Infosecurity and Contingency Planning: What Matters Most
This guest blog post is by Liviu Arsene, Global Cybersecurity Researcher, Bitdefender.
The COVID-19 pandemic has exposed a severe problem with businesses today. Half of organizations lack a contingency plan to overcome an unforeseen crisis. As often happens, dealing with the aftermath of an event costs much more than prevention, and too many companies learn this valuable lesson the hard way.
To solve a problem, companies need to understand it. In many cases, organizations don't have a firm grasp of the dangers they may encounter in the digital world, with leaders underestimating their business' attractiveness to threat actors.
The hard truth is that businesses face attacks all the time, but they're not always the devastating kind. Some companies might get hit by ransomware, which has the power to cripple operations for a long time. Others could face waves of phishing attacks. While the scope of those two problems differs widely, they are both cyberattacks, and there are a host of other types of security issues between those two extremes.
Any corporate security analysis has to consider that many employees now work from home. And while this new work-from-home paradigm is still in the honeymoon phase, with organizations realizing lower administrative costs, the security issues this unique situation uncovers will soon catch up. Lower rent for smaller offices and fewer on-site staff seems great, but it's actually a bad deal if cybersecurity investments don’t reflect the risks a new remote workforce presents.
However, when it comes to planning, the numbers don't lie. A recent Bitdefender survey shows that half of infosec professionals said their organizations have no contingency plan in place for emergencies like COVID-19. Even worse, some of them didn't know if the company had such a plan in place.
More than one threat per organization
It's easy to think of companies facing a single type of attack, but they usually have to deal with a variety of attacks that outline a unique organizational threat model. For example, 26 percent of the surveyed infosec professionals say that phishing and whaling are on the rise, and another 22 percent believe ransomware follows a similar trend. Comparable increases are visible across the board for other threats: social media threats/chatbots (21 percent), cyberwarfare (20 percent), Trojans (20 percent) and supply chain attacks (19 percent).
Data shows that the work-from-home ecosystem is at least partly responsible for the increase in attacks, but employees can't – or shouldn’t – be blamed. It's the organization's responsibility to prepare for situations like this and ensure people don't get caught unprepared.
Employee training can avert most situations infosec professionals describe, but it's not enough. Companies have to match the cybersecurity investments so that people don't shoulder the entire burden of security.
Planning and prevention
Contingency planning should be, for all intents and purposes, the cornerstone of risk management, but while companies have traditionally taken malware attacks and data breaches into account, they did little to plan for a global pandemic like COVID-19. If done right, the same contingency planning should also act as a protective blanket for an organization even if the expected critical situation never arrives.
Companies are very different, and contingency planning needs to be tailored to specific threat models. There's no silver bullet, but a few general measures could apply to all organizations and ensure their survival and resilience.
The first step is to identify all business-critical functions and the resources that would help them continue in case of trouble. Uncovering all these functions, isolating them, and increasing the security around them is vital for any organization.
Companies have to create policies and procedures for the current status quo, but they must be adaptable in the face of change. The policies and procedures must be regularly updated to reflect the present reality, and they are the primary tool a company has to fall back on when facing a new situation.
IT and security departments have to stay updated with the latest threats and prepare for them accordingly. Relying on automation is useful for day-to-day operations, but the human element has to remain informed as well.
Security and risk analytics collected by the IT security team can be used to find weak spots in the organization, while more granular information, such as digital forensics, can help identify what attackers are going after and where they were coming from.
Get the right stakeholders aboard and create drills
Contingency planning is a serious endeavor that should bring stakeholders in different business units and departments to the same table. And, while IT Security should be the main driver of the task force, the PR and Legal departments are equally important for containing an incident and minimizing the associated financial, reputational and legal costs.
Security is everybody’s business
Last, but definitely not least, comes employee training, arguably one of the most powerful, yet most underused, security tools. The COVID-19 pandemic revealed just how vital training is. One day people are at the office, and the next day they are setting up shop in the living room. Any contingency plan has to include training for employees, even when they are physically isolated from headquarters, so they can make the best security decisions unguided and unsupervised. Of similar importance is teaching employees how to correctly report security incidents or attacks, so the IT security team can minimize the vulnerability window or issue an internal heads-up for the rest of the organization.
Change is not the end
Sudden shifts in the business paradigm, like the sudden movement of the workforce from the protective umbrella of the corporate network to the unsecured network of the living room, often mean the end for some companies. With proper plans in place, backups, security solutions, the right policies and employee training, organizations can recover from seemingly impossible situations. But the harsh reality is that contingency planning requires extra resources that some companies are unwilling to spend. And by the time they are forced to spend money to deal with the aftermath of a critical situation, it might be too late.
About the Author
Liviu Arsene is a Global Cybersecurity Researcher for Bitdefender, with a strong background in security and technology. Researching global trends and developments in cybersecurity, he focuses on advanced persistent threats and security incidents while assessing their impact in critical public and private infrastructures. His passions revolve around innovative technologies and gadgets, focusing on their security applications and long-term strategic impact. When he's not online, he's either taking something apart or putting it back together again.