Working within dispersed teams is often part and parcel of a CISO’s job. In fact, before COVID-19, 7% of Americans were working remotely either part or full-time, according to the 2019 National Compensation Survey from the Bureau of Labor Statistics. But in the wake of social distancing, almost all organizations are operating 100% remotely.
Other members of the C-Suite might elevate the importance of productivity with remote teams. But as security executives, we should approach the issue from a cybersecurity angle. This is not the time to take our eyes off security in trade-off for expediency.
By Martin Littmann, CTO, CISO, Kelsey-Seybold Clinic and Steve Moore, Chief Security Strategist, Exabeam
For IT professionals in industries not well-versed in remote work, this notion is especially true. The sudden shift to remote work across entire organizations has highlighted faultlines in some professions, with industries like health care, education and service/production feeling the pressure. CISOs within these industries are called to expand on already successful security strategies with their teams — who are often already dispersed to some extent — in a potentially unexpected way.
These CISOs are pressed to weigh operational efficiency with security, forced to manage risks while maintaining “normalcy,” and ease up on employee end users in order to allow for more productivity across the company. They also might be having conversations with the COO/CIO or even the CEO about which processes impact operational efficiency the most. But this is actually the time to be just as strict, if not stricter, with end users and policies than before.
A Virtual Workforce Changes Everything
This remote work scenario means several things for security teams — from shifting the way they handle day-to-day remote access to narrowing in on potential insider threats — CISOs and their teams have to stand their ground by advancing wise business and security decisions before convenience.
Insider Threats
Some organizations have discovered their own stress test of their remote access systems, both virtual and even more traditional like VPN. While they’re licensed appropriately, they’ve figured out that their hardware can’t keep up, so they have the provision outside of the VPN and direct access to certain systems in the cloud. This is where employees may circumvent existing security procedures in order to access something they need.
When employees are operating under the notion that their activity on company networks is flying under the radar, organizations can run into the issue of insider threats, in both proactive and passive scenarios. Employees may be deviously searching and accessing privileged information, or they can be letting down safeguards involuntarily, which can lead them to fall for phishing scams on company devices. Both types of insider threats are dangerous and will experience spikes during the months of mandated social distancing.
To use health care as an example, COVID-19 heightened interest in things such as testing, and vaccine research; mean health care might be especially susceptible to these malicious threats. If there is somebody who might be tempted to profiteer from privileged data within an organization that has let down certain safety measures, things can go sour quickly. They perceive themselves to be in a position where they’re not being monitored as closely because they’re physically not in the office.
On top of that, we know that humans tend to make cloudy judgment calls during crises or emergency situations. End users might be more susceptible to follow a spam link to free N95 masks if they are desperate enough, for instance.
Being a Resource from Afar
The new work setup also impacts how CISOs and their teams relate and work both as an internal entity and with their organization’s end users. Even in industries that operate primarily on-prem, there will be individuals working remotely. In health care, that’s administrative staff, IT and support people. In these professions, people often aren’t technically trained or conceptually prepared to work remotely. So, they need security teams to be accessible. They’ll have questions like, “Is it safe for me to work from my home computer?” or “How can I access this resource now that I’m away from the company network?”
Technical personnel will find that they’re called to interact much more with end users than they have in the past, yet they can’t simply sit down and coach someone through a problem. Technical teams will need to strategize how they’ll handle the increase in tickets and service requests flowing in, even in the face of fewer team members on call, slower internet speeds or unknowns in process and protocol. They’ll also need to deliberate methods of staying connected and communicating amongst each other in order to stay cohesive and efficient while away from their cohort routines and schedules.
