Enriching thoughts unfolded at the panel discussion on ‘Cybersecurity enabling businesses in COVID-19 situation’
- March 22, 2020
- Posted by: Subham Paul
- Category: Blogs
In light of the pandemic that has taken the entire world by storm, starting with China and then the European Union turning out to be the new epicenter, businesses have suffered big blows. The negative disruption brought forth by the global outbreak of the COVID-19 virus (or popularly known as the novel Coronavirus) has led to most organizations enabling their employees to work from home to ensure the continuity of their business. However, this brings with itself several implications from the cybersecurity perspective, along with people management issues in general. To throw some light on these issues, top security and risk management leaders took part in an intriguing virtual panel discussion on the topic ‘Cybersecurity enabling businesses in COVID-19 situation’ on 21st March 2020, hosted by CyberFrat – an enterprise risk management community.
As we write this, India’s count of people infected with the novel COVID-19 virus is far lesser than others, yet the rise is alarming. The unprecedented change in the working styles of almost every employee today has received mixed reactions. However, it is of utmost importance to ensure that security protocols are thoroughly observed to minimize losses to businesses in these testing times. As a step to spread awareness regarding the best practices in this regard, CyberFrat hosted a diverse panel involving exponents in technology, cybersecurity and risk management from multiple industry domains. The distinguished panel consisted of:
- Mr. S V Sunderkrishnan, Chief Risk Officer, Reliance Life Insurance – an industry veteran with over 3 decades of experience in Risk Management, Compliance, Claims, Information Security & Fraud Prevention.
- Mr. Kalpesh Doshi, CISO, FIS – an InfoSec and Compliance expert with CISA, CRISC, CEH and over 20 years of experience in ERM, Cyber Security, Project Management & BCM.
- Dr. Aditya Mukherjee, VP-JSOC, Synchrony – an Information Security Leader with more than 14 years of experience in leadership roles across InfoSec domains such as Defence & Law Enforcement, Financial Services, Communications, Media and Technology.
- Mr. Ajay C Bhayani, Director IT Security, AmbiSure Technologies Pvt. Ltd. – who lent the right direction to the discussion as the moderator. He is a technology evaluator and evangelist, and has consulted and delivered several projects in Phishing Protection, PKI, Application & Network Security in his career spanning over a decade.
Views mentioned during this online panel discussion are purely situational and advised from learning and sharing from the experience of the fellow practioners on the CyberFrat platform. The views expressed by the speakers are their own personal views and do not represent the views of the organisations they represent. Its advised to all readers to practice discretion before the application of any resolution advised during this discussion.
Analyzing the Status Quo
The panel kick-started the discussion with an understanding of the impact that the COVID-19 situation has had on the current state of affairs, admitting to the fact that social isolation has helped but the worst might be yet to come. Drawing similarities with how the WannaCry ransomware had impacted the world in 2017, the esteemed speakers spoke about how the impact of the current crisis has been very serious, with India being on the tipping point. Lockdowns shall jeopardize the Business Continuity Planning (BCP) of organizations and have large downstream impacts. Looking at the bigger picture, there is a rising need to combat the increasing fear, mass hysteria, and risks by exploring possibilities where technology can intervene to solve the crisis. The obvious solution amidst social distancing is effective and efficient remote working, for which CISOs have a huge role to play along with other business leaders in understanding the organization’s investments in security and Work-From-Home (WFH) capabilities and the readiness of its employees to adapt to the inevitable transition smoothly. Fortunately, many organizations have been able to survive because of timely precautions taken.
“The impact on the business is very high, but things will change for the better. It’s a good lesson learned.”Mr. S V Sunderkrishnan
Challenges in managing employees working from home
It is quite a logistics puzzle for companies to properly implement the temporary shift to WFH for the safety of their workforce. Barring the additional costs in procuring hardware, a lot of security software needs to be installed on the laptops that employees shall use at home. Moreover, with laptops getting scarce in availability, the trend of employees carrying their office desktops to home is likely to continue, bringing with it the challenge of monitoring changes made in company desktops outside office premises. While working on the Cloud is a good option, cost factors and managing shared responsibilities in the Cloud environment can be challenging. The new work culture has increased the chances of security threats by 4 times, with added responsibilities in enforcing policies on personal devices, filtering out genuine and malicious activities, giving special attention to critical mechanisms and to spread awareness about phishing, spam mails, spear phishing, social engineering, and fraudulent calls. The panel also discussed how employees usually show erratic behavior while working outside the office, often due to distractions at home, impacting business applications. However, organizations must tackle multiple problems strategically instead of rushing into forming solutions.
