As the world navigates its way down what everyone hopes is the end of the long, dark COVID-19 tunnel, organizational leaders are keen to bring their employees and businesses back into the full light of day. But after a year-plus of cyber-scrambling on both operational and defensive fronts, there’s no time to waste: Now is the time to thoughtfully apply lessons learned in the pandemic to a new definition of “normal” in IT security.
What The Dark Taught Us
The pandemic presented every type of business, institution, family, and human being with extraordinary challenges. On the IT security front, organizations in the critical industries we serve, who were on the frontlines of COVID-19, were both victims of the pandemic and simultaneous targets of the most rapid escalation in global cybercrime in history. The upside is that the exhausting lessons of the past year have tremendous value—IF we apply them to better prepare for future crises.
Now it’s understandable that the idea of a “next time” is pretty unsettling, since no one wants to consider another global disruption when we’re still coming out of the present one. But the fact is that right now, as people prepare to transition into the next chapter of work and life, is an ideal time to shift policies and practices, set new habits, and shore up your defenses.
So after over a year on our cyber-heels, what did we all learn that we can apply to our next “normal”?
LESSON #1: They’ll kick us when we’re down.
We knew hackers were bad actors who exploit digital, physical, and human weakness for their own gains, but the criminals who targeted institutions on the front lines of COVID-19 (healthcare, financial institutions, schools, etc.) revealed a deeper level and broader scale of malice than we’ve seen in hacking history.
THE TAKEAWAY: Get your dukes up for cyber resilience. PLAN on similar behavior from cybercriminals in the future, whether in conjunction with another global or national catastrophe, or just a community-based or company-wide distraction. In shifting from an “if” to a “when” posture, organizations accept responsibility for proactively reducing risk and actively preparing to handle a serious disruption to enterprise-wide operations. This is cyber resilience. Organizations of all sizes can take steps towards cyber resilience by properly funding critical security solutions and cyber insurance coverage, staying abreast of current cyber attack fronts, emerging threats, and best defensive practices, and choosing an IT security audit partner of the highest caliber possible. Such investments in quality solutions will far better position your team, environment, and assets when a significant breach and/or long-term crisis ensues.
LESSON #2: Our weaknesses grow exponentially in crisis.
Whether it’s falling behind on patches, uncertainty about supply chain security, or the lack of an incident response plan, any kind of business, local, or world crisis exacerbates the vulnerabilities you already have. As all focus goes to the mess at hand, whatever was sitting at the side of the security desk falls entirely off it, creating a significant opening for malicious criminals and the potential for layering disaster upon disaster. And typically, because our focus has shifted, we don’t even recognize how vulnerable we’ve made ourselves, which further elevates risk.
THE TAKEAWAY: Security assumptions are a slippery slope—we need another set of eyes. Many organizations learned the hard way through the pandemic that cyber hygiene, which has always been a good idea, is actually critical to best prepare for enterprise impact when disaster strikes. Maintaining “healthy” security includes a long list of proactive defenses (think antivirus software, firewalls, strong passwords, MFA, device encryption, backing up, software updates and patches, securing your router, etc.).
And yet it’s just a hard fact that we’re all unwittingly blind to our own gaps and vulnerabilities. That’s where another set of eyes is key. A trusted and rigorous third-party assessment by seasoned security experts will challenge your risk assumptions and provide a true picture of your security posture. Furthermore, in between such audits, taking advantage of year-round scanning that alerts you promptly to emerging threats in your environment will help you minimize negative impact and allow you to safely shift focus should a crisis arise.
LESSON #3: Everyone means well, but…
Even on a good day in pre-pandemic “normal”, adherence to IT security best practices ultimately fell to well-intended, but imperfect beings: humans. Layer on top a crisis, like COVID-19, and the chaos was on. Hackers capitalized on the frenzy, using everyday emails and social engineering to target stressed and distracted personnel at all levels to gain sensitive information and bypass restricted access.
THE TAKEAWAY: Security has to be intentionally habituated enterprise-wide. Any day of the year, your employees are your #1 defense—and also your #1 vulnerability. If you’ve engineered employee security consciousness solidly during regular operations, your human firewall has a far better chance of holding up in crisis conditions.
In addition to awareness training and mechanisms for employees to report suspicious communications or activity, put your team through a real-world test. Expose employees to customized social engineering—not just generic phishing emails, but tailored phone, email, and in-person simulated attacks that mirror how a hacker would target your particular organization. It’s better for employees to improve their defensive habits this way than to inadvertently become the weak link in a breach, or one domino in a chain of failures, come crisis time.
LESSON #4: Oh, that perimeter—where DOES it end?
Companies were unprepared for the mad dash to remote work during the pandemic, when security protocols went pretty much out the window for a while. The subsequent intermingling of personal devices across home networks and the IoT deeply complicated a work environment with now seemingly countless endpoints. The result? Sudden, large-scale, non-secured remote work blew wide open the security “perimeter”—and with it, the potential attack surface for criminals.
THE TAKEAWAY: The concept of “perimeter” is shifting with the attack surface. Remote work isn’t going anywhere. Many organizations are moving to blended work models, and some are staying fully remote. So however you think of your “perimeter” going forward, whether as the physical building or as the broader geographic and virtual dispersion of devices and assets, there are steps you can take now to elevate security.
Be sure remote workers have secure access to your VPN, and that policy clearly dictates what devices, work-issued and/or personal, they are permitted to use and for what. In turn, your IT team needs the means to ensure access for legitimate users only on acceptable devices, to monitor activity for unauthorized personnel or conduct, to enforce software updates, and to implement ongoing security improvements as threats emerge. And it’s highly recommended to do a Remote Worker Risk Assessment to address that which you can’t walk down the hall and validate for yourself.
Also consider your supply chain. As the SolarWinds crisis taught us, you cannot assume your partners are up to snuff in their cyber-defense. So request proof of their compliance, annual audits, and liability protections—because their issues can quickly become yours.
Lighting The Way To Post-Pandemic Security
Periods of darkness tend to yield, in time, to light. And it’s in that newly illuminated space that we can begin to grasp what happened, weigh where we might have responded differently, and strategize how we’ll be better prepared the next time.
With a thorough IT Security Assessment, HIPAA Risk Assessment, or IT General Controls Audit, your organization can clearly see areas of non-compliance and vulnerability, and more importantly receive expert, custom solutions to quickly elevate your security posture.