Cyber-criminals, nation states and other actors are exploiting the COVID-19 crisis for their own gains. The US State Department official Lea Gabrielle recently told Congress that the “entire ecosystem of Russian disinformation is at play.”
However, the most prevalent threat so far is from cyber-criminals who are conducting phishing attacks while posing as credible organisations such as the World Health Organisation, the NHS or the UK Government. These fraudulent emails offer fake test kits and cures, scarce supplies, false advice and financial benefits, all aimed at getting their targets to click links, open attachments or pay for the promised services.
Organisations are more vulnerable to these attacks as a result of the fundamental changes in our personal and professional lives, not least the rapid increase in people working from home and their increased isolation from friends and colleagues. These risks mean that CISOs are now in the front line of the response to COVID-19 and need both to address the immediate issues and to prepare for longer-term opportunities and challenges.
Protect your people
One of the first steps CISOs need to take is to provide or refresh cyber-security training which focuses on phishing identification and response as well as secure remote working practices. This should be reinforced with clear guidance on securely working from home. The NCSC provides good advice on this and many web-based training packages are available. Employees should also be given access to credible information sources through the organisation’s intranet page and provided with regular updates on malicious actors’ methods, enabling employees to play their part in detecting phishing attacks and misinformation.
Secure your remote working solutions
Many organisations are struggling to provide enough remote working capacity to support their entire workforce working from home. This is leading to the need for rapid improvements in systems and to employees using their own devices, both of which can lead to increased security risks to organisations if not managed well. The CISO must sign off on, and log, these changes to systems and ensure that the information security team is represented on organisational design authorities, change authorities and crisis response teams.
They also need to assess and improve the security configurations of remote working solutions including VPNs, cloud working solutions and endpoints. This should be underpinned by a review of information sharing and information protection capabilities, including data loss prevention and security controls.
Maintain the security of your procurement process
There are other potential risks in the way organisations are having to procure products rapidly to enable new ways of working, and it is vital that all this new equipment meets the required security standards. While the need to get solutions in place quickly may mean some security standards are relaxed, this should only be temporary; any security waivers granted now should be reviewed as soon as possible after the initial crisis response, and the associated risks carefully recorded. A temporary flex in the identity and access management or bring-your-own-device policy needs constant monitoring and active management.
Maintain your cyber-security protection
It is clear that there will be pressure on both internal and third-party security operations teams’ capabilities and capacities. Staff shortages, increased change demands and the need to respond to increased incidents will all bring additional burdens. CISOs need to ensure that these limitations on capacity are well understood and reflected in security processes and that key person risks are known and managed.
Clarify your incident reporting processes
While working remotely, it is more important than ever that people report incidents. CISOs should make it easy for that reporting to take place, by, for example, adding an obvious link on the intranet site. Senior leaders should also underline that there is a no-blame culture and actively encourage reporting. This could start with an email to all users to remind them of the approach, as well as an incident reporting button on the organisation’s intranet. A simple FAQ for all staff that answers basic security queries (e.g. password changes, key contacts) will also help people to help themselves.
CISOs have a clear opportunity in this crisis to proactively demonstrate their team’s value in a world of increased online and remote working. This will create greater awareness of their role across the organisation and make integration with other departments easier. This could then enable much more effective cyber-transformation programmes in the future.
Another benefit of the CISO’s involvement in coronavirus crisis response will be the way it can lead to better integration of information security into design, change and procurement processes in the long term. This could then be the foundation of security-by-design processes in the organisation, something which many CISOs have historically had difficulty implementing.
As people work from home and become more dependent on accessing information remotely, they can be supported to be more cyber-savvy. This will then improve information security across the organisation and could lead to a more fruitful and engaging relationship with department heads and pave the way to embedding security in the minds of the whole organisation for the future.
Chris Goslin is a cyber security expert at PA Consulting