“Don’t put all eggs in one basket. Deal with concentration risk wisely. There is no shortcut to success!”Mr. Kalpesh Doshi
Technology-oriented solutions to ease the situation
Acknowledging the fact that remote access policies are very crucial at this point, the panel discussed how organizations should plan to scale up applications, especially the ones involving regulated data. Some of the key insights from the technical aspects of the WFH culture are:
- WFH has to be dealt with in chunks (phase-by-phase basis) to allow companies to mature into the new culture.
- Thin clients should be provisioned wherever applicable.
- System acceptance tests should be performed adequately before letting employees start working from home using company systems.
- Plans about regression testing, employees printing documents, managing endpoint agents, etc. should be properly laid out well in advance.
- Applications should have single sign-on enabled. There should be strong protocols for following internet policy on laptops. Opening forbidden sites must be monitored.
- User and Entity Behavior Analytics (UEBA) can be used for monitoring the usage patterns of employees, but only after identifying the correct benchmarks. Moreover, the behavior of privileged users has to be monitored carefully.
- Real-Time Asset Management should be deployed that can help in the monitoring system and hardware changes made to the office computers being taken home.
- Managing VPN usage, application access prioritization, bandwidth allocation to different kinds of users, firewalls, secured routers, etc. are some of the other key issues in cybersecurity for adapting to the WFH culture.
Cyber-resilience is the key to sustain
As most organizations struggle to identify critical processes and follow government norms, it makes sense to admit that only a fraction of all business functions can be carried out by employees from home. Processes involving regulated data should be kept inside office premises, otherwise, they shall be exposed to an increased array of cyberattacks. BCP has to be scaled up from the usual coverage of 10-15% of business processes alongside ensuring cyber-resilience and maintaining cybersecurity hygiene. As in most other cases, digital transformation is to play a major role to implement the required strategies, such as outsourcing security functions to specialized cloud service providers, enabling helpdesk teams with remote access, devising multiple backup plans, etc. Only a proactive approach to deal with such unprecedented events and timely mock-drills can provide the required immunity to companies. From a people management perspective, it is essential for all employees to stay connected as much as possible. Employees should work productively from secured areas following all security measures and work schedules, avoiding public unsecured networks. To maintain the right levels of motivation and to avoid legal trouble, the leadership teams must focus on communicating security awareness to minimize human errors and keep employees happy by giving usual attention to them and taking initiatives such as organizing virtual happy hours.
“We are talking about social distancing but in reality, this is just physical distancing. We can still stay social and connected.”Dr. Aditya Mukherjee
Insights from audience engagement
The panelists, apart from engaging in the discussion amongst themselves and busting several myths associated with the WFH culture, also answered the queries of the inquisitive audience. Here are some of the insights that were gained from these engagements:
- Optimizing network bandwidth – Usage of network resources and backing up information must be done in a judicious manner. This can be monitored better with a comprehensive review of all business applications being used.
- Countering data-theft – Employees must be made aware of the repercussions of committing any crime involving data-theft (unauthorized reproduction of data while working from home). Trust plays a big role in this regard.
- Managing 3rd party service providers – Vendor audits and regular follow-ups can help MSMEs ensure that their outsourced security functions are not getting compromised.
- Stay-at-office norms – Critical processes need to be carried out in office premises but only after ensuring that office cleanliness and hygiene are observed and social distancing is maintained.
A learning experience for one and all
The engaging 90-minutes long panel discussion threw light on several key cybersecurity aspects revolving around the BCP standpoint of modern businesses in the ongoing global crisis. It was evident how communication is the major key for the activities to stay in BCP and to keep motivating employees. Security is the main enabler amidst technological enforcements, yet the human factor has to be addressed as well. Moreover, hygiene must be observed everywhere and communicated properly to all stakeholders.
“This is great learning for all businesses that are largely dependent on IT – we have to still remain in touch as human beings rather than just users of technology.”Mr. Ajay Bhayani
The session concluded with the distinguished panelists appealing to the general public to refrain from sharing viral content that can unnecessarily spread panic and to avoid overbuying necessities such as groceries as that can impact us heavily later.
Wishing all our readers a safe journey ahead!The CyberFrat Team