Our panellists from CISO Live, US share their tips on developing an information security strategy for the post-COVID-19 era
The swift changes brought about by COVID-19 – including the movement of a large portion of the workforce to remote working – have caused several challenges for CISOs. Not only has the sudden shift to a dispersed workforce dramatically increased organizations’ potential attack surface, but security teams have also had to rethink how they train and support employees based at home.
During a panel discussion at CISO US Live, we discuss how the impact of an unpredictable 2020 has changed future planning for the cybersecurity industry, and how organizations can continue to support the security of their workforce – whether back in the office, staying at home, or a mix of both.
- Jason Elrod, Executive Director of Cybersecurity & Investigations, Sutter Health
- Raj Badhwar, SVP & CISO, Voya Financial
- Andrew English, BISO, Humana
- Rick Myers, Engineering & Information Security Senior Director, Ultimate Medical Academy
The COVID-19 Challenge
For many organizations, the COVID-19 pandemic brought a number of benefits, from the acceleration of digital transformation projects to increased productivity as a result of shorter, virtual meetings. However, this shift to remote working has also brought about a host of cybersecurity risks that CISOs have been forced to tackle outside of the office.
For many, one of the biggest challenges was preparing their workforce for this new way of working, be it ensuring they had access to secure hardware and internet connectivity or making sure their employees were aware of the expanding threat landscape.
Raj Badhwar, SVP & CISO, Voya Financial, said: “We made sure we shored up VPN and VPI capabilities, and we also wanted to make sure that we added a few things like dynamic host checking, end-to-end encryption, and more multi-factor capabilities across the board.
“Also, when people went home, they didn’t have laptops, so they took their desktops with them. So, we had to make sure that we were able to ensure drives were encrypted, and that employees had secure internet connectivity,” he added.
For Rick Myers, Engineering & Information Security Senior Director, Ultimate Medical Academy, the biggest challenge was ensuring everyone had access to the necessary equipment, as prior to the pandemic, just five percent of the Academy’s employees worked remotely.
“Our challenges started early,” Myers said. “When we heard about Covid approaching, we activated our emergency management team, and we were talking every day about what we were going to do if there came a time we had to evacuate our buildings.
“Our main challenge was with staff members. They don’t have computers, so we had to figure out what we were going to give them,” he continued. “We sent surveys to them asking about their home environment and internet speeds, and based on that, we were able to go and acquire equipment such as cables and headsets.”
While organizations acted fast to ensure employees were equipped for remote working, they also had to move to protect these employees from the increasing threat landscape. The FBI reported that the number of complaints about cyberattacks to its Cyber Division increased 400% to as many as 4,000 a day during the pandemic. Microsoft observed that COVID-19-themed attacks, where cybercriminals get access to a system through the use of phishing or social engineering attacks, have jumped to 20,000 to 30,000 a day in the US alone.
Jason Elrod, Executive Director of Cybersecurity & Investigations, Sutter Health, also saw a surge in cyber threats as his company’s workforce shifted to remote working.
“We experienced a 200% increase in alerts, and probably around 30% more actionable incidents,” Elrod said. “We had to adopt an idea that everyone is working from an assumed hostile network. Things that you would normally see from a business email compromise were shifted to personal email addresses, and people started clicking on those.”
Andrew English, BISO at Humana, also observed an uptick in cyber threats, in particular the use of tried-and-tested spear-phishing attacks.
“Spear-phishing, and campaigns related to news uptakes, was a big one for us,” English said. “Threat intel, and how we were able to start looking out for those things, has been the big shift for us. We had to get ahead of these spear-phishing attacks, and figure out how we communicate to our associates that they need to be mindful about these attempts.”
Badhwar, who works in the ever-lucrative financial industry, witnessed a 37% increase in cyberattacks during the pandemic and says his biggest concern was vulnerabilities in the video conferencing software his company had adopted.
“Besides phishing, we saw a bunch of spam and spoofing, and we also observed a number of vulnerabilities in video conferencing platforms, such as Zoom,” he said. “With everyone working from home, these exploits became critical.”
He continued: “A lot more malware infestations were also seen throughout the industry, as well as an increase in DDoS attacks and investment scams.”
With the number of threats increasing, and with employees granted access to potentially sensitive information on personal devices and home networks, organizations have had to move quickly to ensure their networks remained secure.
“Dynamic host checking was a big one for us,” comments English. “We’re also looking at how we can empower that for our vendors and third parties down the road too, so we can get a more holistic snapshot of how to secure our ecosystem.”
Badhwar also turned his attention to dynamic host checking to ensure that the company’s networks remained free of compromise.
“We have done something called dynamic host checking, so when somebody is coming onto our network using VPN or VPI, a host check happens. It checks if they have malware, that they are fully patched, and it does other integrity checks. If you fail that, you are not allowed to connect back into the ecosystem until the issues are remediated.”
“We also did dark web monitoring,” he added. “When unauthorized access occurs, a lot of that data ends up on the dark web. We also shored up our threat intelligence capabilities – we built our own platform, and started ingesting various sources so we were in the know about what was going on.”
Elrod, who has been faced with regulatory challenges due to his position within the healthcare industry, moved to ensure that new remote employees weren’t using devices that hadn’t been vetted by the organization’s security teams.
“I like to call it shadow security. When people are at home, they’re going to use whatever is at their house, and those tools aren’t necessarily vetted,” he said. “By selecting a security tool you think you’re doing good, but it creates other regulatory issues too. In some cases, I think shadow security in the remote environment is a problem as it can give people a false sense of security. It might be secure, but it isn’t private.”
For Myers, a zero-trust strategy – a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters – was key to ensuring robust security during the pandemic.
“Having our desktop machines out in the field, rather than being in between the four walls of our building, saw the threat landscape expand greatly,” he said. “We implemented zero trust within our infrastructure to prevent people who do not have access to our databases from getting into them. We enabled this to everybody that’s supposed to have access to the systems through an internal firewall, and we keep locking it further down.”
While it’s been a big challenge for Myers, whose educational institute has had to rapidly adapt to new ways of working, it has also enabled the Academy to diversify its cybersecurity teams.
“We have increased our DevOps and security teams, those are the types of skillsets we needed,” he concluded. “From the experiences we’ve had with Covid, now we’re much happier to hire people remotely from all across the country. The talent pool has opened up immensely.”