In the spring of 2020, IT teams had a matter of days to retool their environments to handle entire staffs working from home. Under normal circumstances, that shift would’ve been rolled out meticulously over years. What security lessons have we learned in the two years of this great experiment? In this recap, we check in on lessons learned about the human and cybersecurity implications of scattering data and workers to any location with a solid internet connection.
The work-from-home revolution work introduced a host of new data security threats overnight. Employees working remotely log in through unknown WiFi connections, including vulnerable public networks in places like coffee shops. Data moves off corporate servers and into cloud settings. Personal vigilance wanes without the peer pressure of nearby co-workers.
All this gave many IT leaders the motivation (and executive support) to step up security programs during the pandemic. A December 2021 survey from software company MalwareBytes showed that 74% of IT decision makers had implemented new security tools since the spring of 2020, and 71% had implemented new cybersecurity training. As a result, 56% of IT leaders say their environment is slightly or significantly more secure than before the shift to work-from-home. If your security posture looks basically the same as it did in January of 2020, you’re probably leaving a lot of doors open to attackers.
Even if your team rose to the security challenge, your larger data ecosystem could still pose a problem. Jim Pray, chief technology officer at the Iowa law firm BrownWinick, says many of the cyber attacks his office saw during Covid came in through clients’ systems.
“We saw a big influx of our clients being hit because they weren’t prepared to go to work-from-home. They were getting Office 365 phishing hits, and then the hackers were trying to phish us by using the client accounts,” Pray says.
He’s describing a type of business email compromise scam, a category of cyber crime that exploded over the last two years. In these attacks, hackers take over someone’s email account and pose as a trusted partner. Many of the schemes have fooled workers into sending hundreds of thousands of dollars to fraudulent accounts. And people working from home make easier targets. In the past, an employee may have walked down the hall to confirm a message from a colleague. If that person is working at home, they may just click the link to speed things up.
These attacks illustrate a core fact of cybersecurity: Most cyberattacks start with a social engineering fail, such as an end user opening a malicious email attachment or unknowingly giving their login credentials to a hackers’ site. That means every cybersecurity program rests on enlisting every employee as a frontline defender.
But remote work and the pandemic have heavily eroded users’ cyber wariness. Working off-site can introduce distractions that chip away at anybody’s vigilance over things like fishy-looking emails. Security experts regularly discuss how to overcome the “fear fatigue” that has maxxed out the number of things we can worry about at any given moment.
Pratum vCISO Ben Hall urges open conversations about these challenges. “Encourage people to speak to managers about the issues they’re having, whether that’s having trouble accessing things remotely or just feeling like they’re being watched all the time,” Hall says.
Hall points to “shadow IT” as one big issue. Even if you don’t know the term, you know the situation: Numerous security safeguards make your company’s official technology tools a pain to use. So you just put a file on Google Docs and send the link to your co-workers. Hall says companies must face this reality and either make the official tools easier to use or embrace the shadow tools and make them more secure. “If employees are going to keep using Google Drive, consider a business subscription so you can apply some controls around what’s there and how it’s stored,” he says.
“Make it easier while maintaining security,” Hall adds. “Encourage everyone to be vocal and polite to work on the solution together."
The best security cultures have learned to stop referring to employees as security vulnerabilities (a common IT attitude) and start viewing them as security assets. That’s not just a matter of semantics.
Many employees see phishing tests “as a gotcha,” BrownWinick’s Pray says. That’s understandable considering that some companies have posted lists of employees who fail the test or threatened to fire anyone who fails three tests.
That’s sending the wrong message, Pray says. “We want them to know that we don’t want them to click the tests. We want them not to click the test.” Instead of taking a punitive attitude toward those who fail the test, identify ways to improve their performance next time. “If a lot of employees fail a phishing test, I have to see that as a failure on my part, not the employees’,” Pray says. “So we’ve ramped up our training.”
If you’re looking for simple ways to gauge your IT program’s security maturity, check how you’re handling these basic policies:
Pratum’s Hall encourages leaders to embrace the inevitably of a changing workforce and find ways to handle it successfully. “We have to control it without being controlling,” he says. “It seems like a hybrid model is going to be a popular one. Encourage your staff to do whatever they need to do their work.”
For help identifying your work-from-home risks and opportunities, contact Pratum to talk with one of our cybersecurity consultants.
Every effective cybersecurity program includes regular tabletop exercises where your team gets to practice dealing with a security incident. And realistic exercises start with choosing a scenario that’s appropriate to your actual security risks. In a recent blog, we shared tips for conducting the tabletop exercise itself. In this post, we share three basic scenarios to get you started on creating the right situation for your exercise.
Note that the scenarios shared here don’t come with answers to each problem. A tabletop exercise isn’t a fill-in-the-blank exam. It’s a convincing simulation that lets your team practice working through your incident response plan and a key way to identify needed changes in your incident response plan. Use these sample scenarios to start dreaming up situations that will give your team the most realistic experience.
