Key industry group urges federal officials to quickly share risk-management best practices with businesses

April 27, 2020

The massive shift to work-at-home amid the COVID-19 crisis is leading to insecure work-arounds that emphasize functionality over security, while managers in many businesses lack training suitable to the current risk environment, according to the Internet Security Alliance in comments filed with the Department of Homeland Security.

“Due to the near-immediate switch to unplanned online business, most managers have no idea how to run their operations using remote workforce and online tools in a secure fashion,” the ISA said in a submission to DHS. “The federal government needs to provide immediate managerial best practices on a ubiquitous basis to contain the cyber risk from growing exponentially.”

DHS issued a request for input from the private sector on priorities – including on cybersecurity – for the next 30-, 60- and 90-day intervals. The Cybersecurity and Infrastructure Security Agency since mid-March has issued guidance – updated twice – on essential workers as states and localities implement stay-at-home orders. It has also been sharing risk-management tools.

Under the 30-day timeframe, ISA noted that “Currently infrastructure is unable to scale to a full pandemic event, forcing people to seek alternatives away from corporate standards and security by using services such as Zoom and Google Docs for sharing, which may not have the enterprise-ready security controls present. … As the crisis wears on, the economic pressure to elevate functionality and efficiency over security will grow. Moreover, organizations that historically rely on ‘perimeter-based’ security models are left even more exposed to malicious actors when the workforce adopts a fully distributed telemetry for working practices.”

According to ISA, “The private sector could be greatly supported by government-developed tools to help organizations get a better picture of their network exposure and supply chain risk. Government can support such moves either directly or through alignments with the private sector. Systems and tools initially designed for military operations, which assume mobile operations that need to be secured, may need to be aggressively ‘lent’ or transitioned to the private sector. The government should facilitate the adoption of multifactor authentication, as it is the single most important control for all critical business systems such as e-mail, databases, OT/ICS systems, VPNs/remote access points, etc.”

Looking to the challenge facing corporate managers, ISA pointed to “toolkits” released at the recent RSA conference by ISA, the National Association of Corporate Directors, and Department of Justice and said “DHS needs to get these basic tools out to all corporate managers.”

Also within the 30-day timeframe, ISA called on the DHS cyber agency to help develop “a more aggressive approach to information sharing.”

“CISA should lead the effort to break through the barriers in the USG bureaucracy that prevent timely information sharing by leveraging the crisis … which can then hopefully become the new normal for higher-quality information sharing even after this is all behind us,” ISA said.

The filing also suggested specific steps aimed at the healthcare supply chain in the first 30 days.

Within 60 days, ISA called for tying future stimulus funding to security among other steps, and within 90 days “develop a response plan with an emphasis to improve vulnerabilities and allow for greater redundancy that is difficult under current regulation or capitalism. The federal government should commission a study that accesses modern economic analytic methodologies and existing data, such as in the insurance industry, to model systemic risk. This analysis will need to be sector by sector, and given current environment, the health care sector would be a likely place to start.”

The Internet Security Alliance is a thought leader on cyber issues and its “sponsors represent some of the largest companies in the world. They’re primarily chief information security officers of Fortune 100 firms, executives whose day job is on the front lines of cybersecurity. Their insight and vision underpin everything the ISA does,” according to the ISA website.