Businesses are eager to open their doors, many remote workers are ecstatic about it, but reopening will not be as simple as flipping a switch and returning to “business as usual”. A variety of social restrictions will continue to disrupt our traditional way of doing business. Although organizations are finding new ways to run business operations, there is much to learn from this global crisis. Greg Franseth, Director of Professional Services at Cadre, shares insightful strategies on reopening post COVID-19.
Reflect on Rushed Decisions During the Wake of the Pandemic
It is only human that when we do things in a rush, we make mistakes. This was certainly true when businesses were unexpectedly turned upside down by COVID.
I think the main weakness for most organizations is the same weakness that creeps up over and over again when it comes to any sort of security. We make changes very quickly in an emergency situation. We overlook important steps in our rush. We fail to do our full due diligence. Then it's hard to go back later and say, “We need to spend a few weeks dealing with this.”
But it's important that we do go back and perform those steps. We build time into project plans for the detail work for a reason, so we should expect to invest the same time and effort in getting things right when we have to do it after the fact. And information security is as important a place to make that investment as anywhere else.
Finding Resolve in Your Network Security Ecosystem
Replace temporary structures with permanent ones
Take this time to look at temporary structures, and replace them with permanent structures.
If you think about it, it's parallel to construction. If we have an emergency and we need to build large temporary facilities, we don't keep those permanently, right?
We may have implemented certain controls just to get things off the ground. VPN is a great example. There are all kinds of levels at which you can build a VPN. Maybe something that was done with a low-cost solution would be better integrated with existing hardware and network infrastructure. Don't just fix what you put in place; assess what the most appropriate long-term solution is.
When COVID hit the fan, we scrambled to get people out and working. We didn't understand all the ways people would behave and use the technology.
Analyze the traffic and use that to reconsider firewall configuration. Did we log all the traffic? Do the rules make sense now that we understand how people are actually working remotely? Maybe we created rules to get people going. Let’s get more specific in our rules and harden those controls.
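One way to turn that review into a repeatable check, added here as an example that is not part of the original article or any Cadre tooling: parse a sample of allow/deny log lines, count which flows actually matched each emergency-era rule, and propose a narrowed replacement for every broad ("any") rule while listing rules that never matched at all. The log line format, the rule schema and the sample data are all constructed for this example.

```python
"""Constructed example: compare an emergency-era firewall rule set against the
flows the logs show actually being used, so broad rules can be narrowed to what
people really need and unused rules can be retired. The log format and the rule
schema are assumptions made for this example, not any vendor's real format."""
import re
from collections import Counter, defaultdict

# Constructed log lines in an assumed format:
#   <action> <proto> <src>:<sport> -> <dst>:<dport> rule=<rule-name>
SAMPLE_LOG = """\
ALLOW tcp 10.20.1.5:51234 -> 10.0.0.10:443 rule=vpn-users-any
ALLOW tcp 10.20.1.7:50111 -> 10.0.0.10:443 rule=vpn-users-any
ALLOW tcp 10.20.1.5:51240 -> 10.0.0.20:3389 rule=vpn-users-any
ALLOW tcp 10.20.1.9:49211 -> 10.0.0.10:443 rule=vpn-users-any
ALLOW udp 10.20.1.7:5353 -> 10.0.0.53:53 rule=vpn-users-any
ALLOW tcp 10.20.1.5:51300 -> 10.0.0.30:445 rule=vpn-users-any
DENY  tcp 198.51.100.4:44000 -> 10.0.0.10:22 rule=default-deny
"""

# Constructed "get people working" rule set: one wide-open rule for the VPN
# subnet, plus a temporary vendor rule that (per the log above) never matched.
EMERGENCY_RULES = {
    "vpn-users-any": {"src": "10.20.1.0/24", "dst": "any", "proto": "any", "dport": "any"},
    "temp-vendor-rdp": {"src": "203.0.113.0/24", "dst": "10.0.0.20/32", "proto": "tcp", "dport": "3389"},
}

LINE_RE = re.compile(
    r"^(?P<action>ALLOW|DENY)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+rule=(?P<rule>[\w-]+)\s*$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def observed_flows(records, rule_set):
    """Per allow rule: hit count of each distinct (proto, dst, dport) flow, and the
    set of source hosts that used it. DENY lines and unknown rules are ignored."""
    flows = defaultdict(Counter)
    sources = defaultdict(set)
    for r in records:
        if r["action"] != "ALLOW" or r["rule"] not in rule_set:
            continue
        flows[r["rule"]][(r["proto"], r["dst"], r["dport"])] += 1
        sources[r["rule"]].add(r["src"])
    return flows, sources


def is_broad(rule):
    """A rule is 'broad' if any of destination, protocol or port is wildcarded."""
    return "any" in (rule["dst"], rule["proto"], rule["dport"])


def propose_tightened_rules(rule_set, records):
    """Return (proposals, unused). Each broad rule is replaced by one narrowed
    rule per flow actually observed; rules with no ALLOW hits are reported as
    unused so a human can decide whether to retire them."""
    flows, _ = observed_flows(records, rule_set)
    proposals, unused = [], []
    for name, rule in rule_set.items():
        if name not in flows:
            unused.append(name)
            continue
        if not is_broad(rule):
            continue
        for (proto, dst, dport), hits in sorted(flows[name].items()):
            proposals.append({
                "name": f"{name}-{proto}-{dport}-{dst.replace('.', '-')}",
                "src": rule["src"],          # keep the original source scope
                "dst": f"{dst}/32",          # narrow to the host actually reached
                "proto": proto,
                "dport": str(dport),
                "hits": hits,                # evidence for the reviewer
            })
    return proposals, unused


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    proposals, unused = propose_tightened_rules(EMERGENCY_RULES, records)
    print("Proposed replacements for broad rules:")
    for p in proposals:
        print(f"  {p['name']}: {p['src']} -> {p['dst']} {p['proto']}/{p['dport']} ({p['hits']} hits)")
    print("Rules with no matching ALLOW traffic:", unused)
```

Each proposal is a starting point for the review the text calls for, not an automatic change: a flow that shows up in the logs (SMB on 445 from the VPN subnet, in the constructed sample) still needs a human to ask whether it should exist at all, and a rule with zero hits over a short log window is not proof it is unnecessary. Run it over a long enough sample to cover month-end and other periodic activity before retiring anything.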
Expand your Threat Hunting
Security is a funny thing: we tend to think of it as a bouncer who must always be at the door. The truth is, our security doesn't have to be limited to staff in our offices; we can have security staff or security partners anywhere in the world. Large organizations may even have multiple SOCs with specialty functions in different offices and locations. Now is a great time to consider what we are logging, the SIEM tools we use for analysis, and the opportunities, not just within our organizations but in our larger partner ecosystems, to increase the robustness of our response and analysis.
And you don’t have to be a large organization. By leveraging security partners, smaller organizations can gain some of these same benefits without having to build oversized security departments.
Engage a partner to hunt the silent breach
What concerns me most is the more sophisticated cyber criminals who have taken this opportunity NOT to do anything. What they'll have done is found vulnerabilities, gotten inside our networks, gotten access to accounts, and are waiting to see what we do, waiting to attack us from the inside when our guard is down.
Although they're silent, in that these actors may not be exploiting the vulnerabilities yet, they're working hard to find higher-value opportunities. Why lock up some office worker's PC when they can wait until they can get ransomware onto a core accounting system? Then a company is much less likely to say, "To heck with it. We'll rebuild it from scratch."
We want to look for abnormal behavior inside our networks. We want to have vulnerability assessments and penetration tests sooner than the regular cycle would call for. As we go back to "normal", now is a good time to have an outside organization come in and advise us on this, and to test our networks looking for vulnerabilities and silent breaches.
Build a Crisis-Proof Business Continuity Strategy
Many organizations have done the work of creating disaster recovery plans, but with varying degrees of effectiveness. Some have them but don't test them, while others create them and then don't update them. What's more, many were designed to handle disasters such as an earthquake or a tornado. Most organizations would not have considered COVID a disaster, because the equipment and data centers weren't directly affected. So, businesses stopped at the obvious disasters, and they didn't develop a proper business continuity plan.
One of the differences between disaster recovery and business continuity is that disaster recovery defines a clear set of steps to be taken – we're going to activate a remote location, we're going to spin up these servers, we're going to restore these backups.
Business continuity and crisis response plans, on the other hand, define more general ways and methods for how we will respond, not specifically what we will do. Business continuity is concerned with how we will respond when normal processes and controls are disrupted, or when they are ineffective or inadequate in responding to a crisis. How do we keep the business operating successfully at times when the regular operating procedures won't do?
A properly implemented business continuity plan provides clarity: when your regular channels are tied up dealing with a crisis and unavailable, these processes will be temporarily suspended, this department will provide you direction, and these things will need to be documented for future review.
Improperly implemented plans create chaos. I've found the IT help desk fielding all kinds of calls that had nothing to do with IT, because it was the only place people knew to call. Consequently, the help desk became overwhelmed with questions they couldn't answer, and the entire organization was failing to get correct answers communicated. Good business continuity planning can avoid this scenario.
One of the things that often gets lost in all of this is that sometimes we can be good at the execution of the task, yet fail at putting it into the organization. We can create a disaster recovery plan. We can create a business continuity plan. Then we fail to communicate those to the organization. I'm certain that many organizations have been learning the importance of communicating and testing their plans.
Learning from a Global Crisis
Even the sophisticated security organizations that were already equipped to provide advice on information security have learned a lot. They're collecting information from all over the world on what is working and what is not, and that will better prepare us for the future.
Not only is the world an integrated organism, but so are our businesses. We must understand that these things are not discrete, but go across the entire organization. This is our opportunity to learn from our partners but also about ourselves. Systems have been tested like never before. What have we learned about our security needs? About integrating our solutions? About comprehensively training our people? About the actions we took and the way we communicated them?
The days when you could just buy the right hardware and software and be done with it are in the past – but that’s okay as long as you are prepared.
If you’d like to learn about Cadre’s vulnerability assessments and penetration tests, or any other cyber security solutions, please contact us. We’d love to help you find a solution that fits your needs and budget as you reopen your doors!