Cybersecurity Lessons From Coronavirus

Coronavirus & Cybersecurity
I’m sure you’re probably either deathly afraid of the Coronavirus disease (COVID-19) or think that it is the biggest over-inflated media hype since the Swine Flu. Regardless of your instinct on the severity of COVID-19, we can all agree that the virus is something to be taken seriously. What is of particular interest to me, as the President & CEO of The Penn Group, is how seriously our leadership has taken the threat of a large pandemic. Largely unprecedented, the wide-scale quarantine of individuals, coupled with restrictions on travel, commerce, and gatherings, is truly something out of a Hollywood film. The controls our leaders have put in place are designed to keep us safe. An incredible step, given the consequences to the economic stability of the world. Yet, the unbelievable parallels between controlling a pandemic and keeping your organization secure continue to connect dots within my mind. The tradeoff between security and convenience. The continuity of operations with travel restrictions. The control of a rapidly spreading virus. Let’s dive in.
Convenience / Security
When securing your organization, one of the biggest things that must be considered is the tradeoff between convenience and security. The better the security of your systems, usually the less convenient it is for the users. This loss in convenience usually harms productivity, frustrates users, and undermines the reputation of security teams. Security experts have long fought battles with executives to help them understand that, without proper measures, the organization would be at risk. Sound familiar? The same can be said about the coronavirus outbreak. Our leaders have insisted that the cancelation of sporting events, large gatherings, etc. are necessary steps to avoid further losses. The problem is, without adequate information, the assumption is that there has been an overreaction to nothing. To take such a dramatic step, there must be merit to these controls. This is the critical security lesson. The communication of the why, especially when enacting unpopular security controls, is a critical step in ensuring your controls gain traction with stakeholders.
One of the more interesting and sensationalized aspects of this outbreak has been the violators of quarantines that have been put into place. Across the world, stories have cropped up of infected individuals intentionally violating the rules for reasons that may never be fully known. When one person violates the rules, everyone is put at risk of being infected. In information security, all it takes is just one person to click one wrong thing. The whole network would then be infected. You might point out that no one has died from a cyber-attack. The answer to that is: yet. Not all cybercriminals are created equal. Advanced Persistent Threats (APTs) are state-funded hacking groups that seek to invade the most sensitive aspects of computing. Nuclear power plants, weapons, and critical systems such as utilities are controlled by aging computers. The security of these systems is paramount. We’ve already seen the CIA utilize hacking to undermine Iran’s nuclear program. The ultimate tradeoff between convenience and security, health and safety, and practicality and reliability will continue to dominate the minds of security experts and health experts alike.
Business Continuity/Disaster Recovery
Disaster recovery plans are one of the last things on the minds of business executives, especially in the midst of economic instability. Usually only required after a natural disaster or major cyberattack, the business continuity/disaster recovery plan has been cracked open by many large organizations. With the looming shutdown of travel, business, and schools, organizations are scrambling to take appropriate steps to keep business moving. The business continuity plan focuses on the security goal of Availability. Keeping information and systems available to stakeholders during periods of crisis can put enormous pressure on the organization if proper steps have not been implemented beforehand. While the Coronavirus disease (COVID-19) is a real challenge facing our world today, more and more events like this will happen in the future. Preparing your organization to stay “online” is imperative.
Practically speaking, several steps should be taken to make sure your organization is ready for the impending shutdown:
1) Implement a VPN solution with strong encryption to allow for offsite access to your organization’s systems. This method will allow your users to continue work, without the risk of transmitting or spreading the virus. A few things to keep in mind about VPN implementation:
- If your users use organization-owned property, ensure that you have an information security policy to protect the information housed on the devices leaving your premises.
- Implement a remote wipe feature, in the event of a remote termination. This should be coupled with a process to ensure your organization’s property can be returned during a specified amount of time.
- If a user is using their personal device, but with VPN access, special measures should be implemented to ensure the user’s personal and work information remain segregated.
2) Ensure your data protection policies and procedures are updated to handle remote work. The classification and protection of your data is a paramount priority for your organization.
- Implement data protection policies and ensure your organization’s employees and contractors agree to these policies prior to remote work.
- Implement a remote wipe feature, in the event of a remote termination. This should be coupled with a process to ensure your organization’s property can be returned during a specified amount of time.
- Establish a clear and secure communication pipeline to ensure all employees/stakeholders receive information in a timely fashion.
The Penn Group offers these services.
The Rapid Spread / Controlled
Coronavirus disease (COVID-19) is spreading like a worm. A computer worm is a type of malware that spreads copies of itself from computer to computer. A worm can replicate itself without any human interaction, and it does not need to attach itself to a software program in order to cause damage. Wormable malware is one of the worst nightmares for information security professionals.
Stopping wormable malware without proper security controls implemented can be a near-impossible task. Often, understaffed IT professionals are forced to unplug the entire system, stopping work entirely. In these situations, with drastic measures taking place, it can be difficult to clearly communicate to the general populace within the organization and at large about the consequences of maintaining the status quo. A certain element of trust must be introduced, with the understanding that the leaders of the organization have the best interests at heart. This is exactly what is going on with the coronavirus, and a lesson for all of us in crisis communications. No one would be pleased to come into work, after a frustrating 45-minute commute, only to find that they cannot work because the security team unplugged all of the computers. No executive would be happy to find out that the company would be losing millions per hour in lost productivity as a result of a security issue. No one is happy that sporting events are getting canceled, schools are closing left and right, and a general calm panic is ensuing within the leadership of the world. The point is, we do not all know the real dangers of this outbreak, so we assume that politics are at hand.
Conclusions are drawn in the absence of clarity.
When communicating about a major security issue, take careful note to explain the why, not just the what. These steps are more than necessary to ensure the safety and security of our world. It all returns to the tradeoff between convenience and security, only this time lives are at stake.