Mitigating the Complications of BYOD
With children out of school and many spouses working from home, employees will be pulled in many directions. They’ll be distracted more than ever, which means they’ll likely be tempted to place convenience over security when it comes to keeping personal and professional separate. We can all imagine a scenario where an employee is away from his or her corporate phone but needs to access a network to review, say, a shared file or an urgent email. Nine times out of ten, they’ll use whatever device they can get hold of and circumvent security rules. Over the many weeks these employees are at home, this might happen several times on multiple personal, shared devices. When it’s all said and done, this employee may have authorized three or four unsanctioned devices to access company files. Even after we return to work, those devices might still have access to company information. Allowing convenience to trump safety and letting down walls won’t stay isolated once employees return to work. If a CISO wouldn’t allow unsanctioned devices to connect to the company network before, it shouldn’t allow it to happen now.
Keep Security a Constant
It is possible to maintain a healthy security posture through an emergency. In fact, the current situation could even allow for a unique learning opportunity for a CISO’s team: how to stay on guard during any situation.
Monitor Activity
At Kelsey-Seybold, we have different tools in place to monitor behavior, access rules, generate alerts and evaluate alarms through a log management system or other intelligent systems like SIEM. Looking at and evaluating those alerts and evaluating whether there’s something really going on is a constant process that’s shared across our security organization. Because we have that technology in place, we can keep a greater eye on the information being accessed by employees while they’re at home. In addition, while the majority of people can connect to the network through VDI or Citrix, we limit certain activities that can be done from home. For example, employees can’t print from their local session to a local printer at home. This can keep us from losing valuable data.
Keep One-on-One Time
In the time of crisis, CISOs must maintain efficiency with inbound user queries as well as ensure greater communication among security teams. Use collaboration software to create quick touchpoints, replicate meetings and quick chats that would have been done in the office. Employees, especially those that are not as technologically skilled and unfamiliar with a work-from-home structure, are going to appreciate having access to experts that can answer questions for them in real time.
Stand Firm on Existing Policies
With more people attempting to keep patients, customers, and constituents happy while working from home, they might be tempted to ignore policies that were in place before. But CISOs need to play the long game and focus on consistency first. For example, Kelsey-Seybold has always required a phone interview between IT and a physician that might want to download our EMR application to their computer. Since this is such a high-touch process, we want to verify with the physician that they installed it and talk through any questions. Not only is this quicker for the physician than filling out a form, but it’s more trustworthy for our purposes. Even through recent changes in the day-to-day, we have kept that process in place to protect our staff and our patients.
When world health and political leaders first began urging the practice of social distancing, it took quite a bit of persuasion (nearly pleading) to get people to stay home. Press conference after press conference convinced most Americans that if they stayed home, they could save lives. CISOs are in somewhat of a similar role: they have to talk through the impact an end user can have on the safety of the entire organization and what each individual’s contribution to that is. With end users, it’s focusing on security awareness and education when it comes to phishing threats and personal cybersecurity practices. At a leadership level, the CISO can inspire healthy attitudes toward security processes with executives by creating a “not if, when” narrative.
The world is certainly changing by the day, but security has to stay a constant. Some businesses lead with expediency and accessibility, but we believe cybersecurity should remain an issue at the forefront, or we risk compiling one emergency with another.
About the Authors
Martin Littmann is the Chief Technology and Information Security Officer (CTO & CISO) for Kelsey-Seybold Clinic and is responsible for IT Architecture & Strategy, Infrastructure, Network and Information Security. Littmann holds a Bachelor of Science in Geology and began his career as a geothermal exploration geologist, later transitioning into information technology development and architecture roles.
Stephen Moore has been Vice President and Chief Security Strategist of Exabeam, Inc. since August 2017, and is also the host of The New CISO podcast. Moore has more than 15 years of experience in information security, intrusion analysis, threat intelligence, security architecture and web infrastructure design. Prior to joining Exabeam, Moore spent more than seven years at Anthem, in a variety of cybersecurity practitioner and leadership roles. He was the architect of the new 6,000 square-foot Anthem Cyber Security Operations Center in Indianapolis.
Disclaimer
CISO MAG did not evaluate the advertised/mentioned product, service, or company, nor does it endorse any of the claims made by the advertisement/writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
