It has been an odd few weeks for businesses across the country. Working from home is now the new norm. Organizations that had already embraced a remote workforce transitioned smoothly, while more traditional offices struggled to buy laptops, upgrade their networks, and train their employees on new applications.
Safe and Productive
Now that your employees are safe and productive, it’s a good time to reflect on (and document) what’s different. To some degree, everything that has changed introduces some level of risk to your organization. In this article, we are going to focus on the information security risks—and the people that can help you strengthen your security posture.
Policies and Plans
It’s pretty safe to say that prior to a few weeks ago, many small and midsize companies didn’t have a “Pandemic Plan.” Organizations that worried about resiliency felt their Business Continuity and Disaster Recovery Plan was sufficient. For everyone else, it sometimes takes experiencing a catastrophe to get the resources allocated to build these plans and policies. It would be interesting to see how many organizations wrote their Remote Access, Work from Home, and Bring Your Own Device policies in the last few weeks.
An Incident Response (IR) Plan is another essential plan that has varying degrees of executive support and investment. Before the COVID-19 pandemic, a cybersecurity breach was one of the most anticipated events with the potential to devastate a business’s operations, data, and reputation. However, only 23% of enterprises have an Incident Response Plan, according to IBM. They also noted that 54% of these organizations failed to test it.
If your organization is struggling to put “pen to paper” to document these plans, or needs an expert to review (or test) what you wrote in the last few weeks, this is a great project to outsource to an information security consultant.
In the flurry of equipment purchases, application installations, and new account creations over the last few weeks, there is a very good chance that not every “t” was crossed and every “i” dotted when it comes to information security. A typical hacker needs just one vulnerability to enter your network unnoticed.
The “open door” could be a previously infected home computer now accessing a corporate network, a newly installed application missing a required update, or something as simple as a user needing credentials for a new application and reusing a username and password that were previously compromised.
No matter the case, now is probably a good time to consider running a vulnerability assessment, risk assessment, or penetration test. An information security consultant can help you determine which assessment is best based on your risk profile, recent changes, and budget.
When a problem is identified, most organizations will rush out to buy something known to fix it. However, there may be more to it than that—especially if you are using a risk-based process to manage your security investments. For every risk in your environment, there should be a process to measure it against other known risks using a standard set of criteria. Risks that exceed the organization’s threshold of acceptable risk will require treatment. These treatments can include mitigation, avoidance, transfer, and acceptance. Having a consistent process for managing your risk will make sure that your resources are focused on fixing the most critical issues first.
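As an added example (not from the article), the following Python sketch applies the risk process just described: one standard set of scoring criteria, a threshold of acceptable risk, and a treatment recorded for every risk that exceeds it, so the most critical issues surface first. The scores, the threshold and the register entries are constructed for illustration.

```python
"""Added example: a minimal risk-based triage following the process the
article describes. Scores, threshold and register entries are constructed."""
from dataclasses import dataclass
from typing import List

# Standard criteria: likelihood and impact are each rated 1 (low) to 5 (high).
ACCEPTABLE_RISK = 8  # constructed threshold; any score above it requires treatment
TREATMENTS = {"mitigate", "avoid", "transfer", "accept"}  # the four options named above


@dataclass
class Risk:
    name: str
    likelihood: int  # 1-5
    impact: int      # 1-5
    treatment: str = "accept"  # default until a decision is recorded

    @property
    def score(self) -> int:
        # Same formula for every risk, so entries are comparable with each other.
        return self.likelihood * self.impact


def needs_treatment(risk: Risk, threshold: int = ACCEPTABLE_RISK) -> bool:
    """A risk above the organization's acceptable-risk threshold must be treated."""
    return risk.score > threshold


def prioritize(register: List[Risk], threshold: int = ACCEPTABLE_RISK) -> List[Risk]:
    """Return only the risks that require treatment, most critical first."""
    return sorted((r for r in register if needs_treatment(r, threshold)),
                  key=lambda r: r.score, reverse=True)


def assign_treatment(risk: Risk, treatment: str) -> Risk:
    """Record the chosen treatment; anything outside the four options is rejected."""
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment: {treatment}")
    risk.treatment = treatment
    return risk


# Constructed register drawn from the "open door" examples in the article.
REGISTER = [
    Risk("Previously infected home PC joining the corporate VPN", 4, 5),
    Risk("Newly installed application missing a required update", 3, 4),
    Risk("Reused, previously compromised password on a new application", 4, 3),
    Risk("Home office printer reachable only on the user's LAN", 2, 2),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score:2d}  {r.name}")
```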
There are some basic security tools such as antivirus software, virtual private networks, and firewalls that most IT people can install and manage. Then there are security controls like policies and more advanced tools that require specific cybersecurity training and experience. While most organizations have IT people to install, configure, and troubleshoot their technology, not all have dedicated information security professionals. For organizations without internal resources, managed security service providers and information security consultants are great alternatives.
Security events are happening on your network all the time. Without advanced cybersecurity tools, threat intelligence, and trained security operations people, persistent threats can go unnoticed for months. Using a security information and event management (SIEM) platform helps a security operations team centralize the logs from all your security controls, correlate the events to find patterns, and research the patterns to identify anomalies that may be active threats. If a data breach occurs, your Incident Response plan will help you manage the remediation process.
Most security controls align with one or more functions (identify, protect, detect, respond, and recover) of the NIST Cybersecurity Framework.
When properly trained to recognize security threats, phishing attacks, and other suspicious activities, your users can play an active role in your cyber defense. Security Awareness Training helps users understand the attacker’s motives, techniques, tactics, and procedures. With a security awareness platform, you can disseminate new corporate policies, quickly train the users, and track employee acknowledgments for compliance. Phishing tests implemented both before and after a security awareness course will help you determine if the training is working.
Continuous improvement is an integral part of any information security program. Taking time to jot down what you learned and how you may handle it differently in the future helps develop your program’s maturity. Tracking your security program’s controls, policies, procedures, tasks, owners, and metrics in a cloud-based portal is a great way to stay organized, collaborate with the team, and produce reports on key metrics. Here are some other ideas that you can consider as you develop your new Work From Home security procedures. Be sure to run all process modifications through your established risk management and change management processes.
- Increase your Virtual Private Network (VPN) management, visibility, and activity tracking
- Increase monitoring of video surveillance feeds from within facilities to prevent incidents
- Review Physical Security automation rules to make sure they are still appropriate
- Review/Write Telecommuting Policies to outline the user responsibilities and ensure compliance
- Consider running corporate EDR software on BYOD systems for improved security, control, and standardization
Depending on the size of your organization, your client requirements, and your leadership team’s risk profile, you may need some help improving your security posture. Here is a quick summary of some available resources and how they differ.
Managed Service Provider (MSP)
Many small and midsize organizations rely on outsourcing their IT functions to local and trusted managed service providers. These companies do a great job of implementing, monitoring, and supporting your technology requirements. MSPs will usually talk about the capabilities and service-level agreement delivered by their Network Operations Center (NOC). They also typically offer some essential security services like antivirus, backup and recovery, system patching, virtual private networking (VPN), firewalls, email encryption, and multi-factor authentication. These basic security services will reduce your risk and protect your organization from known cybersecurity threats. However, most traditional MSPs don’t have certified information security experts (CISSPs) on staff. As MSP organizations have grown and matured, many have started to offer additional cybersecurity services to their clients, which is convenient but may introduce a checks-and-balances dilemma. Information security teams play the role of an “auditor” and for that reason aren’t typically from the same organization managing your IT operations.
Managed Security Service Provider (MSSP)
Smaller organizations without a Chief Information Security Officer (CISO) may not know that managed security service providers exist. MSSPs are very specialized organizations. They focus their efforts solely on information security controls, procedures, monitoring, and oversight. MSSPs will usually discuss the capabilities and service-level agreement delivered by their Security Operations Center (SOC). The services they offer are very different from those provided by an MSP. An MSSP manages and monitors specialized information security and cybersecurity tools. When one of their systems triggers an alert, the security analyst will triage the event, correlate it against known threats, determine if the risk is legitimate, and research whether it is an isolated event or part of a more significant security incident. The services they provide to a small or midsize client may rely on a combination of the following technologies:
- Endpoint Detection and Response (EDR)
- Intrusion Detection Systems (IDS)
- Business Email Compromise (BEC) / Phishing
- Vulnerability Management
- Threat Intelligence
- Security Information and Event Management (SIEM)
Information Security Consultant / Virtual Chief Information Security Officer (vCISO)
For organizations with fewer than five hundred employees, the Chief Information Security Officer role is often played by a consultant on a “virtual” basis. Information Security Consultants help organizations with strategic initiatives, governance, compliance, and risk management. Some important tactical responsibilities may include policy creation, change control management, vendor risk management, user awareness training, and managing the remediation of security incidents. As the vCISO, the consultant will also work closely with the executive team to prepare for quarterly and annual Management Reviews and presentations to the Board of Directors. Typical services include:
- Security Program Administration
- Assessments (Risk, Vulnerability, Penetration Tests, etc.)
- Change Control Management
- Information Security Compliance (PCI, HIPAA, ISO 27001, etc.)
- Incident Response (Forensic Analysis, Threat Hunting, etc.)
- Executive Advisory Services
We understand that the economic challenges of the last few weeks have drastically limited the budgets of every company—big and small. But, cybercriminals see this time of confusion as an opportunity. So while you need to be prudent with your spending, you also need to remain vigilant. Small cybersecurity efforts can pay significant dividends.
Start by enhancing your employee security awareness, documenting and communicating your security policies, and reviewing your existing procedures to verify they are still applicable. As we exit Q3, refer back to this article and see if it makes sense to take that next step towards improving your security posture and minimizing your security risk.
If you have any questions, need assistance, or would like an assessment, you can reach us at firstname.lastname@example.org. Our next post in this newsletter will be in June. Until then, be safe and secure.