THE CIA INGREDIENTS FOR COVID-19

At this point in time, businesses around the globe have been empowering people to work away from their office desk. Did we think this would ever be the case a few years back or as recent as last year? For some, yes, it was a possibility to work at home, and for others, the paradigm of working from home was something unachievable recently as last year. Yet, here we are, in April 2020, where businesses have enabled the work from home plan in just a few days. Is it possible that a few days have been enough to plan the work from home strategy? 

Often in Information Security, we invoke the CIA factors which are Confidentiality, Integrity and Availability. These factors help in guiding us for the implementation of policies to protect the company data. Confidentiality is defined as the access to data by authorized people only. Integrity is the accuracy, trustworthiness and completeness of data during its entire life-cycle, while Availability is achieved by keeping all the required systems online so that data can be accessed whenever needed. The most common list of proprietary information to protect is but not limited to Client/Partners/Vendors Information, Unpublished Financial Information, Patents, Formulas, New technologies, Data from external sources, Documents explicitly marked as confidential. But how do we implement those factors into the work from home plan?

The Confidentiality Factor - Any security professional will tell you that we cannot only rely on IT systems to keep information safe. They will need the cooperation of users also. The latter will have to be asked to store and lock confidential information in a secure device, they will have to shred any confidential information to avoid sharing those. For IT administrators, they will have to implement Multi-factor Authentication, make use of biometric scanning if possible, or enforce strong passwords. Antivirus software should also be installed on the employee’s desktop to prevent the download of malwares and viruses. Additionally, and most importantly, a proper email protection schema should be implemented as this is the easiest way to hack users nowadays.

The Integrity Factor - Data should be encrypted before being sent over the Internet. This will avoid tampering. It can be implemented by providing L2TP/IPsec VPN access to users to work remotely. An L2TP/IPsec is a kind of secure tunnel used between a desktop and the enterprise network for accessing information over the Internet. The data within this tunnel is highly encrypted so that nobody on the Internet can intercept and change the data.

The Availability Factor - Data should always be available and there are two options to keep it that way. The first one is a High Availability/Replication mode and the second is the process of backup and restore. Businesses who cannot afford downtime at all should ensure that their system is in a High Availability mode so that if the system crashes, they have an exact online copy of the primary system as a redundant option. In this process, data is copied between the primary and secondary system in real time. But sometimes it is expensive and some companies, who can afford one- or two-days downtime, prefer the option of having an offline backup and they do the restore in case of a system crash. But this mode could result in a small loss of data, such as in the case where the backup is done every night, and the crash occurs in the evening before the next backup, they could lose all data of the present day of work.

Businesses thrive on data and if the data is compromised, the businesses could be affected deeply. These are only the examples of how basic CIA could be achieved in a few days. The more in-depth processes involved in a CIA scheme could take several months to be implemented.