Category Archives: Security Risk Assessment

Cybersecurity in the Age of the Coronavirus: The Impact on Business Operations

Cybersecurity in the Age of the Coronavirus: The Impact on Business Operations

As the global workforce shifts to remote work, business operations and management face a number of obstacles. As mentioned in the previous article, the line between our work lives and our personal lives are blended now more than ever. Pre- pandemic predicted cybercrime will cost companies $6 trillion globally. According to research, last year, governments and government organizations were attacked most often, followed by industrial companies, healthcare, education, and finance. 

Business networks are now accessible from home, posing a risk to the security of business operations. We’ve seen changes in the way leadership makes decisions for business performance. During these unprecedented times, the movement to cybersecurity concentration is rapid, with little to no room for error. Cybersecurity is built in layers and it is impossible to protect a network forever. However, leadership must conform to a balance between risk mitigation and business efficiency.

In this day and age, business leaders are getting a daily lesson in large scale systematic failure during COVID- 19. They see and read how quickly COVID- 19 spread around the world and how it affects economic, social, political, and business systems. It is imperative to provide real- time capability and adaptability of the company’s cybersecurity defenses. The gap between cybersecurity risk and defensive effectiveness is as wide as it’s ever been for most companies, and experts warn that it could get even worse once the pandemic subsides. New cybersecurity risks will emerge and defense has to continue to be ahead of them.

Board members often ask “Are we spending enough on cybersecurity?” rather than “What do we need to protect, what is the value of what we need to protect, and how secure is it for what we’re spending?”. Digital success and failure start at the top, so they need to have a deep understanding of how cybersecurity complexities work. Some say the pandemic is actually helping companies by urging executives to focus on cybersecurity and their digital business system, calling for a structural reform for some companies. 

IT teams who once had physical access to employee machines now lack the time and accessibility to address commonplace issues. The absence of onsite diagnostic teams calls for automated threat reporting and diagnostic tools such as endpoint detection and response. Business Continuity Plans and Disaster Recovery Plans are important to the flow of business operations by ensuring that resources are available, to keep employees online, and to guarantee constant communication.

Additionally, the way employees access data is now heavily reliant on VPNs. As a result, VPN gateways are running at or near capacity. This means that corporate IT departments need to leverage all the tools at their disposal to keep loads manageable so that the VPN gateways aren’t overwhelmed and unable to provide the necessary access for remote workers. Because of this, just one DDoS attack can take down an entire company. Cybercriminals know that employees are more exposed and less cautious when working from home, so it is important that IT stays up to date with software patches and take appropriate actions to mitigate risks. 

Along with higher VPN precautions, companies have been increasing the use of advanced concepts of threat hunting, including detection and incident responses. It is not possible to keep the threat out of the perimeter forever, so it is important to seek out the target and actively address it without giving up a basic layer of protection. Organizations have also invested in educating employees on cyber threats and their impact. Organizations have reported higher victimization of phishing emails, prompting the adoption of more innovative approaches.

Security teams are now emphasizing employee security awareness and training. Doing this while providing a basic layer of protection can create a more effective prevention and defense strategy. Organizations that do not practice cyber hygine have reported higher phishing victimization.

The risks of entering networks through third- party vendors have also increased. There is more evidence of attempts to insert malicious code, exploit external suppliers and outsourced technologies, generating higher threats and more vulnerabilities. Organizations have shown a higher dependency on outsourced tools to maintain ongoing operations such as marketing and communication tools. This may result in the higher exposure of sensitive data, expanding the potentials for supply- chain attacks. There are also more consumer- oriented online services such as E- commerce websites that are open to public access. These websites are overloaded with requests, and many of the financial processes are now made as online procedures. Phishing through these E- commerce websites is aimed at victims as both individuals and professionals.

Experts urge companies to proceed with caution. Reducing reliance on office VPN and migrating to a cloud solution is a must. Also, lock down the supply chain, as they can be an entry point for hackers. Ask your suppliers what they do to maintain security. Scale up benefits of cloud migration to virtualize the workforce. CISOs must switch their focus to four main points, rather than sticking with the traditional viewpoints.

  1. Focus: Focus on supporting only those technology features and services that are critical to operations. Focus on employee safety on the frontline.
  2. Test: Test the company’s incident response plan, business continuity and disaster recovery plan, and vendor requirements right away. Eliminating risk is impossible, but you can reduce the risk associated with a poor response.
  3. Monitor: Monitor all resources, including collaboration tools and endpoints.
  4. Balance: Cybersecurity teams are likely to receive a flood of urgent requests for cybersecurity. Allow policy exceptions that will allow teams elsewhere in the organization to get work done.

