catastrophic.
Additionally, an organization does not have to possess something that a hacker wants to steal, to be a desirable target. All it has to possess is an opening; some vulnerability that allows a bad guy entry to exploit the opportunity to interrupt business and maybe even demand a ransom.
See also: How to Fight Rise in Cyber Criminals
Lessons from the COVID-19 pandemic
As businesses begin to return to workplace operations, now is a great time for them to reevaluate their approach to cyber security as a whole, and cyber resilience in particular, while drawing some comparisons to what the world has experienced in the pandemic.
1. Identify assets
Using the National Institute of Standards and Technology (NIST) Cyber Security Framework as a guide, consider the first risk category of IDENTIFY. The first objective of cyber security is for an organization to understand its assets. A business must ask itself, “What do we have that needs to be protected? What are our high-value/high-criticality assets? What are the risks and vulnerabilities associated with those assets? Where are those assets located? Are they on the cloud? On the premises? Do we have all of our assets accounted for in an inventory? Do we verify that inventory regularly?”
When the pandemic hit, many entities found themselves without a full understanding of the assets they possessed and what they still needed. Assets including hospital beds, ventilators, usable test kits and procedures and personal protective equipment. In many cases, the result was a scramble over a long period to acquire the necessary assets.
2. Protect assets
Following the NIST framework, once assets have been identified, and risks assessed and ranked for criticality, what protective controls are in place to protect those assets? In the towns, cities and states that we live in, there are healthcare systems, networks of healthcare providers, nursing homes, pharmacies and other components all geared to providing protection to our countries’ most valuable assets: people.
What about in the business community? Are businesses providing their most critical assets, such as data, hardware, software and even business processes, with the protections aligned with their importance? Do these businesses segment their critical assets or encrypt critical data? Do they educate their employees about cyber security and the roles they play in maintaining it? Do they provide their employees with the proper amount of access to IT assets?
3. Detect the problem
The third risk category in the NIST framework is DETECT. How can businesses know when something bad might be happening? How do businesses monitor for indicators of compromise within their networks? In the pandemic, the World Health Organization has been acting as a parallel to a managed security services provider (MSSP) or a security operations center (SOC) for the network of countries around the world. The job is to detect the initial outbreak and alert the rest of the world to the danger.
4. Respond to the crisis
Each business needs to assess its ability to detect potentially malicious activity in corporate networks. Is each organization engaging a third-party MSSP? Is it performing up to expectations? If a business is doing its own monitoring, is that monitoring complete and effective? Is the business monitoring the most valuable or risky assets closely enough? Is it processing all the right information? Does the business even know what malicious behavior looks like or how to find it?
5. Find a path to recovery
With these steps developed, businesses can finally consider what response and recovery will look like. NIST suggests considering how to handle response and recovery in our networks compared with how the various government agencies have handled theirs.
See also: 10 Tips for Moving Online in COVID World
First, businesses should have a documented incident response plan for their networks and should make sure it has been reviewed recently for adequacy. The incident response plan needs to clearly define roles and responsibilities for all participants. It needs to include procedures for identification, containment, eradication, recovery and lessons learned. The plan should also state how the business will communicate information about the incident to internal and external audiences. In developing the incident response plan, it is key for businesses to line up and perhaps even contract with third parties for technical response services that they don’t have in-house.
Businesses also should make sure their incident response plan is designed to consider a “black swan” event, which is an unexpected, catastrophic event that forces a complete shutdown of a company’s network and its services. As rare as black swan events may be, they do occur. Many remember the first outbreak of ransomware just a few years ago and how it caused the complete shutdown of some global networks. Even some companies with what might be considered very good cyber security were severely hurt. Why? Because they did not contemplate such an event and therefore did not build their response plan for effectiveness against a black swan event. The development of an incident response plan is not complete until it contemplates and prepares for such a rare and devastating event.
Finally, with respect to response and recovery, testing plans is incredibly important. Plans that are in place, but have not been tested for several years, are likely to be missing some details that will limit their usefulness when it really counts – in a cyber event. Businesses that test their plans regularly – minimally once per year – and update the plan based on lessons learned from both tests and actual events will have experiences in actual cyber events that are probably much less painful than if they did not plan and test the plan regularly.
The COVID-19 pandemic of 2020 is real – it’s not a test – and the lessons learned from the event are substantial and painful. The phrase “Never let a good crisis go to waste” has been repeated in a cynical manner many times, but it does have value in the context of current events. City, state and federal governments will certainly be revisiting their pandemic crisis management policies and procedures in the near term. It’s also a good time to revisit cyber risk management and incident response procedures.
Visit Zurich’s COVID-19 Resource Hub for more information.