The Covid-19 coronavirus is a reminder (if one were needed) of our interconnected world and the ease with which an occurrence in one region can rapidly become a global phenomenon.
An enterprise’s employees, contractors, third-party partners and suppliers can all be affected. In recognition of this, many large global or regional organisations have processes in place to establish the threat to them if an event, such as a natural disaster or terrorist attack or – as is currently filling the headlines – the outbreak of a virus, occurs.
The result is that reports detailing impacted individuals and disrupted operations can often be available within minutes and, from there, plans formulated to mitigate outcomes and protect people.
IT security’s role in planning
Input from the CISO and his or her team when these plans are being drafted is hugely beneficial because it ensures that appropriate concerns are taken into account and security is considered from day one (rather than being an afterthought). Security-related disciplines such as threat intelligence can also identify key processes or potential targets within the organisation that might be at risk, so that all viable events are considered at the planning stage.
Cyber threat and security intelligence analysts and researchers are permanently plugged into real-world socio-political developments that potentially pose a threat to, or increase the risks faced by, their organisations. They therefore have a high awareness of incidents such as the current Covid-19 outbreak and the resulting security issues.
They are also concerned with the non-technical dimensions of emerging security incidents, and so can provide much-needed context to this type of event. This helps CISOs explain the situation to employees in terms that avoid technical jargon and resonate with them.
Good business practice
Mitigation plans don’t have to be complex and many activities fall into the category of day-to-day good business practice. For example, a remote working policy and procedure document should be in place and regularly updated to ensure that both management and employees understand how to work effectively and securely without being in the office.
From a technical perspective, mobile device management (MDM) software matters for every device that touches corporate data, whether organisation- or employee-owned. It can locate and wipe lost equipment, push out applications and security updates, enforce baseline settings such as encryption and screen locks, and help prevent the installation of malware.
Virtual private networks (VPNs) are also a key tool. They provide an encrypted link that lets employees safely reach the parts of the network they need to do their job, and enforcing multifactor authentication on the VPN reduces the risk that a stolen password alone is enough to get in. Capacity matters too: a VPN sized for a handful of travelling staff may not cope when the whole workforce connects at once, so concentrator capacity and licence counts should be checked before they are needed.
Business teams will define critical functions and employees; security’s role is to balance this by ensuring appropriate controls are in place. For example, staff members who are ill or unavailable may need to be replaced on a temporary basis, and issues such as whether these interims are appropriately trained and the likelihood of urgent requests for privileged access to key systems need to be determined in advance.
It may also be necessary to override existing security checks and controls during a crisis, so the risk this poses should be assessed before the event, along with who can approve such an exception, how long it lasts, and how it is logged and reversed afterwards.
The same situation presents itself for third parties and suppliers. If new organisations are brought in to provide a stop-gap service, the business needs assurance that they have undergone sufficient checks that they will not cause a cyber incident by mishandling data, or misuse their system access in a way that causes unexpected outages.
It is also possible that the security organisation itself might be impacted. If critical functions such as the 24-hour monitoring provided by the security operations centre (SOC) are located in one place, there is a risk that they may all be unavailable.
It is not always practical or cost-effective to have multiple redundant teams spread around the world to account for a once-in-a-decade event, but practical steps can be taken, such as using automation to make sure that key tasks are still performed in the event of an emergency. Granting access to key systems remotely may also mitigate some of the risk if people are forced to work from home for extended periods.
As with all forms of business continuity activity, plans and events should be tested where possible – and as often as possible to make sure there have been no changes that could render the planning useless.
For example, if critical individuals have left the organisation, a backup site no longer exists, or the replacement for an application that was retired a year ago cannot print off required details in the event of an emergency, the plan cannot be executed.
Guarding against the rise in phishing
Disruptive global events usually bring an increase in phishing emails – appeals to help colleagues, donations to a non-existent charity, disinformation, and so on – as criminals look to exploit them.
Social engineering is aimed at making people provide sensitive information or perform an activity before they have a chance to process the request, and the fear caused by events such as viruses or terrorist attacks is the perfect cover for bad actors. There are real-world examples of criminals posing as the CEO and updating employees on a global event with an email containing an embedded link to a site that steals their credentials.
Mitigation activities include ongoing education so that employees recognise malicious emails, backed by technical controls: mail filtering that flags external messages using an executive's display name or links whose visible text does not match their destination, multifactor authentication so that a harvested password is not enough on its own, and a simple reporting route so that suspicious messages reach the security team quickly.
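The CEO-impersonation pattern described above (an executive's display name on mail from outside the organisation, carrying a link whose visible text differs from its real destination, wrapped in event-driven urgency) can be turned into a simple triage check. The following is an added example, not code from the original article or any product it mentions; the corporate domain, executive names, urgency terms and both sample messages are constructed for illustration.

```python
"""Heuristic triage for executive-impersonation phishing (added example).

Assumptions, not facts from the article: the organisation's mail domain is
example.com, the executives listed below are the names an attacker would
impersonate, and the two sample messages are constructed for this demo.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

CORPORATE_DOMAIN = "example.com"            # assumption: the organisation's own domain
EXECUTIVES = {"jane doe", "john smith"}     # assumption: names worth impersonating
URGENCY_TERMS = ("urgent", "immediately", "today", "outbreak", "covid", "coronavirus")

# <a href="...">visible text</a> pairs in an HTML body.
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# A domain-looking token in the visible link text, with or without a scheme.
BARE_DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for .com-style domains in a demo."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess(message: dict) -> list[str]:
    """Return the impersonation indicators found in one message.

    message = {"from": RFC 5322 From header, "subject": str, "body": HTML string}
    """
    findings = []
    display, addr = parseaddr(message["from"])
    sender_domain = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    claims_exec = display.strip().lower() in EXECUTIVES

    # 1. Executive display name, but the message comes from outside the corporate domain.
    if claims_exec and sender_domain != CORPORATE_DOMAIN:
        findings.append(f"executive display name '{display}' from external domain {sender_domain}")

    # 2. Link text shows one domain while the href points somewhere else (credential lure).
    for href, text in HREF_RE.findall(message["body"]):
        href_domain = registrable(urlparse(href).hostname or "")
        shown = BARE_DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable(shown.group(1)) != href_domain:
            findings.append(f"link text {shown.group(1)} but href goes to {href_domain}")
        elif claims_exec and href_domain and href_domain != CORPORATE_DOMAIN:
            findings.append(f"executive message links to external site {href_domain}")

    # 3. Event-driven urgency language, which is what lowers the reader's guard.
    text = (message["subject"] + " " + message["body"]).lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        findings.append("urgency/event keywords: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
PHISH = {
    "from": "Jane Doe <jane.doe@example-it-update.com>",
    "subject": "Urgent: Covid-19 update for all staff",
    "body": (
        "<p>Please read today's update immediately: "
        '<a href="https://login.example-it-update.com/sso">'
        "https://portal.example.com/covid-update</a></p>"
    ),
}
LEGIT = {
    "from": "Jane Doe <jane.doe@example.com>",
    "subject": "All-hands call agenda",
    "body": (
        "<p>The all-hands call is on Thursday; agenda at "
        '<a href="https://intranet.example.com/agenda">intranet.example.com/agenda</a>.</p>'
    ),
}


def run_samples() -> dict:
    """Assess both constructed messages; used by the demo and the self-check."""
    return {"phish": assess(PHISH), "legit": assess(LEGIT)}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, "->", result or "no indicators")
```

The three checks are deliberately independent: a genuine internal executive mail linking to the intranet trips none of them, while the constructed lure trips all three. In a real mail gateway the same logic would feed a quarantine or banner rule rather than a print statement, and the executive list and domain would come from the directory rather than a constant.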
Organisations need to be prepared for any number of globally disruptive events. Effective handling of these requires security teams to be embedded in crisis and business continuity planning sessions throughout the enterprise.
This ensures that the business understands the cyber risk, and that the security team has full visibility of the real-life scenarios that will occur, so that processes and controls can be adapted to mitigate the resulting risks.