Lessons Learned (so far): COVID-19
The past few months have been fraught with challenges for American organizations. We’ve seen governments react to the COVID-19 threat by closing non-critical businesses and mandating social distancing measures, forcing organizations to adapt. Those wishing to continue their operations have had to deal with challenges arising from the rapid shift to remote work and the increasing number of phishing attempts. As cybersecurity professionals, we’ve been tested throughout this series of events. While things may have been bumpy at times, there are important lessons to be learned and carried forward to strengthen the security posture of the organizations we protect.
1. Don’t overlook dependencies on people
It’s easy to take for granted the ability of personnel to work onsite, especially in areas with a low likelihood of natural disasters. Consequently, many organizations were unprepared for the rapid shift to remote work in terms of their policy, processes, equipment, and infrastructure. Not only should we consider personnel redundancy—we don’t want operations to come to a halt if a single person is out sick or on vacation—but we must also identify the mission/business functions that would be affected by an onsite disruption and find ways to ensure continuity of operations. This might mean, for example, digitizing files, implementing teleconferencing software, or configuring remote desktop access via a secure VPN connection. If there’s one thing we’ve learned thus far in 2020, it’s that employees won’t always be available to work onsite, and we need to plan for that.
2. Business continuity planning and “the next-best thing” mentality
The second lesson is the importance of maintaining a comprehensive, current, and battle-tested business continuity plan (BCP). The BCP plays a crucial role in an organization’s security and risk management program. At the risk of sounding dramatic, a well-designed BCP can be the difference between floating and sinking in rough seas. Of course, it’s worth noting that it’s impossible to plan for everything, and as far as I’m concerned, organizations that didn’t have a pandemic-specific contingency plan shouldn’t catch too much flak. However, one doesn’t necessarily need a pandemic contingency plan to maintain continuity of operations through times such as these. For example, a disaster plan designed to address the onsite facility being unavailable (e.g., fire, flood, structural failure) could be adapted and/or used with relative ease because it largely addresses the same issues as would a pandemic contingency plan. We won’t always have a perfect response to challenging situations in which we find ourselves, but we can always commit to doing the next best thing.
3. Security awareness training remains one of the best defenses against the phishing onslaught
According to the 2020 Data Breach Investigations Report, phishing remains the top attack vector used in network intrusions. Not surprisingly, email is used in 96% of phishing attempts and is the most common delivery method for malware. It should come as no surprise that threat actors have increased their activity level during these turbulent times. Bolster stated in their most recent report that phishing attempts increased by 30% in Q1 2020, leaving organizations and their stakeholders more exposed than ever. The fear, uncertainty, and doubt surrounding COVID-19 are being exploited to steal credentials, spread malware, and compromise organizational networks. Now more than ever is the time to preach vigilance to remote personnel and double down on security awareness training efforts.
In our experience, adversity can be a powerful tool if we’re willing and able to use it properly. Very few people could have confidently predicted how the COVID-19 situation would unfold, but that’s not to say that preparations could not have been made. Relying on the fundamental concepts of continuity of operations and using them to assess the mission/business functions can go a long way in ensuring that your organization is equipped to handle situations such as the one we’ve experienced in the first half of 2020.