Guest Post from TETRA DEFENSE
2020 has come with its own set of challenges, including information security challenges. To put it in what is a vast understatement, organizations have had to contend with several new obstacles to business as usual. COVID-19 brought about a vast shift from office work to an emergency work-from-home workforce, strain on organizations in the healthcare and supply chain industries, and, arguably, an easier target for threat actors when it comes to cybersecurity and cyber risks.
In information security, an industry that changes daily, and at a time when adaptability is necessary, we value collaboration and communication at every turn. In an effort to provide a clearer picture, and ideally, better insight into what cyber risks may come next, we’ve turned to prominent CEOs and Founders of several organizations. As they manage the operations of their organizations, what can we learn from how their priorities have changed (and how they plan to change)? As Tetra hopes to make stronger connections between IT and C-Suite teams, we’re here to ask: “What’s a CEO’s primary focus for cybersecurity in 2021?”
Policy Priorities
__________________
Manav Mital
The one thing that keeps me up at night is securing access to sensitive information. With the sudden shift to remote employment, every company – including ours – has had to subscribe to many new cloud/SaaS services to be productive. That means employees are often working from laptops and systems that may not benefit from the traditional security controls. With all of our business truly on the Internet, one single error on an employee’s part, whether it be visiting the wrong website, or connecting to the wrong WiFi, or forgetting to apply a critical security patch, or clicking the wrong email link, could trigger a chain of events that leads to loss of our IP and customers’ trust. All it takes is one careless mistake.
The best safeguard against this scenario, in my view, is making sure we minimize the blast radius of any such compromise. And there’s definitely one thing that we all can do more of – making sure that a single engineer or analyst doesn’t have the keys to all our vaults. Instead, everyone should have just enough privileges to do their work without dampening productivity. We are big proponents of “policy-based access control” and enforcing the concept of “least privilege.” If more organizations embrace these principles, I’m positive we’ll have fewer sitting ducks for hackers over the next few years.
Tetra’s Director of Business Development, David Kruse adds, “There’s nothing inherent in a network that clarifies privilege. You need to draw lines in the sand around the systems & data that you want each employee to have access to based on their role.”
Martin Seeley
The COVID-19 pandemic has forced companies to shift from an office work setup to a remote work setup, and with a new setup comes new challenges. With employees having to use their own devices and networks, businesses need to deal with new challenges and new threats to data security. So, it is necessary to strengthen data privacy and cybersecurity.
Within the company, for the remaining months of 2020 and the upcoming year of 2021, part of our focus will be to assure that our company data remains safe and secure. Some of our plans to assure that our company data remains safe and secure are:
- Having clear policies on how to handle data.
- Using an application to monitor data usage.
- Implementing two-factor authentication (2FA) and using a VPN.
Michael Hammelburger
The increase in cyberattacks has concerned me and my organization a lot. We’ve had multiple incidents where hackers attempted to infiltrate our systems and accounts during this pandemic period. We’ve noticed an increase in phishing scams related to real estate. Most scammers are taking advantage of this period when people are vulnerable and depressed. For instance, they send emails to homebuyers presenting themselves as “supposed” real estate agents or worse, legal representatives instructing the unsuspecting reader to immediately wire funds to reserve the property or close the deal.
By ensuring a cybersecurity program in our organization, which includes guidelines on hardware and software security & personnel management and conduct, we’ve been able to mitigate the impact of cyberattacks that would have cost us thousands of dollars in terms of identity theft and lost private data. Normally, our human resources, IT department and executive board review these policies to prevent any attempts at infiltrating our system. Employees are important in disseminating policy awareness to ensure that compliance organization-wide is observed.
Updating What’s Necessary
__________________
James Ryan
Time for Homes is a national nonprofit dedicated to eliminating chronic homelessness through a health-based approach. As we are experiencing growth beyond our original goals, we’re focused on ensuring that we are able to maintain the tools we need for our fully remote environment in a secure, accessible way. Using enterprise-level licensing in Microsoft 365 and enterprise-level Cloudflare plans, we are able to mitigate the risks of growth on cybersecurity. Next year, we will be reevaluating our hardware and authentication methods.
Tetra’s Senior Vice President of Digital Forensics & Incident Response, Nathan Little adds, “A remote workforce should update their individual home routers. I would bet that 99% of people ‘set it and forget it’ and haven’t patched their router in years. Unpatched hardware can have numerous vulnerabilities ripe for exploitation.”
