A brief guide to cyber resilience in the post-COVID era
The pandemic has shaken up the corporate world and made remote working not only acceptable but even preferable in many situations.
This is great for employees, providing them with more flexibility in their roles, but unsurprisingly has led to more headaches for cybersecurity teams as they try to adapt their organisation’s security practices accordingly. Going all-in with digital workflows means having to deal with significantly different risk profiles, making cyber resilience a giant pain in the assets.
But, with a little planning and foresight, we can build effective cyber resilience measures that are fit-for-purpose, as long as we understand what’s practical and choose our battles wisely. Which is why we’ve put together an informal guide on what to consider when sharpening up your cyber resilience strategy.
Patch as you go
Many IT teams think about applying security patches to software, which can be a great fix, but there’s also a tendency to overthink and delay patchwork as they consider all the possible IT issues that could come up. It’s far better to stick to a regular patch management routine than to wait around for months for the perfect patch while your attack surface grows bigger by the day. Remember, bad actors know that the pandemic has turned everyone’s IT operations upside down and are aggressively trying to exploit any gaps they can. Patch fast, patch often, and prioritise critical patches, even if they’re less-than-ideal.
Make sure everyone knows how to spot COVID phishing emails (especially you, Office 365 users)
Attackers know everyone’s worried about the pandemic, and that people are more likely to click on COVID phishing emails. They also know that Office 365 is the standard in many workplaces, and even one successful attack can give them access to other Microsoft services like SharePoint, Teams, OneDrive and Skype. All employees should know how to safely handle their O365 credentials, as well as knowing what potential Office 365 scams could look like. Make sure everyone is briefed on what internal COVID-19 communications should look like and who their senders will be. They should also be advised to be suspicious of any unsolicited external emails that claim to provide COVID-19 advice, updates, cures and so on. Cybersecurity teams, this is a good time for crisis-specific testing exercises.
Be extra cautious with emails from the C-suite
Getting illicit access to C-suite data and accounts is a big trophy for attackers. Stealing the identities of the executive team enables scammers to do more damage since employees and customers tend to be more trusting of links and attachments in emails that appear to be sent by senior executives. Users should be trained to look out for emails from colleagues and management that do not ‘feel’ right or seem out of character. Watch out for tone, bad grammar or vague references to unfamiliar projects. If in doubt, call it out. A collaborative culture where employees are encouraged to flag any suspicious emails, even from the leadership team, is a key part of effective cybersecurity.
You can’t secure everything, so pick your battles
The IT footprint of most organisations has changed dramatically. Remote workers, contract work, BYOD policies, third-party software services, all mean that there’s a sprawling network of devices to secure, and not all of them are under the direct control of the cybersecurity team. Something can and will go wrong, so the goal should be to ensure resilience for business-critical operations. That could mean focusing on securing e-commerce services, front-end customer services or making sure critical data is regularly backed up. You have to decide where you want to allocate your resources, even if it means some non-essential operations have to make do with baseline security measures.
Keep a tight lid on network access
Keeping network access reliable and secure is more critical than ever. This means preventing unauthorised users and devices from gaining access to the network, without making it a nightmare for employees to log in and do their jobs. You have to keep an eye on the use of shadow IT - use of unofficial devices, apps and services for day-to-day work. There should also be clear policies in place that recommend best practices for securing company devices as well as personal devices. Encourage employees to use pre-approved apps and services for their work tasks.
Zero trust is the only trust
The old model of ‘if it's in the network, it can be trusted’ just doesn’t work anymore. With company and personal devices asking for legitimate access to data and systems from both inside and outside the corporate network, IT security teams need to consider Zero Trust models that transfer the “trust” from a specific device to a specific user. This means access should be granted when a trusted person with a proven identity requests it, not when a device that just happens to be in the right place makes the same request. Moving to a Zero Trust system where practical is one of the best ways to enhance the security of your network.
Get the humans on board
We’ve talked a lot about how cybersecurity is now everyone’s job, not just the IT department’s. And when it comes to our post-pandemic cyber reality, human error is still, by far, the biggest threat out there. We need to work together to build a cyber-aware culture across the entire organisation. That means regular awareness training, sharing best practices, threat alerts, and empowering everyone in the company through education and agency. We’re all in this together, and we all need to pitch in to build a resilient workplace and a resilient future.