Many organizations never really take cybersecurity projects seriously because they are lower priority, but the Coronavirus has pushed cybersecurity projects to the forefront. Management has acknowledged that things will not go back to the way they used to be. This transition period marks a point in time where there are distinct opportunities for a new and more aggressive type of cyberattack to damage or slow business rather than the traditional goal of attaining money from many parties.

The Importance of IT Security Policies

The Importance of IT Security Policies

IT security policies are necessary in organizations as they define who has responsibility of what information within the company. Policies are the baseline of all procedures and should be maintained regularly.

Why Do Organizations Need Security Policies?

IT security policies outline rules for user and IT personnel behavior. These policies also identify consequences for not adhering to them. Policies are also crucial in ensuring compliance with regulations such as NIST and HIPAA. Policies should define risks within the organization and provide guidelines on how to reduce these risks. They should be modified to fit the company’s need.

Writing an Effective IT Security Policy

  1. Conduct a Security Risk Assessment to identify all your critical assets, vulnerabilities, and controls in your company. Use this assessment to determine ways to reduce or eliminate these risks.
  2. Determine the scope of the policy including who the policy will address and what assets will be covered.
  3. Ensure your policy is written to be easily understood by employees and enforced by management. Employees need to be explicitly aware of the consequences of not complying with the policy. These policies will help with the development of procedures, so it is important to write the policies clearly.
  4. Update your policies at least once a year to keep them up to date with your company’s procedures and security concerns.

Common IT Security Policies:

  • Access Authorization
  • Acceptable Use
  • Breach Notification
  • Change Management
  • Data Backup Plan
  • Employee Screening
  • Employee Training
  • Encryption and Decryption
  • Media Security
  • Network Security
  • Password Management
  • Secure Development
  • Security Incident Response
  • Vendor Management
  • Vulnerability Management

The need for certain IT security policies is dependent on the company data itself. For example, if a company handles customer health data, they should consider implementing a HIPAA Acceptable Use Policy.

How to Prevent Phishing Attacks Against Your Organization

How to Prevent Phishing Attacks Against Your Organization

What is a Phishing Attack?

In recent news, several large companies including Microsoft and Facebook have been affected by phishing attacks. Phishing is a type of cybercrime that happens when an attacker poses as a legitimate company or website in order to divulge sensitive information from the victim. This can be the victim’s social security number, credit card number, or login credentials. Phishing attacks can take place over the phone, instant messaging, or email. Phishing differs from other cybercrimes as it requires human interaction; attackers target end- users rather than the actual computer systems. These attacks can be damaging to a company; however, they can be prevented.

How Does a Phishing Attack Work?

A common example of phishing occurs when a company employee receives an email prompting them to change their company password. This email usually includes a link that brings the victim to a legitimate looking website. Here, the victim inputs their credentials. The attacker now has the victim’s login information and access to the company network. After gaining access to the company network, the attacker may be able retrieve confidential information to hold as Ransomware or find other security holes to exploit.

How Can I Prevent a Phishing Attack?

1. Use Web and Email Filters

Applying web and email filters can help filter out spam content from legitimate content. See examples of web filters.

2. Compose New Hire and Annual Security Training for Employees

Many times, attackers can bypass web or email filters, so it is vital to provide comprehensive security trainings to employees. Educate employees on the different methods attackers may use and the consequences phishing attacks may have on the company. Send a fake phishing email to employees to familiarize them with illegitimate emails and webpages. Train them on ways to identify a phishing email. Also, have a well- written Acceptable Use Policy and Security Awareness Policy.

3. Stay Updated

It is crucial to frequently update your anti- virus software, firewalls, and operating systems to prevent an attacker from exploiting any security holes. Run routine security scans on all machines and perform regular Security Risk Assessments. Additionally, check that your Disaster Recovery Plan is updated frequently and working.

4. Review Company Website and Information

Phishing attacks require the attacker to research the company such as employee names and contact information. Attackers may also look into the vendors the company uses such as types of machines and operating systems. Ensure that accessibility to employee and vendor information is limited.

5. Be In the Know

Be aware of new cybercrime cases and vulnerabilities in the news, blogs, and security bulletins. Often, security cannot keep up with attacks, so it is important to be alert of new types of attacks. Websites such as The Cyber Wire post daily security briefings.

Prevention is Key

Recovering from cybercrime can be rigorous and exhausting, so having preventive measures in place is the most practical solution. By combining technical controls with security awareness, you can mitigate the risk of a phishing attack against your company.