In 2020 many organizations, in order to keep operating, were forced into a rapid shift to working from home wherever possible, in what is probably the largest global proof of concept (POC) we are ever likely to see, and one that truly tested their business continuity and resilience planning. Whilst cybersecurity was not a primary concern for business leaders focused on keeping the business afloat and employees safe during unprecedented pandemic challenges, it became one soon after, as security and data governance issues presented themselves.
Now, as the world's reliance on the advances of science paints a picture of success with ever-increasing confidence in vaccine deployments, the days of individual and continual COVID testing for significant swathes of the population could be coming to a halt. Concurrently, many businesses in countries where vaccine deployment is at an advanced stage (as of 24 May more than 1.68 billion vaccine shots had been administered, according to Bloomberg.com) are now planning to return to the office. Does this introduce the need for a new type of testing regime?
At BSI, we are engaged with a number of organizations who have sought our support as they realize that it is now both timely and essential to put cybersecurity and data governance at the forefront of their thinking. The key activity they require support with is testing the cybersecurity of the new operating model, so that exposures created in the work-from-home (WFH) environment are not carried back into the office.
Such security testing allows organizations to identify and address security gaps across the triad of people, process and technology that together make up the business operating model. The intent is to find and close those gaps before cyber-criminals find and exploit them.
Looking back over the past 12-15 months and the changes to ways of working brought by the pandemic, organizations returning to the office need to consider four key areas:
- Security testing of external assets
- Security testing of internal assets
- Employee awareness and security training
- Establishing resilience to cyberattacks
Before enabling a wholesale return to traditional office-based ways of working, all externally exposed remote access services (VPN gateways, remote desktop services, cloud portals and the like) should undergo security testing to confirm that they are configured in line with corporate policy and industry leading practice, and that controls such as Multi-Factor Authentication (MFA) are actually enforced rather than merely available. Where a service is no longer required once the business is back in the office, it should be disabled and decommissioned, not simply left idle, to minimize the external attack surface; an unused but still reachable service is an unmonitored one. Security testing should therefore be conducted before the return begins and at regular intervals thereafter, to ensure the continued security of external assets.
Whilst most businesses have been working from home, a significant number of office assets left idle on the network have fallen behind on patching and update management. It is therefore essential that businesses invoke a rapid program of discovery, first to identify the exposures through testing and then to mitigate them through effective and rapid vulnerability and patch management. Additionally, as employees bring their own devices (BYOD) into the office and connect them to the network to recover information processed while working at home, the weaker security posture typical of home networks should be taken into account, along with the risk that such devices introduce other exploitable exposures. A process for device testing and sanitization should be established before unvetted devices are allowed onto the corporate network.
Since the start of 2021 ransomware has become one of the most prevalent tools in the cybercriminal's arsenal, and phishing remains an easy route into corporate networks for threat actors. Working from home for a prolonged period will inevitably have led, in part, to a culture of complacency. With work volumes increasing and on-screen fatigue and digital exhaustion omnipresent, threat actors are taking advantage more than ever with sophisticated and hugely damaging phishing campaigns.
BSI therefore recommends that clients consider conducting periodic simulated phishing campaigns and deploying employee awareness training in the run-up to the planned and phased return to the office. Other variants of phishing to cover include smishing (SMS fraud), vishing (voice fraud) and business email compromise (BEC). Used appropriately, and run openly as a declared training exercise rather than to catch people out, this can be a highly effective culture-change tool to help staff ready themselves for the return to traditional office-based routines. Some organizations are even considering gamification to promote the benefits of the awareness training and to build realistic phishing simulations, empowering employees to identify and avoid such attacks and to stop malicious content from entering the corporate network.
All these tests and security actions combine to improve the overall cyber resilience of the organization, which brings to the fore the fourth consideration: assessing, and improving where necessary, the organization's detection and response capability. What would your organization's response be if an attacker were to succeed in gaining access to your corporate network? Without visibility of your assets, both internal and external, including remote end-user devices, protecting against the latest tactics, techniques and procedures (TTPs) of threat actors is near impossible.
Furthermore, a cybersecurity response team that has never rehearsed an incident cannot be assumed to be prepared for one; the absence of testing is itself evidence of a gap. Such rehearsal can be conducted through attack simulation exercises, either red team (an offensive exercise, typically without forewarning the defenders) or purple team (offensive and defensive teams working side by side), which replicate the activities of real-world attackers in a risk-controlled manner.
In summary, organizations should take this opportunity to reinforce security as a core risk management topic through proactive security testing. As with everything security related, this should not be a one-off activity conducted because of the return-to-office event, but part of a continuous process in which security testing is carried out on a regular basis. After all, "failing to prepare is preparing to fail", and as we have seen with COVID testing, a failure to test adequately and regularly can lead to dire consequences.