Scot Chrisman
Though I have hired someone to deal with our IT-related concerns, it is still part of my job to make sure that everything is in order. I am managing an online business, so cyber threats and risks are our biggest enemies. Ever since our operations [began], we continuously improve and protect our internet security system using encryptions and update them regularly.
For 2021, we are looking into the vulnerability of 5G technology, allowing cyber hackers and attackers more opportunity to exploit businesses and even our consumers. Since it will offer faster network speed and larger bandwidth, some of our existing cybersecurity software and measures might not be able to keep up with it, potentially endangering our data. Aside from updating our security patches, we will be using a VPN and improving our robust password security options.
Security Awareness Training
__________________
Dennis Bell
I have worked in the IT industry for the past 15 years. During that time, I have worked with everyone from local businesses to Fortune 500 companies. I also run a multimedia company that includes a site called Byblos Coffee, which is a rapidly growing platform I started last year.
Hackers, data loss, and privacy are continuously challenging a business’s cybersecurity. As new technologies emerge, we must catch up with these changes and update their system to protect against cyber threats.
As the CEO, my primary focus for 2021 will be on educating my employees. They should be aware of the cyber issues that may arise. Most of the time, they are the cause of these cyberattacks due to carelessness and lack of information. They fall easily for emails that have malicious intent, download attachments, and click on unknown websites. They unknowingly expose their computer systems to risks that can spread on their network. It’s vital to give them annual training to ensure that they are always up to date with the issues and solutions with cybersecurity. Increasing their awareness can help to reduce the threats that your company may face.
Cybersecurity must be every business’s top priority. When ignored, you’ll have to face the consequences it may bring to your company. If you’re aware of the risks, it’s much easier for you to protect yourself from these cybercriminals.
Konrad Rotkiewicz
As a recent [attack on a social media platform] suggested, it doesn’t matter how secure your system is when your staff is not trained to remain vigilant to socially engineered attacks. In 2021 we will invest in Simulated Phishing software to continuously and automatically verify our employees and train them if necessary.
Tetra is a firm proponent of awareness programs and employee security training initiatives — they are critically important for protecting the sensitive data that organizations possess, and employees benefit by learning how to recognize malicious activity.
Timo Wilson
The current and past year have shown a dynamic shift in many businesses. Many have come to rely on remote solutions to be able to continue their businesses, and along with it, the challenges of a digital workplace. As a CEO, I can attest to the vital role of cybersecurity, and the importance of providing your employees with a secure working environment to enable them to perform at an optimal level.
For the coming year, our cybersecurity focus will be on remote access training. With the ongoing pandemic looking to continue well into the following year, the volume of cyber-threats will also increase. This will not only focus on the digital prevention measures, but also on training employees to recognize and counteract social engineering cyber-attacks.
David Brasfield
COVID-19 changed the landscape of how companies and employees conduct their day-to-day business. This has created an increased challenge in keeping a larger remote workforce safe from cybercrime. Cybercrime is on the rise and shows no signs of slowing down going into 2021 — and that problem combined with a workforce that is spending more time working from home, outside the protection of the corporate network, means that we can expect that bad actors will increase their efforts to take advantage of isolated users.
A primary focus in 2021 for NXTsoft is end-user cybersecurity awareness. We will increase our efforts to educate users on proper cyber-hygiene and adherence to corporate policies to help them, and as a result our company, stay safe. Another area of concern for 2021 is the increased use of IoT devices. The increased adoption of IoT devices, both at home and work, is creating a new cybersecurity attack surface. These devices, for the most part, are lacking proper security controls. Businesses will be challenged with this new landscape and to determine how to protect their networks.
Staying Connected, Even While Apart
__________________
Stefan Chekanov
We’re all living in a highly remote world at the moment, and my business is no different. Brosix Instant Messenger is an IM service focused on providing businesses with secure private IM networks. Our sudden shift to remote work at the beginning of the COVID-19 crisis will likely continue well into the future. We’re even considering keeping our employees at home after the crisis passes. This raises a lot of questions about the security of our team communication. That’s why I believe that creating a secure communication environment for remote teams will be one of the most pressing cybersecurity issues of the year to come. The COVID-19 workplace disruption presents too many opportunities for bad actors to take advantage.
Tetra’s Digital Forensics & Incident Response Operations Director Ben Hartwick says, “Attempt to attend as many conference calls as you can with video turned on. Video meetings allow people to see each other’s reactions and to understand each other better. It also helps me to feel more like part of the team.”
This article originally appeared on the TETRA DEFENSE blog and was re-published here with permission.