Aaron Turner
According to the World Health Organization, COVID-19 is now officially a pandemic.
The impact of COVID-19 struck close to home for me this week as at least two attendees at the annual RSA Conference fell ill to the virus. I spent the entire week in San Francisco at the RSA Conference catching up with longtime friends, speaking in several sessions and walking the Expo floor. For myself and our company, HighSide, I’m grateful to have no symptoms two weeks post-conference and that our company enables employees to work from wherever they have an internet connection to stay productive.
As the virus continues to spread, new regions are quarantined and companies begin their work from home contingency plans, our customers handling regulated and sensitive data have begun asking us how they can ensure continuation of operations from home.
This can be a tricky question for organizations that deal in PII, PHI and other sensitive, controlled data. An effective, secure and compliant, remote work strategy is critical.
Legacy Collaboration Tools Create Risks for Remote Workers
For many organizations, this can be a challenge as legacy infrastructure such as Virtual Private Network (VPN) systems are often bottlenecks and both traditional collaboration tools like email, and “modern” collaboration tools like Slack or Dropbox, have insufficient security capabilities to protect sensitive information.
This is especially important as knowledge workers need to access and share data which could be subject to GDPR, CCPA and even Export Controls such as those associated with ITAR. Most of those tools use IP address restrictions to protect sensitive data and everyone who has bypassed a GDPR-protected news site knows that a free VPN can achieve that goal.
I’ve been asked by many clients about what organizations should be doing to be better prepared to deal with cyber risks associated with COVID-19 and here are key priorities to focus on.
Focus on Email Hygiene
The US Department of Homeland Security released a warning on March 6 outlining how cyber criminals are using the COVID-19 situation to take advantage of people. Most enterprise email services such as Office 365 and G-Suite have basic email hygiene capabilities, but many email administrators have not enabled them.
Now is a great time to begin tightening email policies and creating awareness campaigns for employees to let them know what is and is not appropriate to send through email. This is not merely an inbound email problem from phishers and scammers, but is also an outbound problem with what people are sending to each other and to business partners as attachments.
Remember that every email sent can be read and inspected by potentially dozens of intermediaries without the sender’s or recipient’s knowledge, this includes any attachments sent with emails as well.
Create Clear Policies and Controls to Protect Sensitive Data
With many organizations using Software as a Service (SaaS) platforms like Office 365, G-Suite, Zoom, Slack and others, employees need to understand the vulnerabilities in those systems when they are sharing data while working remotely.
For example, Slack has been very transparent in their government filings that they cannot assure the security of information flowing through their system. Every bit of information sent to Office365 or G-Suite can also be intercepted, manipulated and altered with relatively simple attacks by anyone who has access to network infrastructure which lies between the user and those SaaS services.
In a talk I delivered at an IANS Research Forum in 2019, I outlined three key areas organizations relying on SaaS systems should focus on:
1 – Root of trust hygiene on all systems connecting to SaaS systems
If an attacker is able to inject a root of trust into a laptop or mobile device, then they are able to get every username & password and every bit of data sent to SaaS platforms. You can read more about the details of how to protect your organization from these risks in my IANS Research report on how to Ensure Traveling Users Understand and Mitigate Potential Infosec Risks.
2 – Use secondary encryption on sensitive data stored in SaaS platforms
Most large organizations have very poor privileged user management for global administrators who have access to every SaaS user’s data. To avoid global administrators gaining unauthorized access to data, independently-generated and managed encryption keys should be used. Remember that everything sent through SaaS services such as Microsoft Teams, Slack and Zoom is visible to the platform administrators and the platform operators.
3 – Use multi-factor authentication (MFA) for all SaaS interactions
The number of incidents we’ve been called to help clean-up due to cloud service compromises has been significant over the last 5 years and the number keeps growing. Only strong MFA can help reduce those risks, and as Georgia Weidman and I spoke about last month at RSA, it’s extremely important to choose an MFA solution which really solves the problem, and getting real telemetry from endpoint devices about exactly where users are located is becoming more important every day for regulatory compliance capabilities to protect export-controlled or GDPR-protected data from unauthorized cross-border transfers.
Shadow IT used by Remote Workers Creates Compliance Headaches
Additionally – companies need to help users avoid Shadow IT: Sometimes users’ best intentions can expose sensitive data to third parties when they’re just trying to be productive.
The use of consumer messaging and collaboration systems such as WhatsApp, iMessage, Facebook Messenger, Hangouts and others all allow for the operators of those platforms to have full access to all information shared through those systems.
It is important for organizations to create channels that are just-as-easy-to-use as those consumer-grade systems, but assure the confidentiality and integrity of the data shared through them.
As we all deal with the uncertainties around COVID-19, we hope that business leaders remain rational, help avoid large-scale economic impacts and create a secure and productive environment to keep their organizations productive.
Our mission at HighSide is to protect people, applications and data from the most-sophisticated attackers, and the current situation is one where we’ve been successful helping many organizations achieve these goals.
If your organizations needs help with email security, geolocation-controlled MFA and secure collaboration, or has any questions about work from home continuity and compliance, please do not hesitate to contact us today.