As enterprises everywhere brace for the impact of COVID-19 on their day-to-day business functions, I’d like to remind information security and business continuity practitioners to specifically think about the impact nonstandard operations could have on their security programs.
In my 30-year-long security career, I’ve never seen a nonstandard operation yield the same level of overall security as standard operation procedures. In some cases, a more manual approach combined with a reduction in volume and increased scrutiny resulted in a higher level of security overall. In other cases, nonstandard operations resulted in a lower overall level of security due to circumvented controls (intentionally and unintentionally), expedited processes, a “crisis mentality,” and other human factors.
In general, nonstandard operations scenarios are not effective—or even possible—indefinitely. Mass work-from-home, supply chain disruptions, and event cancellations cause minimal disruption over the span of a few days, larger disruptions if they span weeks, and significant, potentially catastrophic disruptions if they span months.
With this in mind, now is the time for security teams to develop contingency plans that emphasize process resilience. You can start to identify breakpoints in your nonstandard operation planning by asking questions such as, “What happens if we’re running like this for 10 days, 10 weeks, or 10 months?” or “How does our process and/or business need to change to avoid disruptions?”
Prepare for Issues With Large-Scale Remote Access
Remote access procedures are usually designed to simultaneously accommodate a small proportion of the workforce. Expanding a system that typically accommodates 2% of the workforce to suddenly accommodate 90% or more requires planning and testing. IT leaders must consider how they will manage bandwidth, VPN licenses, network hardware and IP address pools.
Several years ago, I worked with a company to conduct a remote work exercise in preparation for the H1N1 flu. They found that the Class C IP address pool allocated to their VPN clients (256 addresses) was quickly exhausted when 4,000 clients attempted access. This illustrates the importance of conducting testing and exercises as early as possible to prepare for such issues.
When you have an unprecedented number of people logging in remotely, there will also be more opportunities for security breaches to occur. Employees who are concerned about accessing systems remotely through saturated VPN links may be tempted to take copies of confidential information with them, email data to their Gmail accounts, or copy sensitive data to a laptop or USB stick. Circumventing controls in this way almost always results in a reduction in overall security. If possible, plan a work from home trial run now by having segments of your company’s staff work remotely on an assigned day. This will give you the opportunity to make sure staff are trained on conferencing tools and appropriate conferencing software clients are installed on the machines they are taking home.
Create a Contingency Plan for Business Critical Staff
As more communities are asked to exercise social-distancing, adults will not be the only ones working from home. Older children who cannot go to school will be asked to log in to virtual classrooms, and increasingly bored children of all ages will be streaming entertainment services, music, and online games. Local, residential ISP links will quickly become saturated, so companies must have a contingency plan for business critical staff to ensure they can still gain access. Companies will need to plan for alternate (non-residential) workplaces and work with local authorities to ensure that these critical staff members can still access those workplaces in the event of quarantine or other travel/access restrictions.
Identify Security Gaps Ahead of Time
To prepare for broad-based, work-from-home scenarios, IT leaders should review their adaptive authentication schemes and user behavior systems. Why? Because when employee Jeff, who has logged-in consistently from the company office building during normal business hours for the past 2 years is suddenly logging in from home irregularly, there will be security alerts, additional authentication requests, and possibly account lockouts. Meanwhile, help desks will be overwhelmed by employees that rarely (or never) use VPN and other remote technologies. To avoid cyber criminals from capitalizing on these scenarios, companies must ensure that password and MFA reset procedures are compatible with mass work-from-home scenarios before they occur.
IT leaders should also be prepared for scammers to use COVID-19 and nonstandard operations as a pretext for phishing. Look out specifically for messages such as, “You need to do something to continue accessing this system remotely” and “List of confirmed COVID-19 cases in [COMPANY]” and “Are You OK?” These types of emails are likely to convince employees to click, and attackers will be able to exploit the “crisis mentality” by insisting tasks be done immediately. Training staff to be vigilant to these sorts of scams is imperative for continued security. Likewise, companies should also be aware of physical security threats from individuals impersonating unfamiliar sanitization vendors or wearing masks to avoid cameras.
At this point, no one can be sure how long COVID-19 will impact our lives and the way we work, but we do know that forewarned is forearmed. If you have any questions about how to prepare your company for the challenges ahead, please contact us for guidance. There are things you can do now to ensure a better outcome, whether it takes days, weeks or months.