ISA Board of Directors Offers Cybersecurity Best Practices for COVID-19 Crisis

April 2, 2020

The outbreak of coronavirus globally has created a new reality vastly increasing how much business is done online: While this new virtual reality is essential to sustaining business during the pandemic, it is critical that corporate boards are also aware of the increased cybersecurity threat from this intensified, and often unplanned, utilization of technology.

As the virus crisis extends through the spring and into the fall, boards will increasingly be called upon to coordinate with management not only on how they are maintaining business operations but how they are doing so in a secure fashion. This blog will highlight initial best practices for addressing key cyber risks in the following areas:

  • Employee Practices
  • Risk Management and Assessment
  • Managing Software and Services
  • Strategy and Incident Response Plans

Already Tuesday, the FBI issued a warning that threat actors are seeking to profit from a sudden growth in teleworking, increased use of virtual education systems for online classes a surge in online shopping, public appetite for information related to the pandemic and the criticality of maintaining functioning critical infrastructure.”

The National Association of Corporate Directors-Internet Security Alliance Cyber-Risk Oversight 2020 Handbook (available free of charge here) noted that any technology innovations and transformations that enhance profitability can also undermine security. Successful cybersecurity cannot simply be “bolted on” at the end of business processes. It needs to be woven into an organization’s key systems, processes, and culture from end to end – and when done successfully, it can help build competitive advantage.

Now, however, programs that would typically be carefully planned and tested prior to implementation are being rolled out across entire enterprise systems in what some are calling the fastest and most disruptive shift in working conditions in history.

Prior to the pandemic, most businesses were hesitant to allow widespread telework policies for their employees due to a variety of concerns including technological risk and lost productivity. According to a new Brookings Institution study, less than 25 percent of the U.S. workforce worked some hours from home on an average day prior to the pandemic.

However, the coronavirus threat and the need for “social distancing” has tipped the scales in business decision making toward allowing widespread telework across the board to maintain productivity and profitability through the pandemic.

Even under normal circumstances, boards must strike the appropriate balance between protecting the security of the organization and mitigating downside losses while maximizing profitability, productivity, and growth through digital transformation. Now this transformation is being accelerated at light speed and boards need to be sure they are providing the oversight and vision for their management teams who are operating under unprecedented pressure.

Now is a time when boards who have followed the advice in the NACD-ISA handbooks to have a best practice continuity plan – and have practiced it – will see the benefit of this sort of strategic planning. Indeed, Gartner is reporting that most firms with such a plan are at least initially faring well in the crisis. For organizations who don’t have such a plan in place or wish to assure the one thy have is adequate, the NACD-ISA Cyber-Risk Oversight 2020 Handbook provides a clear four-page guide for incident response.

In particular, two of the traditionally most difficult cybersecurity issues – insiders and supply chain/third-party vendor management – come under increasing pressure as enterprises quickly and massively shift to a dominant online operation. Once again, the NACD-ISA handbook summarizes the questions boards should be considering asking of their management teams in 2-4 clear pages.

In terms of short-term management of the quick shift to online business, a quick survey of the CISO’s on the Internet Security Alliance Board of Directors came up with the following list of strategies and tactics to smooth the transition necessitated by the national emergency. Many companies are adopting some or all of the following tactics:

Employee Policies

  • Allow employees to take their laptops home – but ensuring proper security tech stack is loaded
  • Ensure that the workforce understands the code of conduct and security policies for working from home
  • Heighten communication and awareness for employees including enhanced technical support as needed and providing best practices to deal with added stress
  • Strictly enforce policy exceptions for possible requirements like printing from home (and monitoring that activity)
  • Monitor for “shadow IT” (i.e., unmonitored and unmanaged software and assets without corporate information security and privacy protocols) by users who are unhappy or unfamiliar with approved telework solutions and install their own setup

Risk Monitoring and Assessment

  • Enabling new solutions for areas where traffic patterns are impacting our current conferencing solutions
  • Deploying enhanced monitoring of network identify contractors phishing and network scanning events.
  • Build additional analytics and updated detection and response playbooks
  • Catalog all new risk issues for post-COVID-19 analysis and action.
  • Expect an uptick in fraud, fake health advisories (supposedly from the CDC, WHO, and doctors), extortion threats, tax scams, small business fraud, fake businesses, and targeted attacks against cloud services such as Zoom
  • Understand if and whether there are new targeted threats or social engineering attempts exist within your ecosystem and how their exposure landscape might have shifted due to a remote workforce or greater dependency on third-party/supply chain/outsourced service providers

Managing Software and Services

  • Enhance VPN and data center support including expedited delivery often for all remote workers
  • Carefully use telework tools like Zoom (both from a security and compliance perspective) and stay cautious of Zoom rooms being targeted with adversaries breaking into chat sessions and sending malware links

Strategy and Incident Response Planning

  • Consider compensating controls for working from home in cultures where that is not typical and possible impact on overall infrastructure failures due to weaknesses there
  • Consider how a systemic event could cause direct or indirect impact (e.g., impact on remote workers if Internet service providers went down in the Northeast for 12 hours)