Duplo not Technic

It is time to go back to basics – cyber security in times of adversity

These are strange and challenging times for us all. As security and operational resilience practitioners these are periods in which stripes are earned and lost, times during which we need to dig deep into our armory of skills, and days in which we need to be surgical with our advice and support to our respective organisations.

There will be time in the future during which the necessary ‘wash-ups’ will take place, lessons learned and corrective actions for the future laid down. It will be difficult for some to not say “I told you so” when discussing pandemic incident response plans. I for one have sat at the executive management table where there is little oxygen in the room to discuss pandemics, where the topic is persistently de-prioritized off the agenda and where such talk of shutting offices was viewed as fanciful. A black swan event.

However, this should all be in the past. Businesses will now have a global pandemic sitting in their Board risk registers, at the top right of the impact/likelihood matrix. It is what we do now, going forward, not looking back at past mistakes, that will future-proof our organisations.

You would be forgiven for thinking that this article is about pandemic response. However, this post is about, as the title suggests, going back to cyber security basics when protecting our organisations. This article is a brief insight into the work I have been doing since voluntarily leaving my last organisation and setting out for ventures new.

That I have been so quiet on LinkedIn is a reflection of the level of engagement I have been involved in on a company-to-company or peer-to-peer basis over the last 8 weeks. What this pandemic has done is shine a light right through our remote working models. Literally millions upon millions of employees are now working from home, striving hard to keep business-critical functions operational, while cyber security teams try to maintain the required level of security.

What COVID-19 hasn’t done is reduce the threats organisations face from cyber criminals. Funnily enough, these individuals do not have a corporate office that has been shut, where their management has told them to work from home and self-isolate. Remote isolation is a hacker’s modus operandi – every day!

Recent figures show that in the UK alone there has been exponential growth in phishing: an increase of approximately 650%+ in the month of March compared to February. COVID-19 has raised awareness among cyber security experts that the internet, local networks, communication platforms, applications and devices that we so readily rely on are not quite ready for the global digital society we seek.

One of the main challenges faced by the organisations I am supporting is the time factor; the pace at which this hit organisations and the time needed to scale the required resources to forward mount all employees to home working has caught everyone off guard. Some organisations were in the middle of multi-factor authentication programs, switching from on-prem to cloud or switching VPN provision. Even the most senior leaders in the companies I have been working with have been caught out (I have an example of a senior exec handing over work equipment to enable children to home school and, in doing so, enabling his daughter to click on a phishing link in her school email).

The message is simple: back to basics. This is Duplo level security guidance; follow the policies and procedures that are distributed by the cyber security professionals within your companies and use common sense (not necessarily common to all). These are the policies and procedures that some senior leaders have given little time or effort to familiarise themselves with in the past.

There are some simple messages for leadership and employees that I have been sharing and working on with SMEs. These are listed below:

Be mindful of your online hygiene

  • Do not click on suspicious links, especially if related to coronavirus, as attackers are using fear to prompt victims into clicking. Company policies should be consistently applied at home; report suspicious activity to support desks.
  • With your own personal IT home equipment, ensure antivirus and anti-malware software are up to date, security patches are applied and regular scans are run.

Only use the approved company storage solutions

  • Do not start using local or cloud storage solutions that are not company approved. Storage locations should be approved and accessible to approved users.

Do not allow your work devices to be used for family reasons

  • As tempting as it might be, keep work IT and family IT separate.

Avoid using personal devices to connect to the corporate network

  • If you have to use a personal device, ensure you consult with your IT function. All devices must have strong passwords and be used only on your home network.

For the cyber security teams and CISOs I have been engaged with, the following applies:

  • Where possible, implement MFA on all VPN connections and critical cloud services to increase security. If MFA is not implemented/possible, require home workers to use strong passwords.
  • Ensure whitelisting is in place and external emails are marked as ‘EXTERNAL’.
  • Distribute short ‘infomercials’ on the threats of COVID-19 phishing and related topics, and ensure employees do not click unknown or suspicious links.
  • Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations.
  • Closely monitor privileged access by optimising the behavioural analytics tools for detecting suspicious activity for admins and those who handle critical data.
  • Adapt security monitoring systems and strengthen the log monitoring rules for triggering alerts. Security operations teams should manage the increased number of alerts, sorting them by risk and separating false positives from genuinely suspicious events.
  • Ensure web and email protection by implementing web filtering technologies to prevent employees from visiting malicious websites. Implement email filtering rules to block spam and phishing emails.
  • Limit privileged access and activities to only what is strictly necessary. Administrative activities should be closely monitored and controlled.
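
One way to implement the ‘EXTERNAL’ marking from the list above, shown as an added example that is not part of the original article. The internal domain `example.com`, the function names and the two sample messages are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the organisation's own mail domains (placeholder value).
INTERNAL_DOMAINS = {"example.com"}
TAG = "[EXTERNAL]"

# Constructed sample messages, not real mail.
INTERNAL_MAIL = (
    "From: Service Desk <servicedesk@example.com>\n"
    "Subject: VPN patch window\n\nPlease reboot tonight.\n"
)
LOOKALIKE_MAIL = (
    'From: "Service Desk <servicedesk@example.com>" <help@example.com.mail.test>\n'
    "Subject: COVID-19 policy update\n\nSee the attached link.\n"
)

def sender_domain(msg):
    """Domain of the real From address; the display name is ignored."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def is_external(msg):
    # Exact match only, so 'example.com.mail.test' is not treated as internal.
    # A missing or unparsable From yields '' and is tagged (fail closed).
    return sender_domain(msg) not in INTERNAL_DOMAINS

def tag_external(raw):
    """Parse a raw message and prepend TAG to the subject of external mail."""
    msg = message_from_string(raw, policy=policy.default)
    if is_external(msg):
        subject = str(msg.get("Subject", ""))
        if not subject.startswith(TAG):
            del msg["Subject"]
            msg["Subject"] = f"{TAG} {subject}".strip()
    return msg

def tagged_subject(raw):
    """Subject line as the recipient would see it after tagging."""
    return str(tag_external(raw)["Subject"])

if __name__ == "__main__":
    for raw in (INTERNAL_MAIL, LOOKALIKE_MAIL):
        print(tagged_subject(raw))
```

This checks only the From header, so a message that forges an internal From address still depends on SPF, DKIM and DMARC enforcement at the mail gateway.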

I wrote in a previous article about what doing the basics can mean for an organisation, and how collectively all employees play a part in reducing the security risks faced by companies, much like always wearing a seat belt to save lives and brushing one’s teeth to prevent poor oral hygiene. COVID-19 has demonstrated more than ever the need for basics to be followed by all employees and the need for companies to invest in a multi-factor biometric approach to security, which can efficiently safeguard sensitive employee and customer data whilst future-proofing their business.

When we all come out of the other side of this difficult period we will see that flexible working for many more companies will be more accepted and that in turn, security will matter more. Pandemic incident response and enterprise operational resilience will matter more.  

That will be the time for the professionals among us to step up. Time to have the right people holding the right conversations. Time for CSOs, CROs and CISOs to step into the Boardroom and have the data and lessons learned from this difficult period to build on the security mind-set and resilience required to face the next pandemic.

Because there will be another. 

Arthur Morri?n

Manager Security & Quality Assurance

4 years ago

Great read Adam, like the Duplo reference!

Jaime Hindle

Delighting clients. Delivering growth.

4 years ago

Some very pertinent points here from the coal-face.

Ben Donaldson

Human Risk and Innovation @ Tesco | Cyber Spokesperson | CyberFirst Ambassador | SSAP, LPQ, CCSA

4 years ago

A great read - some really crucial points to take away as we move further into the unknown. Thank you Adam.
