With COVID-19 now revving its engine, I suspect that many of you are reading this article from the kitchen table, perhaps still in your pajamas. But even before the present global virus situation, this casual teleworking image was pretty familiar for many job functions. I mean – let’s be honest: Checking email is checking email – regardless of whether this mindless task is done on the corporate LAN or across your home broadband.
But when an entire company decides to collectively embrace telework at the same time, over an extended period of time, the result is that business processes must change. And whether a given change is good or bad is perhaps beside the point (although most required changes to accommodate virtual work are good). Rather, I choose to emphasize that as a result of COVID-19, some business processes will necessarily change. This is unavoidable.
Which brings me to cyber security. Now, it’s difficult to make general statements about our proud discipline of protecting enterprise that will apply in all instances, but here is one you can take to the bank: Business change creates seams between people, processes, and technology that can be exploited. This is universally true, regardless of how well any business change is managed. The goal is thus to minimize the size and duration of seams.
COVID-19 is especially dangerous for cyber security, because the changes it has prompted already have three strikes against them: First, the situation was unplanned, with little or no advance warning. Second, it is largely unprecedented for most workers (I am in my upper fifties and other viruses outbreaks felt much different). And third, it has no clear end. Virtual operations are being planned, and there is no expiration date I am aware of.
So, enterprise security teams must deal with these exploitable vulnerability seams arising from business process changes. And they must do so for an unprecedented issue that could continue for some time. Sigh. Those are the facts, and if you work in enterprise security, you would be wise (even if your personal politics might suggest otherwise) to take this situation seriously. Below are five recommendations from the TAG Cyber team for immediate action:
Action 1: Provide Common Sense Guidance for Employees on Virtual Conferencing. While most employees already know that Zoom is not just a Seventies kid’s show, they should be reminded to be extra vigilant of scamming, eavesdropping, and other threats. Sending a clear text invitation over email to a conference call that will discuss next week’s reported earnings is just – well, you get the idea. Remind people to not be stupid.
Action 2: Demand Increased Situational Awareness for Security Staff. I know that you already tell your boss that you’re at DEFCON 1. Despite this little white lie, get your SOC team or other individuals tasked with real-time detection, prevention, and response, and push them from DEFCON 3 to DEFCON 2 (I’ll let you fill in the definition). One idea might be a daily stand-up meeting (er, conference call) to discuss real-time indicators.
Action 3: Reinforce Security Policies for Teleworkers. This assumes (I hope, I hope) that you already have a published security policy for teleworkers. If you don’t have one, then have a look at this nice guide. It’s important, for example, that your employees remember that the helpful teenager at the Apple store is simply not authorized to work on your office computer. Make sure employees know your policies and understand their importance.
Action 4: Remind Employees of Heightened Phishing Risk. Everyone knows that when you get stressed, rushed, or confused, you will be more likely to click on something bad. It is your job as an information security professional to remind remote workers freaked out about COVID-19 to please . . . slow . . . down. Remind them that notifications will not come as emails with links. And if some external entity sends such a thing, they should ignore it.
Action 5: Make Sure Your Security Hotline is Working. When someone in the office becomes concerned about a security issue, they have the luxury to ask a colleague what to do. When that same person works from home, they are more likely to say the hell-with-it. You can minimize this by ensuring that your security hotline (you have one, don’t you?) is working. If an employee sees something suspicious, they should be encouraged to report it.
Look – I know that people like Elon Musk are calling this whole thing dumb – and for the average person, it is probably reasonable that they remain calm and go about their lives in a normal manner. But when you are in a position like enterprise security, it is your job and your responsibility to do the worrying so that others don’t have to. The last thing on this entire planet that your company needs is to get hacked as a result of COVID-19.