Most organizations have, where feasible, adopted telecommuting or work-from-home arrangements to keep their businesses running during the COVID-19 crisis. While this is the right call for protecting the health of employees, it also widens the organization's attack surface, and that exposure does not disappear when the crisis ends. Organizations must therefore start identifying the gaps in the cybersecurity measures taken during the crisis now, and address them as they return to business as usual (BAU).
It is highly probable that cybercriminals are gearing up to take advantage of this situation. They understand that organizations will focus on getting the business running again rather than on strengthening their cyber resilience. A particular concern is attacks on organizations that supply or support government bodies. The last thing any organization wants right after attaining BAU is to deal with a cyberattack.
Here are a few measures organizations should take to minimize their risk exposure and secure their data:
Stand Down the Business Continuity Plan
The first step is to stand down the business continuity measures invoked to tackle the crisis. This must be done following the steps documented in the organization's business continuity plan. If the organization follows a specific standard for organizational resilience, such as ISO 22301 or ISO/IEC 27031, it is advisable to stick to the process that standard recommends so that the return to BAU has minimal impact. Any security risks accepted or introduced during the crisis (temporary exceptions, relaxed controls, emergency access) should be recorded in the IT security risk register so that they are verified and remediated rather than silently becoming permanent.
Enforce Password Changes
InfoSec teams must enforce password changes for all user and administrator accounts, following the documented change management process, and prioritizing privileged accounts and accounts with remote access. Organizations that serve multiple business customers must agree the password change activity with those customers in order to protect the customers' IT environments as well. The purpose is to invalidate any credential that may have been exposed during the lockdown period, for example through shoulder surfing at home or an accidental password leak, before it can be used for unauthorized access to sensitive information. It also shortens the window in which a password guessed or harvested during the crisis remains usable. Note that a one-off rotation does not replace multi-factor authentication; where MFA was not enforced for remote access during the crisis, that gap should be recorded in the risk register too.
Initiate Internal Security Audit and Self Declaration
Organizations need to identify and assess the IT security vulnerabilities and risks that exist after the crisis. An internal security assessment is the right way to find security risks and system vulnerabilities that were newly introduced during the crisis.
The findings of the assessment must be captured in the risk register together with a mitigation plan. This will be a large undertaking requiring cooperation from every operations track; the InfoSec team should therefore use the crisis period itself to prepare these teams and educate them about the post-crisis audit requirements.
Figure 1: IT Security Risks and Vulnerabilities to be Addressed
In addition to this assessment, organizations should collect signed self-declarations and voluntary disclosures from employees about their safe and secure use of IT assets during the crisis. This helps surface accidental misuse of assets that would otherwise go unreported.
Validate Access Permissions and Check Asset Inventory
First, when business continuity is invoked, it is standard practice for companies to provide access to the corporate environment via VPN or VDI to enable work from home (WFH). Organizations may also have allowed BYOD to support critical business tasks. Both expose the organization to a spectrum of cyber risks and therefore require close monitoring and follow-up.
Once BAU is attained, the security team must review the access provisioned during the crisis and revoke any access to company or customer data that is no longer needed.
Second, the asset inventory before and after the crisis must be reconciled. To enable work from home, organizations will have issued devices such as laptops, data cards, and cell phones. These assets must be revalidated to confirm they were used safely and securely by authorized individuals only. Any discrepancy (an unaccounted-for device, or a device in the hands of someone other than its assigned user) should be raised as a security incident and the asset blocked.
Check Compliance to Regulations and Data Security
Organizations may have cut some slack on security measures while provisioning WFH, but regulators will not. Regulations such as GDPR, CCPA, and LGPD exist to ensure that customer and citizen data is protected at all times. Upon attaining BAU, organizations therefore need to check for compliance misses and data leaks. Control measures required by the applicable regulations should be verified, and any compliance misses must be reported to the regulator within the timelines the regulation sets (under GDPR, for example, a personal data breach must be notified to the supervisory authority within 72 hours of the organization becoming aware of it, where feasible). Remediation should follow to ensure the controls deployed are effective again.
Data security is an important aspect of this activity. Unless the organization already had a robust data security program in place, it should assume that some data may have been exposed during the crisis. A data breach not only causes data loss but also leads to hefty penalties from regulatory authorities. A comprehensive check should therefore be carried out to find any possible data leaks. Leaks, if any, must be communicated to the relevant stakeholders, and countermeasures identified and actioned.
These are the bare-minimum security measures for limiting the impact of the pandemic on an organization's IT security regime. More stringent measures and checks are always welcome, but they consume time and resources. With that in mind, organizations can start preparing now and create road maps to tackle their IT security requirements for the future.