Secure Your Remote Workers: Quick Wins for IT and Security Leaders
The recent shift to a remote workforce increases cyber risk for most, if not all, organizations – even those more accustomed to working remotely. As IT and Security professionals, we need to be thoughtful as we consider how to address these risks, but we may be limited by the people and capital available due to the pandemic and economic downturn.
Here are several quick wins that do not involve significant cost, complexity, or time to deploy but can still reduce the cyber risk you are facing.
Review and refresh your Business Continuity and Disaster Recovery plans.
If you don’t have robust Business Continuity and Disaster Recovery Plans in place, you probably immediately recognized that over these past several weeks. Take the time now to review your plans in the context of activities recently performed, and evaluate successes and improvement opportunities. Plan tabletop and functional exercises to further evaluate the plans that are in place. To get started, or as a guide for improvements, Ready.gov provides consumable and practical tools, and NIST.gov has more exhaustive, time-tested materials available.
Security risks could also increase if threat actors decide to take advantage of gaps that exist in our current physical or cyber infrastructure, or if another similar or unrelated event occurs in the near future. Preparation and rehearsal will help you maintain (or recover) the confidentiality, integrity and availability of your critical infrastructure and information assets.
Accelerate companywide cyber training efforts.
You likely already have periodic cyber user awareness training in place. But if you only conduct annual cyber training and provide little ongoing messaging, now is a great time to accelerate your efforts and communication campaigns. Tailor content based on department (and technical versus non-technical roles, when possible). Give users a simple mechanism to report a phishing email (preferably a single click in Outlook or another email client). And remember, as I did with this section, keep trainings brief!
Test your users with ongoing phishing simulations.
Attackers are routinely sending malicious emails to compromise your users’ machines and gain a foothold on your network. Deploy ongoing simulations to determine how willing your users are to click a malicious link. It’s far better to fail a test than the real thing. Simulations can be built in-house, but there are many inexpensive off-the-shelf solutions as well. KnowBe4 and Proofpoint (Wombat, previously) are both good options.
Target phishing content based on department and key high-risk employees or groups. Use gamification and reward good behavior instead of publicly shaming or punishing users (though repeat offenders should be given special attention). Capture a baseline to monitor improvement over time, and track successes (reporting rate) as well as failures (click rate).
Keep in mind that events that threaten day-to-day operations will continue to happen. Phishing emails will make their way to our users’ inboxes. But a heavy dose of preparedness, training and testing done properly will reduce the likelihood of experiencing a highly destructive incident. I hope you will implement these recommendations to address the challenges we will all continue to face as we move through and beyond COVID-19.