The unfolding COVID-19 situation presents organizations and their technology teams with many new challenges as they strive to maintain the continuity of core business functions – while supporting many new ways of working. And, they must do this in the context of a significantly changed risk profile during a very turbulent time.
Of course, ensuring cyber-security resilience in these extreme circumstances is challenging. To help organizations prioritize their efforts to successfully tackle critical security risks while keeping business systems running effectively, Fujitsu’s security experts have put together the following nine imperatives.
1. Don’t let perfect be the enemy of good when it comes to patches
Many IT leaders consider applying security patches to software as something that must be highly governed to minimize the chance of negatively affecting IT operations. However, in their quest to achieve perfection, companies often fall behind in patch management routines, unnecessarily increasing their attack surface.
Microsoft released a patch (MS17-010) for the SMBv1 vulnerability exploited by EternalBlue two months before it was used in the widespread WannaCry attacks of May 2017. The number of businesses hit because they had still not applied that update illustrates the importance of regular patching.
IT operations teams are being significantly affected by the COVID-19 pandemic, and we expect to see unscrupulous attackers aggressively trying to exploit the change in working practices. We recommend that businesses patch frequently and deal with any resulting issues, rather than waiting months to patch perfectly.
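To make the EternalBlue point concrete, here is an added example (not from the original article) that triages a patch inventory for the SMBv1 flaw fixed by MS17-010, reporting which hosts are still exposed, which are unpatched but have SMBv1 disabled, and how long the fix has been available. The inventory is constructed; the KB numbers are the security-only and monthly-rollup updates Microsoft listed in the MS17-010 bulletin for each platform, and should be checked against the bulletin before the script is pointed at a real patch-management export.

```python
"""Added example: triage a patch inventory for the MS17-010 (SMBv1) fix.

Inventory is constructed for illustration. KB numbers are those from the
MS17-010 bulletin (14 March 2017); verify them before real use.
"""
from datetime import date

MS17_010_RELEASED = date(2017, 3, 14)
WANNACRY_OUTBREAK = date(2017, 5, 12)

# Platforms that still shipped individual updates: either KB carries the fix.
MS17_010_KBS = {
    "Windows 7": {"KB4012212", "KB4012215"},
    "Windows Server 2008 R2": {"KB4012212", "KB4012215"},
    "Windows 8.1": {"KB4012213", "KB4012216"},
    "Windows Server 2012 R2": {"KB4012213", "KB4012216"},
    "Windows Server 2012": {"KB4012214", "KB4012217"},
}

# Windows 10 and Server 2016 use cumulative updates. Every later cumulative
# update supersedes the March 2017 one, so its KB number disappears from the
# installed list; the date of the newest installed update is the reliable
# signal on those platforms.
CUMULATIVE_PLATFORMS = {"Windows 10", "Windows Server 2016"}


def has_ms17_010(host):
    """True if the host carries the MS17-010 fix."""
    if host["os"] in CUMULATIVE_PLATFORMS:
        return host["latest_update"] >= MS17_010_RELEASED
    needed = MS17_010_KBS.get(host["os"])
    if needed is None:
        return False  # unknown platform: assume unpatched and investigate
    return bool(needed & host["installed_kbs"])


def triage(inventory, today):
    """Classify every host as patched, mitigated (SMBv1 off) or exposed."""
    report = []
    for host in inventory:
        if has_ms17_010(host):
            status = "patched"
        elif host["smb1_enabled"]:
            status = "exposed"      # unpatched and SMBv1 still reachable
        else:
            status = "mitigated"    # unpatched, but SMBv1 is disabled
        report.append({
            "host": host["name"],
            "status": status,
            "days_since_fix_available": (today - MS17_010_RELEASED).days,
        })
    return report


# Constructed inventory: hostnames, KB lists and dates are made up.
INVENTORY = [
    {"name": "fs01", "os": "Windows Server 2012 R2", "installed_kbs": {"KB4012216"},
     "latest_update": date(2017, 3, 20), "smb1_enabled": True},
    {"name": "fs02", "os": "Windows Server 2012 R2", "installed_kbs": set(),
     "latest_update": date(2016, 12, 13), "smb1_enabled": True},
    {"name": "lt-017", "os": "Windows 7", "installed_kbs": {"KB4012215"},
     "latest_update": date(2017, 3, 21), "smb1_enabled": True},
    {"name": "lt-042", "os": "Windows 7", "installed_kbs": set(),
     "latest_update": date(2017, 1, 10), "smb1_enabled": False},
    {"name": "wks-101", "os": "Windows 10", "installed_kbs": set(),
     "latest_update": date(2017, 4, 11), "smb1_enabled": True},
    {"name": "wks-102", "os": "Windows 10", "installed_kbs": set(),
     "latest_update": date(2017, 2, 14), "smb1_enabled": True},
]


def sample_report(today=WANNACRY_OUTBREAK):
    """Host -> status for the constructed inventory on the given day."""
    return {row["host"]: row["status"] for row in triage(INVENTORY, today)}


if __name__ == "__main__":
    for row in triage(INVENTORY, WANNACRY_OUTBREAK):
        print(f"{row['host']:8} {row['status']:10} "
              f"fix available for {row['days_since_fix_available']} days")
```

The "mitigated" bucket matters for prioritisation: a host with SMBv1 disabled still needs the patch, but the exposed hosts are the ones to fix first when the operations team is stretched.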
2. Ensure all employees know how to spot COVID-19 phishing emails – this is an increasing risk for Office 365 users
With everyone’s heightened interest in COVID-19 and the growing volume of pandemic related emails from both internal and external sources, attackers are using COVID-19 phishing lures to target Office 365 users as part of widespread phishing campaigns.
Once an attacker has compromised an Office 365 account, they also gain access to the other Microsoft services tied to it, such as SharePoint, OneDrive and Skype. They can then hijack existing conversation threads for their own ends, for example to misdirect financial transactions, and use the victim's messaging applications to "confirm" the fraudulent requests.
These phishing attacks are about stealing credentials. Therefore, understanding where and when a user should expect to enter their Office 365 credentials is a key element of user education.
We recommend ensuring that all users understand what internal COVID-19 communications should look like and who their senders might be, and teaching them to be wary of unsolicited external emails purporting to provide COVID-19 advice, updates, cures and so on. Security teams running phishing simulations should consider shifting to crisis-specific lures.
3. Be extra vigilant around C-Suite email accounts
The accounts and devices of senior and C-suite executives are seen as a trophy by many attackers because of the sensitive data they can reach. By assuming the identity of a compromised executive's account, attackers can also easily target other internal and external users, since employees and customers tend to trust links and attachments in emails that appear to come from senior executives.
Users should be trained to look out for emails from colleagues and management that do not feel quite right, for example in tone, where there are grammatical errors, or where specific things are referred to in generic terms (e.g. "the important project").
Everyone in an organization should know how to detect and report suspected phishing attempts. The protection of high-value senior staff accounts is obvious but total coverage across the organization will go a long way to eradicating this form of social engineering.
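The header-level warning signs described in sections 2 and 3 can be checked mechanically before a message reaches a user. The following is an added example, not code from the original article: it parses a handful of constructed messages and flags display-name impersonation of named executives, lookalike sender domains, and Reply-To headers that redirect replies elsewhere. The corporate domain and the executive directory are assumptions for the illustration.

```python
"""Added example: header checks for executive impersonation.

Messages, names and domains are constructed for illustration.
"""
import email
import unicodedata
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"  # assumption
# Assumption: protected senders, display name -> their real mailbox.
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",
    "Amit Shah": "amit.shah@example.com",
}


def name_key(name):
    """Case-, accent- and order-insensitive key: 'Doe, Jane' == 'Jane Doe'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return frozenset(folded.lower().replace(",", " ").split())


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a, b):
    """Plain Levenshtein distance; domains are short so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """Close misspellings (exarnple.com) or cousins (example-corp.com)."""
    if not domain or domain == CORPORATE_DOMAIN:
        return False
    label = CORPORATE_DOMAIN.split(".")[0]
    return edit_distance(domain, CORPORATE_DOMAIN) <= 2 or label in domain


def impersonation_flags(raw_message):
    """Return the header-level warning signs found in one RFC 822 message."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    flags = []

    exec_keys = {name_key(n): mbox for n, mbox in EXECUTIVES.items()}
    real_mailbox = exec_keys.get(name_key(display))
    if real_mailbox and addr.lower() != real_mailbox:
        flags.append("display-name impersonation")

    if is_lookalike(from_domain):
        flags.append("lookalike sender domain")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append("reply-to redirects to a different domain")
    return flags


# Constructed messages; none of these were ever sent.
SAMPLES = {
    "freemail": "From: Jane Doe <jane.doe@gmail.com>\nSubject: Urgent wire\n\nPlease process today.\n",
    "homoglyph": 'From: "Doe, Jane" <jane.doe@exarnple.com>\nSubject: Re: the important project\n\nCall me.\n',
    "reply_to": "From: Jane Doe <jane.doe@example.com>\nReply-To: jane.doe.ceo@mail-relay.net\nSubject: Invoice\n\nPay the attached.\n",
    "legit": "From: Jane Doe <jane.doe@example.com>\nSubject: Town hall\n\nSee you at 3.\n",
    "cousin": "From: Amit Shah <payments@example-corp.com>\nSubject: Vendor bank details\n\nNew account below.\n",
}


def scan_samples():
    return {name: impersonation_flags(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in scan_samples().items():
        print(f"{name:10} {flags or 'clean'}")
```

The caveat a practitioner should keep in mind: a genuinely compromised executive mailbox passes all three checks, because its headers are authentic. Header analysis complements multi-factor authentication and sign-in monitoring; it does not replace them.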
4. Targeted security will be required
Current working practices have changed. Corporate networks have far more distributed users, mobile devices, and remote workers using their own devices than ever before.
Consequently, it is critical to ensure that security monitoring systems and processes can quickly identify network anomalies and signs of compromise.
Organizations should take a risk-based approach to prioritize which assets, users, and systems present the highest risk to ensure that these are monitored appropriately. Priorities may have changed.
For example, e-commerce may now be the primary route to market for some vendors that operate brick and mortar stores, while collaboration tools will most likely have taken on greater importance for day-to-day operations.
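One anomaly that becomes far more valuable once a workforce is distributed is impossible travel: two sign-ins for the same account from places too far apart for the time between them. The following is an added example, not from the original article, that runs that check over constructed Office 365-style sign-in records and lists alerts for a risk-prioritised set of accounts first, as the section recommends. The speed threshold, the high-risk user list and the records themselves are assumptions.

```python
"""Added example: impossible-travel detection over constructed sign-ins."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # about airliner cruising speed; an assumption
HIGH_RISK_USERS = {"cfo@example.com", "it.admin@example.com"}  # assumed priority list

# Constructed sign-ins: (user, UTC time, city, latitude, longitude).
SIGNINS = [
    ("cfo@example.com", "2020-04-01T08:02:00", "London", 51.51, -0.13),
    ("cfo@example.com", "2020-04-01T09:15:00", "Lagos", 6.52, 3.38),
    ("dev.ann@example.com", "2020-04-01T07:30:00", "Manchester", 53.48, -2.24),
    ("dev.ann@example.com", "2020-04-01T12:10:00", "Manchester", 53.48, -2.24),
    ("sales.bo@example.com", "2020-04-01T06:00:00", "Berlin", 52.52, 13.41),
    ("sales.bo@example.com", "2020-04-01T17:45:00", "Warsaw", 52.23, 21.01),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins per user that imply an implausible speed."""
    by_user = defaultdict(list)
    for user, ts, city, lat, lon in signins:
        by_user[user].append((datetime.fromisoformat(ts), city, lat, lon))

    alerts = []
    for user, events in by_user.items():
        events.sort()
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < 1.0:
                continue  # same place, nothing to explain
            hours = (t2 - t1).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                alerts.append({
                    "user": user, "from": c1, "to": c2,
                    "km": round(km), "hours": round(hours, 2), "kmh": round(kmh),
                    "priority": "high" if user in HIGH_RISK_USERS else "normal",
                })
    # High-risk accounts first, then the most implausible journeys.
    alerts.sort(key=lambda a: (a["priority"] != "high", -a["kmh"]))
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(SIGNINS):
        print(f"[{a['priority']}] {a['user']}: {a['from']} -> {a['to']} "
              f"{a['km']} km in {a['hours']} h ({a['kmh']} km/h)")
```

The Berlin-to-Warsaw pair is deliberately left unflagged: it is a long way, but eleven hours is enough to drive it, and a detection that fires on ordinary travel will be ignored within a week. VPN exit nodes and mobile carrier gateways are the usual source of false positives here and should be allow-listed by IP range before the rule goes live.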
5. Make cyber-security education a critical element of secure remote working
The familiar surroundings of home can have the adverse effect of making users more likely to visit dubious sites and click on links that they would not have touched in the office.
At a time when attackers are actively exploiting remote working vulnerabilities, organizations must ensure that employees do their part to keep the enterprise secure. Businesses must share best practice, provide workers with consistent security awareness training focused on the home office, and allow them to easily report incidents in real time.
6. Ensure reliable and secure network access
Keeping network access reliable and secure is more critical than ever. This cuts both ways: legitimate users and devices must be able to reach the resources they need to do their jobs, while unauthorized users and devices must be prevented from gaining access to network resources.
It means keeping an eye on the use of shadow IT and promoting the use of approved tools, messaging, devices and applications – for example, approved file-transfer and document-management tools.
Make sure users are aware of their responsibilities when using corporate devices and networks, ensure that they are well-informed about relevant policies, and give them clear guidance on which tools and applications are and are not acceptable.
7. Redefine trust for your people
Secure remote access has become critical to effective operations. This means rethinking the old assumption that any device inside the corporate network can be trusted and that any device outside it cannot.
With corporate and personal devices making legitimate requests for data and systems from both inside and outside the corporate network, IT security teams will need to consider Zero Trust models that move trust away from network location and onto the verified identity of the user and the verified state of the device they are using.
Access to a business system should be granted when an authenticated, authorized person requests it from a device whose health has been checked, not when a device that merely happens to be in the right place on the network makes the same request.
Keep your operations and customers secure by giving your people the access they need to work remotely, through a Zero Trust model that verifies the user and the device on every request.
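To show what the shift in the previous paragraphs changes in practice, here is an added example (not from the original article) that decides the same set of access requests under a perimeter model, where network location earns trust, and under a Zero Trust model, where identity and device state are checked on every request regardless of location. The users, devices, resource tiers and policy thresholds are constructed assumptions.

```python
"""Added example: perimeter versus Zero Trust access decisions.

Scenarios, resource tiers and policy rules are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    name: str                   # label for the scenario
    user: str
    authenticated: bool         # presented valid credentials
    mfa: bool                   # completed a second factor this session
    device_managed: bool        # enrolled in corporate device management
    device_compliant: bool      # encrypted, patched, endpoint protection running
    on_corporate_network: bool  # office LAN or VPN
    resource: str


# Assumed sensitivity tiers; anything not listed is treated as high.
RESOURCE_TIERS = {
    "intranet-news": "low",
    "finance-sharepoint": "high",
    "hr-payroll": "high",
}


def perimeter_decision(req):
    """Legacy model: being inside the network is what earns trust."""
    return "allow" if req.on_corporate_network else "deny: outside the perimeter"


def zero_trust_decision(req):
    """Identity and device posture are checked on every request; the network
    the request arrives from plays no part in the decision."""
    if not req.authenticated:
        return "deny: no verified identity"
    tier = RESOURCE_TIERS.get(req.resource, "high")
    if tier == "high":
        if not req.mfa:
            return "deny: MFA required for this resource"
        if not (req.device_managed and req.device_compliant):
            return "deny: device not managed or not compliant"
    return "allow"


# Constructed scenarios.
REQUESTS = [
    AccessRequest("rogue-lan-device", "unknown",
                  False, False, False, False, True, "finance-sharepoint"),
    AccessRequest("cfo-at-home-managed-laptop", "cfo@example.com",
                  True, True, True, True, False, "finance-sharepoint"),
    AccessRequest("cfo-in-office-personal-tablet", "cfo@example.com",
                  True, False, False, False, True, "hr-payroll"),
    AccessRequest("staff-at-home-reading-news", "dev.ann@example.com",
                  True, False, False, False, False, "intranet-news"),
]


def compare(requests=REQUESTS):
    """Scenario -> (perimeter decision, Zero Trust decision)."""
    return {r.name: (perimeter_decision(r), zero_trust_decision(r)) for r in requests}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:32} perimeter={old:28} zero-trust={new}")
```

The two models disagree on every scenario: the perimeter model admits an unauthenticated device because it is plugged into the LAN and blocks a fully verified executive because she is at home, while the Zero Trust policy does the reverse and also refuses the executive's own unmanaged tablet for payroll data even from the office.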
8. Consider the physical elements of cyber-security
By definition, remote workers are outside the trusted, physically secure environment of an office. Consequently, businesses should consider how to help remote users maintain physical security standards.
Many enterprises provide workspace equipment for remote workers to ensure that they are compliant with health and safety policies – now is a good time to consider adding security equipment to the provided kit.
Consider including privacy screen filters to help ensure data on screen is not exposed to onlookers, in addition to enforcing session time-outs for sensitive applications so that systems are not left open when employees forget to lock them.
These measures are particularly important in cases where employees reside in shared accommodation.
9. Working together for the greater good
The unprecedented nature of the challenges that security teams are facing means that many are constructing new security strategies and formulating responses rapidly and with limited information. Yet we are all facing the same challenges and attempting to solve them alone does not benefit anyone.
Sharing cyber-security challenges, best practices and lessons learned with your peers and drawing on external sources of intelligence and inspiration will accelerate the development of a secure strategy and will ensure resilience throughout your entire supply chain and industry.