The coronavirus is now a pandemic and is very much at the forefront of all decisions that businesses are taking. This article examines how this latest pandemic is affecting the role of a CISO and provides recommendations on how they can achieve a sound level of security amidst the panic.
Article 32 of the General Data Protection Regulation (GDPR) requires that companies implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed to the rights and freedoms of individuals. In doing so, they should take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the data processing, as well as the risk of varying likelihood and severity for the rights and freedoms of the individual.
This requirement informs, to a great extent, what a CISO’s responsibility should be when it comes to processing personal data. One of the key roles of a CISO is to consistently review and monitor the security measures that are in place to protect systems and information. In the event that such systems and/or information are compromised, the CISO will play a vital role to ensure such compromise is contained and remediated effectively.
Businesses always run the risk of falling victim to a cyber attack. That risk has now heightened, as cyber criminals are taking advantage of the pandemic and the pressures businesses are under. An article published by the BBC on 13 March 2020 examined five phishing campaigns in which attackers send emails that purport to offer information on the virus but in fact deliver malware to the recipient. This is just one illustration of how cyber criminals are trying to capitalise on the current climate.
On a daily basis, we are seeing news articles stating that various companies have closed their offices in the city and workers will now be carrying out their jobs remotely from home. This alone presents several challenges to CISOs in relation to the security of their virtual private network (VPN) connections and corporate devices.
Some cyber attacks and breaches are preventable if certain measures have been implemented. Here are our top recommendations for CISOs to ensure that their systems and data are secure:
1. Secure your devices, systems and VPN connection
In recent years, we have seen a rapid increase in bring-your-own-device (BYOD). Given that many offices are now closing because of the threat of the coronavirus, CISOs will need to go back to basics and check whether the devices that will be used for home working (both corporate and BYOD) have an adequate level of security.
In practice, this means ensuring all devices are encrypted, have the latest security updates installed, and are protected by strong passwords or passcodes, with the same password standards enforced on the systems those devices connect to.
Where new devices are being issued to employees to enable them to work from home, staff should be instructed to change the default passwords set on such devices promptly, because default passwords are published by vendors and are trivial for attackers to guess.
With most employees relying on a VPN connection to log on to their work systems, CISOs must pay particular attention to the VPN gateway and the internet boundary behind it: the VPN software should be kept patched, and the connection should be protected by an appropriately configured firewall that logs traffic and alerts IT security to any unusual or suspicious activity.
The National Cyber Security Centre's Cyber Essentials provides helpful guidance on how device, system and internet security can be achieved.
2. Multifactor authentication
Multifactor authentication is a simple but very effective measure for protecting your systems and data. Data protection regulators often point to its absence when commenting on cyber attacks. Multifactor authentication should be required for logging in to work-related services, in addition to passwords.
3. Are you ready to deal with phishing attacks?
Given the increase in phishing emails relating to coronavirus, this is an obvious area for CISOs to focus on. Re-train employees, circulate guidance on phishing emails and perform a mock phishing attack to see if employees can correctly identify such emails.
We often see that, despite the right training, employees still fall victim to such attacks. Therefore, revisit your system security (as mentioned above) and implement multifactor authentication: a phished password alone will then not be enough for the attacker to gain access to your systems. Note that this does not stop a phishing email that delivers malware, which is why device patching and endpoint protection remain essential.
4. Test your business continuity plan
Imagine your whole workforce has been advised to work from home and when they try to log onto your systems remotely, they encounter problems – some cannot connect to the VPN while others find the connection too slow. This will put immense strain on your IT helpdesk.
Before instructing employees to work remotely, CISOs should test whether this will work in practice. A method currently adopted by many organisations is to allocate a time over a weekend when the whole workforce is instructed to log on to the systems via the VPN connection. They then review the log statistics and gather feedback from staff to determine whether their systems can sustain that level of demand and what improvements need to be made.
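The log review at the heart of such a test is worth automating so that the numbers are comparable from one rehearsal to the next. The script below is an added example, not part of the original article or Fieldfisher's guidance: it works on constructed VPN gateway log lines in an invented format (real concentrators log differently, so the parser is the part to adapt) and reports peak concurrent sessions, failed connection attempts broken down by reason, and whether an assumed licensed capacity was exceeded.

```python
"""Summarise a VPN load test from gateway logs.

Added example, not code from the original article. The log line format
below is constructed for illustration; adapt parse_line() to the syslog
format your VPN product actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one event per line, in a made-up format.
SAMPLE_LOG = """\
2020-03-14T09:00:01Z vpn1 CONNECT user=alice src=203.0.113.10
2020-03-14T09:00:03Z vpn1 CONNECT user=bob src=203.0.113.11
2020-03-14T09:00:05Z vpn1 FAIL user=carol src=203.0.113.12 reason=auth
2020-03-14T09:00:07Z vpn1 CONNECT user=carol src=203.0.113.12
2020-03-14T09:00:09Z vpn1 CONNECT user=dave src=203.0.113.13
2020-03-14T09:01:00Z vpn1 DISCONNECT user=alice src=203.0.113.10
2020-03-14T09:01:30Z vpn1 FAIL user=erin src=203.0.113.14 reason=timeout
2020-03-14T09:02:00Z vpn1 CONNECT user=erin src=203.0.113.14
2020-03-14T09:05:00Z vpn1 DISCONNECT user=bob src=203.0.113.11
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>CONNECT|DISCONNECT|FAIL) "
    r"user=(?P<user>\S+)(?: src=(?P<src>\S+))?(?: reason=(?P<reason>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def summarise(log_text, capacity):
    """Replay the events in time order and report load and failure statistics.

    capacity is the assumed number of concurrent sessions the gateway is
    licensed or sized for (a hypothetical figure supplied by the caller).
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    active = set()          # users with an open session right now
    peak, peak_at = 0, None
    attempts = 0            # every CONNECT or FAIL counts as an attempt
    failures = defaultdict(int)

    for e in events:
        if e["event"] == "CONNECT":
            attempts += 1
            active.add(e["user"])
            if len(active) > peak:
                peak, peak_at = len(active), e["ts"]
        elif e["event"] == "DISCONNECT":
            active.discard(e["user"])
        else:  # FAIL
            attempts += 1
            failures[e["reason"] or "unknown"] += 1

    total_failures = sum(failures.values())
    return {
        "peak_concurrent": peak,
        "peak_at": peak_at,
        "attempts": attempts,
        "failures": dict(failures),
        "failure_rate": total_failures / attempts if attempts else 0.0,
        "over_capacity": peak > capacity,
    }


if __name__ == "__main__":
    # Hypothetical gateway sized for 3 concurrent sessions.
    report = summarise(SAMPLE_LOG, capacity=3)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Splitting failures by reason matters when reading the results: a spike in `auth` failures during a rehearsal usually points at users who have not enrolled for multifactor authentication or are using old passwords, whereas `timeout` failures point at the gateway or its upstream bandwidth, and the two need different fixes.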
5. Have your incident response team ready to deal with the unexpected
Despite having all the relevant security systems and policies in place, you may still have an unfortunate situation where you fall victim to a cyber attack. Therefore, you must have your incident response team ready to deal with such an incident.
The most obvious and important item here is to ensure that the key actors in your incident response team can be contacted easily in the event of a breach. Don't rely solely on email to report and escalate breaches because, in a cyber attack where your systems are compromised, those emails may never be picked up. Companies should look to set up a breach hotline that is staffed 24/7 so that reports are received regardless of the state of the corporate network.
An equally important point is to ensure that your incident response team is trained to be able to effectively action the incident response plans that you have in place.
6. Ensure teams can still carry out incident response and management plans
Coronavirus will not be an excuse for failing to comply with statutory obligations. CISOs may be tested where business continuity plans have been executed for the coronavirus, and other incidents occur. It will be critical for organisations to understand their legal and reporting obligations in the context of data security and to be capable of implementing their incident response and management plans, even while operating remotely.
Sabba Mirza is a senior associate in Fieldfisher’s privacy, security and information law group. This article was also reviewed by regular Computer Weekly contributor and Fieldfisher partner James Walsh.