- Authentication: any enablement of remote access exposes systems to credential driven security risks. Password strength must be maintained, defunct accounts removed etc, but above all – as has been the best practice advice for some time – 2FA should be in place
- Network: use of properly implemented VPN’s to minimise risks of network enabled intrusions
- Device: IT staff will have to ensure that users are aware of rules on maintenance of malware protection/ keeping up to date versions of software/ control of approved software – and that those rules are somehow enforced. NCSC also mentions the enhanced risk of device loss (possibly less of an issue with everyone confined indoors), and also of USB drives or other removable storage devices – the use of which has in most cases been eliminated from usage on corporate devices, but is much harder to control when BYOD is in play
Crisis is opportunity for some
The UK NCSC has also issued advisories on the enhanced phishing risk which comes from the current circumstances and the heightened sensitivity which users have to any communication around Covid-19 related matters. (So far as we know there have been no phishing campaigns exploiting the great British toilet roll crisis – but one can see how it might be done.) Organisations are advised to make users aware of these risks and increase vigilance. Security measures are as much organisational (such as user education) as they are technical.
One thing leads to another
Clearly, the problem is not just potential access to systems or data located locally on remote devices themselves, but risks associated with access to a corporate network. Even if the initial intrusion is a single email account hijack, this can readily lead to broader intrusion through use of effective spearphishing. Remote access by IT admin personnel carries a higher level of risk, given the potential for lateral movement which this offers attackers.
Change generally bad for security
Any change in IT usage should always be seen as a danger from a security perspective – and should always have a security assessment associated with it. Some organisations will have had to implement significant technical changes at the “back end” to enable remote access. The temptation – at speed – may be to shortcut these processes or “take a view” on security risks identified in implementation on the basis that “needs must”. If this is the case there should be a robust mitigation strategy in place to manage those risks, and regular review of whether they remain appropriate as time moves on. In addition, change need not always be technical in order to introduce risks – historic security assessments may have permitted certain features or usage on the basis of types of user permitted, or volumes involved. Any change in those factors should drive a new security risk assessment.
Sensitive systems/ sensitive uses
Some systems clearly carry heightened levels of risk from a security perspective – and some organisations are of course subject to higher standards and higher levels of scrutiny because of this, including any which process financial information, could be used to enable fraud, or underpin continuity of key infrastructure such as financial services, or OES under the NIS Directive. Indeed, the crisis is broadening the concept of what might be considered de facto key infrastructure for these purposes (think supermarket websites/apps, and those toilet rolls again). Any change to these systems or how they are accessed clearly requires a heightened degree of scrutiny and/or mitigation strategy.
Crisis management vs hygiene
As a more basic point, the stretched resources which organisations have in IT or information security may well be focusing their time right now on the issues above – managing risks associated with the current circumstances. Obviously, it’s also important that they do not take their eye off the ball on key security basics – these are the kind of issues (such as effective patch management) which cause significant regulatory action if they lead to security incidents. A balance is therefore needed between responding to the crisis and minding the day job.
Supply chain issues
No organisation these days relies only on its internal resources for IT – there are inevitably suppliers, and those suppliers are under exactly the same pressures. They are asking for the ability to vary normal processes – and normal security rules – in order to continue service. Customers should be reluctant to grant those approvals without some comfort as to what security features will be in place for supplier remote working, and the potential impact which those have both on continuity of service and data security. Liability waivers are likely to be requested, but looked at closely by customers – to ensure that they are not a “free pass” to suppliers to do whatever is needed (security be damned) to keep service running.
Is leniency available?
The somewhat good news is that some of the mood music is encouraging from this perspective. The UK ICO has said that it recognises that the crisis is introducing some unique challenges in meeting data protection obligations, and offered some suggestion that any failings will be looked at in that light.
That being said, it seems likely that any leniency is will apply primarily at the SME end. Larger organisations will most likely be expected to cope without material failings. Those in the critical infrastructure sectors are, of course, expected to have had a robust business continuity plan in place for the current events, which should be capable of maintaining cyber security in a crisis.