Prashant Shroff (name changed), the CISO of a leading consulting firm, had many sleepless nights last week owing to the cyber threats that have increased rapidly amidst the recent coronavirus outbreak. If the IT threat landscape was already huge and complex, securing IT in the Covid-19 era has posed hitherto unthinkable challenges for him.
In the wake of the pandemic-induced lockdown, Shroff was tasked with further securing the complex IT infrastructure of his organization at a time when 95% of the workforce was working from home. Business continuity had to be maintained. He also had to prepare, in advance, a dependable and secure exit strategy for the scenario in which the lockdown was lifted, first partially and then fully, in due course.
The mettle of CISOs has been tested like never before. Like Shroff, CISOs across multiple sectors and industries face several challenges in ensuring business continuity while reducing the threat of data breaches. The obvious apprehension is that existing security policies may not withstand the new challenges that have suddenly developed. Security has become even more vital for organizations to enable remote workers to operate efficiently.
Based on multiple informal interactions with CISOs, we have identified five key gap/focus areas for CISOs in the post-COVID era.
- Employee training: While in many cases business operations have been suspended, mission-critical assets face the risk of being exposed and compromised. Security practitioners did not get enough time to train their large workforces on best practices for accessing remote applications securely. Understandably, given the sudden announcement of lockdowns around the world, not many organizations had enough time for such a large-scale work-from-home (WFH) transformation. This could affect businesses when normal operations resume. In the post-Covid environment, organizations are expected to design best-practice tools, resources, and applications that better support remote working, and to provide essential practical training to employees on malware and phishing prevention.
- Modernize VPNs: For a CISO, the second biggest challenge will be to modernize the organization’s virtual private networks, ensuring that they are designed for extended usage and equipped to support any large-scale WFH scenario. The practical and effective strategy for addressing this challenge is the ‘zero-trust’ network security approach: a contemporary lens that treats every user and device accessing the organizational network as untrusted until verified. (See: Covid-19: Reimagining work with a zero-trust lens). There is also significant interest in implementing high-end secure DNS servers for online protection. Yet, like their C-suite peers, CISOs will be under pressure to create this new security approach, its priorities, and its workflows with a smaller budget, in view of an imminent economic downturn.
- Unverified software and endpoint security: When offices start reopening, organizations may witness employees downloading unverified software and tools to facilitate their work, without obtaining approval from the IT team. At times, there may also be no option but to allow WFH users to install and use applications that have not been fully vetted. Working from home for such a long time may also have relaxed restrictions on using company-approved laptops for purposes such as entertainment and accessing various utility websites. This could be putting IT assets at high risk or even throwing compliance to the wind. CISOs need to ensure that their endpoint detection and response (EDR) solutions are able to record and detect all suspicious system behaviour and block malicious activity when employees are back in their offices.
- Risk from unknown and new devices: In the post-Covid phase, CISOs will need to undertake a marathon scan of all the new and unknown devices that employees may have used for work during the Covid-19 emergency. Many employees’ personal devices may have been sanctioned for work by organizations in view of the lockdown, in order to ensure business continuity. When these devices are later connected to the corporate network for data transfer or similar purposes, they will present a grave security risk. CISOs and their teams will need to verify that these devices have been updated with the latest security patches and operating system versions before they reconnect to the network.
- Remote onboarding and offboarding: This is an interesting yet delicate area for the CISO to reflect upon. Many global organizations and SMEs continue to hire, and to see employee exits, during the ongoing pandemic. In order to ensure business continuity, IT departments have approved both employee onboarding and offboarding remotely. For new hires, granting access to all the required tools and systems remotely needs a well-equipped security strategy. It should focus on the best ways to authorize access to the network and other infrastructure, enabling employees to use their personal or approved devices for network access. It also requires establishing and maintaining a robust remote domain controller set-up to ensure the safety of the corporate network.
On the other hand, employees who are exiting an organization may have been asked to retain company-approved assets until further travel advisories are issued. In such cases, organizations need a mechanism to remotely turn off access to every system the employee may have had access to. CISOs are expected to put in place the best identity and access management software and policies, so that all access can be revoked promptly even when an employee retains a company-approved IT asset for many days after their exit.
After the pandemic is over, it may be difficult to fully reset to the past. However, unless these security measures are applied as soon as the Covid-19 situation allows, organizations risk threat vectors compromising otherwise secure IT landscapes.