What’s your post COVID-19 crisis security cleanup checklist?
As organizations recover and employees prepare to return to work, security leaders are likely to face the challenge of restarting their operations and helping teams adopt a “new reality.” They are also likely to realign and prioritize budgets within a changed business context, as well as clean up risks that may have been inadvertently introduced during the crisis period.
Recent research published by EY and The International Association of Privacy Professionals (IAPP) indicates 60% of organizations either abbreviated or totally dispensed with security checks in and around new capabilities introduced to support their business. So, I’ve penned a checklist of the top areas and remediation priorities that organizations should address, in the hopes it can act as a useful and practical reminder that the process of laying the groundwork for post-pandemic recovery begins with a post-crisis cleanup.
What should we worry about?
It’s a long list. As we consider opening for business again, the required expansion of remote working makes it more likely that people have:
· Been granted local admin privilege on their laptop
· Synced and stored corporate data to personal cloud storage accounts
· Synced corporate passwords to personal browsers or keychains
· Enabled printing from home devices
· Stored sensitive data in open team rooms
· Stored data on a USB memory stick or USB external hard drive
· Re-configured/mis-configured local security settings (such as personal firewall/VPN/wireless/Bluetooth/anti-virus and software updates/automatic storage syncing)
And there are other potential areas, due to the disruptions in “business as usual,” that can make organizations vulnerable. They include:
· Supervisors/managers may have collected personally identifiable information on people to track their health and status
· Employees’ endpoint devices could be “infected” with malware via successful phishing campaigns and, as a result, malware has taken up residence within your network: in data stores, collaboration sites, or other systems and servers
· Patches and upgrades may have been deferred
· Quality assurance processes associated with software development were abbreviated, resulting in statistically more defects per line of code that can be vulnerable to exploitation
· Access controls have been relaxed, and additional remote login accounts or credentials have been granted to teleworkers, partners or outsourced staff
· Privileged access has been granted to service providers and/or backup staff
Where do we start?
Here are a few simple steps to take as we prepare for “business as usual”:
· Update security policies and educate employees on how to expunge information that has inadvertently been stored to personal accounts
· Use configuration management tools to remove or re-configure features or functions not ordinarily permitted by policy (compare configuration against the golden image, if possible)
· Review directories for grants of privileged access during the infection period; ensure that access is required and revoke excess privilege
· Perform a “spring cleaning” of devices and networks – assess devices and networks for evidence of malware infection/command and control communication. Review logs created during COVID-19 period for anomalies – such as unexpected behaviors, gaps in the record, and more
· Assure endpoint protection packages are up to date and configured correctly
· Run enhanced network vulnerability scans across
· Review and re-prioritize patches and upgrades
· Make sure your incident process can cover ransomware-related events
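The privileged-access review and the log review for gaps in the record, from the steps above, sketched as an added example that is not part of the original article. The record layouts, the account, group and host names, and the crisis-window dates are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed directory audit records: (ISO timestamp, action, account, group).
# The field layout, account names and group names are assumptions.
GRANTS = [
    ("2020-01-05T10:00:00", "add", "svc.monitor", "Domain Admins"),
    ("2020-03-16T09:00:00", "add", "vendor.backup", "Domain Admins"),
    ("2020-03-18T11:30:00", "add", "j.doe", "Local Admins"),
    ("2020-04-02T08:15:00", "remove", "j.doe", "Local Admins"),
    ("2020-04-10T10:00:00", "add", "temp.contractor", "VPN Admins"),
]
# Constructed log record times: (ISO timestamp, host).
LOG_TIMES = [
    ("2020-04-01T00:00:00", "fs02"), ("2020-04-02T00:00:00", "fs02"),
    ("2020-04-09T00:00:00", "fs02"), ("2020-04-01T00:00:00", "web01"),
    ("2020-04-02T00:00:00", "web01"), ("2020-04-03T00:00:00", "web01"),
]

def outstanding_grants(records, start, end):
    """Grants made inside [start, end] that no later record revoked."""
    active = {}
    for ts, action, account, group in sorted(records):
        if action == "add":
            active[(account, group)] = datetime.fromisoformat(ts)
        elif action == "remove":
            active.pop((account, group), None)
    return sorted(k for k, when in active.items() if start <= when <= end)

def log_gaps(records, max_silence):
    """Per host, spans between consecutive records longer than max_silence."""
    last_seen, gaps = {}, []
    for ts, host in sorted(records):
        when = datetime.fromisoformat(ts)
        prev = last_seen.get(host)
        if prev is not None and when - prev > max_silence:
            gaps.append((host, prev.date().isoformat(), when.date().isoformat()))
        last_seen[host] = when
    return gaps

if __name__ == "__main__":
    window = (datetime(2020, 3, 1), datetime(2020, 6, 30))  # assumed crisis window
    for account, group in outstanding_grants(GRANTS, *window):
        print(f"review: {account} still in {group}")
    for host, a, b in log_gaps(LOG_TIMES, timedelta(days=2)):
        print(f"gap: {host} silent from {a} to {b}")
```

Grants made before the window (here `svc.monitor`) are left out on purpose, so the output is the list of crisis-period exceptions that still need an owner's confirmation or revocation.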
I look forward to hearing your thoughts, so please feel free to add them. And as we move along in the process of going back to business, I’ll share more perspectives on how we can do so while being proactive on the cyber front.
Global Managing Partner for Growth & Innovation at EY I Financial Services, Business Tech Consulting, Transformation, Data, Analytics, Strategy, ESG, Regulation, Digital Assets, Innovation, DEI, Mentoring
4 years ago: As more businesses prepare to restart their "business as usual," leaders must ensure not only the physical and mental health of their employees but also their digital health and cyber post-pandemic clean-up. Great checklist, Kris.
EY Consulting Managing Partner, Malaysia, Strategic and Digital Transformation
4 years ago: Like the checklist for #cybersecurity for #covid19 - cannot be too lax
Sustainable Architecture & Responsible Innovation | #ArchitectTomorrow & Consultants Saying Things Podcasts | R&D / Technology Director | Speaker & Facilitator | MBCS CITP | ex Chief Architect, ex Big 4
4 years ago: Tanium customers don’t have to wait to address many of these things (and more items on the IT hygiene list). Our unique architecture allows us to manage and secure endpoints at speed and scale regardless of where they are. FYI We are working with Michael Maddison and team on this in EMEIA. Happy to share how we are helping customers on this.
VP | CISO | Board Director
4 years ago: This is great! I hope folks take stock of where changes were made to quickly accommodate the pace of change - and update plans and procedures accordingly.