Summertime, and the living is, once again, easy—sort of. Just a few summers ago these were the days of occasional remote work, long weekends, holidays, vacations, and for some companies, shortened “summer hours”. As our work routines have made the separation of office, work, and personal time a fluid continuum, our risk perimeter and footprint have become increasingly complex, and flexible. The constraints of COVID-19 isolation throughout most of 2020 and into 2021 masked some of the vectors and prevented some of the situations we all commonly attended to in prior years. When you are predominantly home, so are all your mobile devices. And episodic journeys for food or other supplies rarely required hoisting an assembly of mobile devices along for the journey—a mobile phone, smart watch, or maybe a tablet, at most.
Now, we are “out” again—sort of. Working remotely at coffee shops, on beaches, travelling through airports, on cruises, aloft in airplanes, sleeping in hotels, meeting in restaurants and cafes. And, since much of our knowledge worker staff were part of that “work from home” crowd of the past year’s sequester, we are out and about with all our portable tech, connecting via public WIFI, and perhaps out of practice at paying rigorous attention to the rules, policies, and best practices so many of our firms worked to instill in the hearts and minds of those of us who can be remote. This presents a rich opportunity for malicious actors who see a population whose guard may be temporarily down, who may behave in ways that open doors to all sorts of vulnerabilities. These could include ransomware, hacks and breaches of all sorts, stolen devices containing sensitive or proprietary data, malware injections, phishing attacks, and more.
A Proactive Approach
There are four (4) actions to take at a minimum to address these concerns.
- Revisit your related policies
- Republish key policies, re-educate your workforce and promote best practices for remote working
- Review and reassess your controls and monitoring methods
- Monitor your third party partners, vendors, and suppliers
Let’s look a bit more in detail at each, and see how your best practices for managing cyber risk can be applied to this somewhat unique moment in time not anticipated by anyone in the recent past.
Revisit your related policies
You may have completed a cycle of review at the beginning of the 2020 pandemic. Still, that was with consideration to a substantially remote-in-place workforce. The attention then was to remote device management, WIFI connectivity, access controls, phishing, and perhaps data management practices. In addition, now the best practices for handling those devices in travel situations, use of flash storage devices, physical security when working in public areas, and best practices for storing devices in vehicles or hotels while on the road become concerns again. Small, portable storage devices such as flash drives have become convenient, and somewhat ubiquitous parts of everyday mobile computing. Do you have policies and monitoring practices to manage the use of only authorized devices, ones that are encrypted and only applied to machines under your mobile device management control? Is business use of personal computing devices permitted by policy? What other provisions for remote, but relatively isolated and stationary working were made during the height of the pandemic? Were they temporary or permanent policy adjustments? What exposure does the return to mobility create while these policy and practice adjustments remain in force?
Republish, Re-educate, and Promote
There’s never a bad time to remind everyone of important policy provisions—particularly during periods of frequent, substantial change. Those are times when confusion is at its peak, and clarity is particularly valuable. Use this opportunity to refresh awareness of policies that seemed irrelevant during the constraints of living and working under a pandemic’s restricted mobility. People’s attention may have contracted substantially during that period, and security practices, provisions, and cautions unexercised may have become weak over the past year.
This is an excellent opportunity to offer a fresh round of end user training to remind staff of basic policies and practices, care for mobile devices while traveling, rules for remote data handling, and so forth. It’s also a good idea to test how well people respond to potential phishing and social engineering scenarios. The feedback and test results of these efforts can be factored into your overall cyber risk and security assessments, comparing current results with past cycles to identify weaknesses and prepare to address/reinforce vulnerable behavior.
Internal promotion of security and cyber best practices, and warnings about phishing and malicious social engineering efforts, aren’t often recognized as effective cyber risk strategies. But well-crafted, short, focused and direct messages can be effective educational tools that support learning. Such messaging, whether delivered by email, through wall posters, or in short videos posted online, can effectively sharpen staff attention to security practices and skills that may have been overlooked in the past year.
Review, Reassess Controls And Monitoring Methods
While looking at your policies, also examine the effectiveness of your controls. Are you following a framework such as NIST Cyber Security, COBIT, or HITECH, to name a few? If so, are there new controls or revisions to the framework you follow that require incorporation into your risk program? Some frameworks issue guidance on how to handle certain controls. Examine these frameworks to identify controls most likely to have been attended to in a lax manner or seemed less important in the last year. Look at the data from your most recent controls assessment. Were there controls that were frequently left aside, replaced by ad-hoc compensating practices, or frankly ignored? If there are some that many areas reported as unpracticed, you might want to look at their appropriateness to your business processes.
Do your monitoring processes and tools give you the coverage and real-time alertness you need to identify and respond to threats as soon as they are detected? How have you adjusted your monitoring devices and alert filters to detect and identify low frequency anomalies? Have you deployed procedures and tools to support remote users’ access to your network via VPN services? Are these appropriately sized to service growing demand? How are you monitoring confidential information flows? Have you deployed a data loss prevention (DLP) solution? And, how are you monitoring the activity and access of your third parties—not just the “vendors”, but the professional service providers, logistics services, and others that merit consideration? In some regards, the remote working environment has also evolved since the pandemic began. Services such as Amazon’s Sidewalk are now present, further blurring the determination of connection points and the boundaries extended by staff working at home. The continued proliferation of IoT devices has created new vulnerabilities and opportunities for malicious actor entry to your world. Such dynamic change cannot be ignored.
Monitor Your Third Party Partners, Vendors, And Suppliers
When people mention third parties, they often presume vendors. While that’s true, it’s an incomplete description of the category. Do you include your service providers, from building maintenance, gardening, HVAC, and general repair in this category? How about delivery services where you have some online interaction? Do some of the services, including professional services, rely upon sub-contractors to fulfill commitments to you (of particular importance if you are subject to HIPAA or HITECH compliance)? Virtually any service that provides electronic invoicing, or provision of services that includes communication through electronic means, even if there is no authenticated access to your network, or exchange of data, should be subject to some measure of care and monitoring to effectively protect your own business. As the world begins to reopen, vigilance over travel, transportation, and hospitality services that were all but eliminated from necessary consideration must now be restored. The category of third party is far larger than material or service providers alone.
Knowing Where You Stand
So, how do you know where you are with regard to all that’s noted above? It can seem like a lot to track, to monitor, to review, and to analyze. And, it’s why for the growing or well established concern, the acquisition and deployment of a GRC platform becomes an asset rather than an expense. A quality platform can offer the means to function as an information “manifold” to serve as an authoritative point of reference for information, status, and planning for all your risk activities, while relating and leveraging other processes whose information products inform your risk management, whether it be focused upon cyber, financial, third-party, IT, operational, or more. Most importantly, a quality GRC automates routine tasks, reduces the labor footprint needed to manage and coordinate all the activities necessary to manage company risk, while keeping executive leadership informed of current issues, vulnerabilities and opportunities so resources can most effectively be made available. It can also extend these benefits to related practices, such as Audit, and Compliance, further increasing the value/expense benefits provided. Such a platform supports the reuse and leveraging of data gathered through one process area, such as Audit, in areas such as Compliance or Risk. This capability represents an expression of value that exceeds any base monetized calculations of operating savings. It represents real efficiency offering more timely access to reliable information. As the world grows more complex, and the pace of change increases, quicker access to reliable information will become an increasingly valuable strategic and operating advantage to your business and the clients and customers you serve.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.