When COVID-19 began to spread beyond the original epicenter in Wuhan, China, calls for social distancing reached a fever pitch. Governments in hard-hit areas imposed stay-at-home orders and shuttered non-essential businesses. Faced with a rapidly evolving crisis, the private sector scrambled to implement work from home arrangements while securing their IT systems and data.
Inevitably, criminals began to capitalize on security vulnerabilities created by COVID-19. Shortly after the novel coronavirus struck the United States, the Department of Justice reported that fraudsters were sending phishing emails to unwitting recipients pretending to be from the World Health Organization and the Centers for Disease Control. Hackers also capitalized, creating malicious websites and apps that purported to share virus-related information, only to lock devices until payment was rendered.
The stakes for securing IT systems are particularly high for companies in financial services, healthcare, and other industries that process highly sensitive information. To ensure that data is safe, adopting these five security measures will build an IT security program that has the capacity and resilience to withstand even the most extraordinary of circumstances.
Develop, Implement and Maintain Comprehensive, Up-To-Date Contingency Plans
Waiting until something happens to develop appropriate response procedures is a recipe for disaster, and business continuity and disaster recovery plans should be in place well in advance of an emergency. What’s more, they should be reviewed and updated on an annual basis. When reviewing contingency plans, remove and replace any team members who have moved on from the company and make sure the updated contact information for every member of the incident command is included.
Once the plans have been created and updated, it’s time to test them. At least once a year, bring team members together to work through different emergency scenarios. Use a variety of exercises, from walkthroughs and tabletop exercises to functional tests that give team members hands-on experience reacting to scenarios in real time. Once the exercises are completed, conduct a “lessons learned” retrospective. Remember that the point of these exercises is not to pass the test with flying colors, but to identify any weaknesses in the program so corrective action can be taken before a real emergency occurs.
Train Staff on Security Awareness and Assigned Security Roles
Having contingency plans in place won’t be much help unless your staff is trained to implement them the moment a disaster occurs. Employees with assigned emergency response or security roles should be trained on the company’s contingency plans when they receive their assignments and at least annually thereafter. Staff who don’t have assigned security roles still require training in general security awareness, and the training program should address common social engineering scenarios. Don’t rely on recycled, one-hour annual trainings either. Base the company’s training on current, real-world situations and include phishing simulations to give staff practice in responding to security incidents. Lastly, familiarize the staff with mobile computing, bring your own device (BYOD), and other security policies.
Implement Security Controls Appropriate to the Work Environment
Whether your staff is working from home or coming into the office, the company’s security controls should address the unique requirements of your work environment. If the company is relying on teleworking, implementing robust endpoint protection and a VPN for remote access is essential. Conduct regular reviews of access privileges and suspend or terminate inactive user accounts. When establishing user privileges, grant only the least privilege required to perform assigned duties, which also supports compliance with applicable data privacy requirements like the Health Insurance Portability and Accountability Act (HIPAA). Take even greater precautions for users with elevated privileges by adopting ISACA and SSH communication guidelines to properly manage SSH keys.
Adopt effective technical safeguards for the IT systems, including proper malware protection, encryption, multi-factor authentication, intrusion detection systems (IDS), firewalls, and 24/7 network monitoring using a layered approach. Establish a multi-layered approach to facility security as well. Restrict access to areas that process or store sensitive information and install CCTV, motion detection sensors, and other mechanisms to monitor access.
Track User Activity
According to a 2019 report by the Ponemon Institute and IBM Security, the average time to detect and contain a breach was a massive 279 days. Ideally, the organization will be able to detect an incident well in advance of that, but if an unauthorized party does gain access to the organization’s systems and data, being able to reconstruct their activity will be essential to mitigating breaches and other damage and to preventing future occurrences.
To detect and mitigate unauthorized access, log and review access to the organization’s IT systems, networks, and facilities. Anything that can be logged should be logged. If it hasn’t already been done, invest in automated log management tools so that daily reviews of IDS, firewall, and system activity logs can be conducted without overtaxing the IT Department.
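The two recurring controls above, reviewing accounts for inactivity and reviewing access logs daily, are the kind of check that is easy to automate. The following script is an added example written for this article and is not the author's or DATAMATX's code; it assumes a constructed account inventory, a constructed simplified "timestamp user source result" access-log format, and a hypothetical 90-day inactivity threshold and 06:00–20:00 business-hours window that a real program would set by policy.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical, not from the article): each account's
# status and last successful login, plus a few simplified VPN/SSH log lines.
ACCOUNTS = {
    "alice": {"status": "active",   "last_login": "2020-03-30"},
    "bob":   {"status": "active",   "last_login": "2019-11-02"},
    "carol": {"status": "disabled", "last_login": "2020-01-15"},
    "dave":  {"status": "active",   "last_login": "2020-04-01"},
}

ACCESS_LOG = """\
2020-04-02T08:01:12 alice 203.0.113.7 success
2020-04-02T08:03:45 carol 198.51.100.9 success
2020-04-02T08:05:02 bob 203.0.113.7 failure
2020-04-02T23:41:10 dave 192.0.2.44 success
"""


def parse_log(text):
    """Parse the constructed 'timestamp user source result' log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "result": result})
    return events


def inactive_accounts(accounts, as_of, max_idle_days=90):
    """Active accounts whose last login is older than the idle threshold;
    these are candidates for suspension during the periodic access review."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(
        user for user, acct in accounts.items()
        if acct["status"] == "active"
        and datetime.fromisoformat(acct["last_login"]) < cutoff
    )


def flag_events(events, accounts, business_hours=(6, 20)):
    """Daily log review: report findings a reviewer should look at first."""
    start, end = business_hours
    findings = []
    for ev in events:
        acct = accounts.get(ev["user"])
        if acct is None:
            # Login attempt by an account missing from the inventory.
            findings.append((ev["user"], "unknown account"))
        elif acct["status"] == "disabled":
            # Any activity on a disabled account means the suspension did not take.
            findings.append((ev["user"], "activity on disabled account"))
        elif ev["result"] == "success" and not (start <= ev["ts"].hour < end):
            findings.append((ev["user"], "successful login outside business hours"))
    return findings


if __name__ == "__main__":
    review_date = datetime(2020, 4, 2)
    print("Suspend candidates:", inactive_accounts(ACCOUNTS, review_date))
    for user, reason in flag_events(parse_log(ACCESS_LOG), ACCOUNTS):
        print(f"REVIEW {user}: {reason}")
```

On the constructed data the script proposes suspending bob (no login for five months) and flags carol's successful login on a disabled account and dave's late-night login; the failed attempt by bob is left to the normal review rather than raised as a finding. In practice the inventory would come from the directory and the events from the log management tool, with the thresholds taken from the access policy.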
Build a Resilient Supply Chain
An organization’s supply chain is only as strong as its weakest link, so evaluate the security of third-party service providers and vendors with the same level of care given to the organization’s own security operations. Prefer suppliers that have validated their security programs through independent third-party certifications and attestations such as HITRUST, ISO 27001, PCI DSS, and SOC 1 and SOC 2 reporting. When evaluating suppliers, verify that they have their own contingency plans in place and implement stringent controls if their employees will access your networks, systems, or facilities.
It's often said that emergencies are a true test of character, but they are also a test of the resilience and capacity of a company’s data security program. Knowing what to look for and implementing the appropriate controls will help you survive the next major crisis and bounce back stronger than ever.
Scott Stephens is President of DATAMATX, one of the nation’s largest privately held, full-service providers of printed and electronic billing solutions. For more than 40 years, companies in the financial services, healthcare, insurance and other industries working with DATAMATX have benefited by leveraging the latest in technology and security to enhance the value of every customer communication produced and delivered. Find DATAMATX at www.datamatx.com