You’ll find a few common aspects in every good scenario:
With any scenario you use, structure the exercise so that participants have to answer the following questions:
Backstory: You’re a midsize professional services firm with 100 employees, which includes a three-person IT team.
Day 1, 7:05am
After a long holiday weekend, a couple of early birds arrive at work and report to IT that they can’t access files on their workstations or the network drive.
Day 1, 7:35am
IT team members rush to the office and find that numerous files on the server and workstations appear to be encrypted.
Day 1, 7:55am The only file anyone can open is one that has appeared in every directory. It’s called RECOVER-FILES.txt. Upon review, the team discovers that this is a ransom message and decides to notify the IT leader.
Day 1, 8:05am
The team realizes that the IT leader is on a cruise and unreachable.
Day 1, 3:50pm
Upon further investigation, 80% of your workstations and 50% of your servers and applications were encrypted. Forensic analysis found evidence of data exfiltration and indicated that the threat actors were actively in your network for months before the attack. Recovery will probably take several days or weeks. Not all data is recoverable.
Backstory:You’re a family-owned, 60-person company that builds components for large agricultural equipment manufacturers.
Day 1, 4:05pm
The CFO receives an email from the CEO, who is traveling in China. The CEO’s message shares greetings from his wife and mentions how much they enjoyed their time in Beijing. He goes on to say that he has decided to proceed with the purchase of a large piece of equipment that the team has been discussing for weeks. He gives the CFO a bank account to use for the $400,000 payment, and the CFO makes the payment.
Day 5, 8:05am
When the CEO returns to the office, the CFO mentions the purchase to him, and the CEO responds, “I never told you to make that purchase. What are you talking about?” The C-suite calls IT in to investigate whether the CEO’s email has been compromised and where the money went.
Backstory:Your company runs a cloud-based sourcing service. Customers log into your portal to order the parts they need to conduct operations each day.
Day 1, 10:02am
A customer submits a support ticket saying that they can’t get into the Admin Console for your service and can’t query data from their database for custom reporting. Your support team attempts to use the service and discovers they can’t get into it either.
Day 1, 10:10am
Your internal team sends the issue to your offshore software development team—and they can’t get into the service either.
Day 1, 3:45pm
Forensic investigation finds a ransom note and also discovers that the threat actor was able to capture cached admin credentials and pivot to other systems and resources.
Day 1, 4:59pm
You realize that the attacker successfully exfiltrated critical data and is threatening to disclose it if ransom isn’t paid. You haven’t yet determined what data they exfiltrated
Clearly, each of these scenarios can go in a lot of directions and will give your team plenty of things to discuss. If you’re just starting to use tabletop exercises, you’ll usually benefit from having an experienced third-party expert help develop the scenario and lead your team through the exercise.
Contact Pratum to talk with one of our cybersecurity consultants.
Leading a business means deciding which risks are worth taking, and a business impact analysis (BIA) provides a critical resource for making informed risk management decisions. This blog explains how to conduct an effective business impact analysis that will point you toward the right investments for your overall risk assessment strategy.
Let’s start with a few fundamentals: At the basic level, your risk management goal is identifying the likelihood and impact of any given risk. You’re looking for answers to questions such as, “How likely is it that our ERP platform could go down? How long would it take us to restore operations? How much does it cost us every hour that our ERP is down?”
A risk assessment helps you identify your vulnerabilities. With that information in hand, you can then conduct a business impact analysis to help you determine what will happen to your organization if you actually take a hit in a vulnerable area. The business impact analysis assigns actual costs to each risk, which then guides creation of plans and policies that let you prepare accordingly.
Your budgeting process becomes much more clear when the business impact analysis puts a price tag on specific operational interruptions and points to whether you should invest in preventing or mitigating those interruptions. (For help making sense of all the terms used in the realm of incident response, read this blog summarizing the relationships among incident response, disaster recovery and business continuity.)
Your team assigned to the business impact analysis will need to set their minds to “glass half empty” mode. Think about all the bad things that could befall your organization. Common scenarios include:
For each disruption, you should account for special timing that could amplify the situation’s impact. Think about your critical production times in any given year, or even in a given week or day. An issue that shuts you down for two hours at midnight on a holiday weekend is one risk level. It’s quite another if that shutdown hits at 1pm on a weekday.
Also be sure to consider dependencies within your organization. Identify where problems will start cascading to other areas, ramping up the business interruptions and costs.
Now that you’re thinking about worst-case scenarios, stay in the zone and start calculating the costs from the various disruptions on your list. Account for factors such as:
Knowing the costs will help you start to establish recovery time objectives (RTOs) and recovery point objectives (RPOs) in each risk area. The RTO sets expectations for how quickly you need to get running again in a specific area. The RPO identifies how far back in time you must go to recover the data you need. For data such as training materials, an RPO of a week or even a month ago may be fine. For other situations, such as market-driven financial data, your RPO may be more like 30 minutes.
Your business impact analysis team will follow these common steps:
For help with BIA and all other aspects of risk assessment and incident response, contact us today.
Get our blog articles delivered
to your inbox: