08 April 2020

Top 7 CISO Concerns During Social Distancing and How to Address Them

Philip March

While social distancing has become pervasive and, in some sense normal, there are both security risks and remote-worker concerns opening up that are top of mind to CISOs and CSOs alike. So it’s not surprising that an opportunity to connect and share observations, risks, tips, and tricks with others who are up against similar challenges would be a welcome activity.

Digital Mingling while Social Distancing

When the pandemic began to slow our in-person interactions, we took to video conferencing to check in on our CISO partners and see how we could help. Just as we’ve seen the pandemic bring neighborhoods and communities closer together, the same trend is happening in the security community. We have seen (so far) 18 CISOs come together to share best practices and lessons learned with each other to help strengthen security and enable the business. Because we are big believers in the power of crowdsourcing, we thought it would be useful to share both the concerns and the solutions that our network has come up with at a broader level.

The Usual Suspects

In our list below we’ll focus on the more surprising ones — ones that you might not think would be a key part of the transition to a remote workforce. But we’d be remiss if we didn’t at least capture some of the more obvious ones first.

Challenges around BYOD were brought up as important in the current environment, though not particularly new. Reduced visibility to network traffic when employees are working from home was another big one, unsurprisingly. Account and identity risks were a concern, particularly around merging of personal and corporate identities by employees. And Phishing, as always, was a big concern (though one CISO observed that the quantity hasn’t increased while the subject lines have shifted to exploit COVID-19.)

But some of the more surprising “ah-has” had to do with the irony of keeping workers secure while not traveling. It turns out that to secure in place is actually a very dynamic and global challenge. So, with no further ado, here are the Top 7 (more counterintuitive) concerns from our 18 CISOs:

Risk #1: Ramping eCommerce Too Quickly

There’s some truth to “move fast and break things,” according to some CISOs. COVID-19 is driving some businesses to transition to ecommerce hastily; and before they are really ready. This could be a company that is ramping their already-existing eCommerce business to quickly adapt to the social distancing guidelines. Or, on a riskier scale, it might be one that is desperately shifting from brick and mortar to eCommerce in order to save their business.

In either case, businesses that are looking at new operating models and rushing to implement them, are opening up significant security risk for themselves. This means there is a significant need for CISOs to jump in as those sites and apps will be built at speed and will no doubt have inherent issues.

Businesses and government agencies are already major targets. They will be larger targets now with the increased cyber activity focused on COVID-19.

One CISO recommends being alert in businesses that have closed street operations and are moving online. He suggests reaching out to major developers to see if you can help them at source rather than when the software is shipped. Most development companies don’t have enough testing resources at the best of times. Not surprisingly, our partners are big advocates of proactive security testing, and recommend conducting tests before releasing to production.

Risk #2: Delays in Background Checks

One problem you might not expect at a time like this, when the unemployment rate is its highest in years, is delays in bringing new people on board. As it turns out, background checks are getting slowed due to closure of some government agencies. This, in turn, is causing some delays in accessing new talent.

One CISO noted that the jobs most needed at this time are security roles which require good security/background checks. Ironically, though, these are the ones most being impacted due to background check delays.

Some employers are choosing to hire and bring people on board, contingent on the eventual passing of a background check. A word of caution from one CISO with a legal background: this can be a little risky. It turns out that once an employee starts work, even if they are brought on with a contingency, some legal exposure may occur and the action can be tough to undo if the background check comes back dirty. Accessing shared pools of talent or crowdsourcing has helped augment and scale internal security teams.

Risk #3: Productivity Decrease due to Internet Access and Bandwidth Issues

One “ah-ha” moment was when one of our CISOs said they had originally assumed all workers had at least basic internet access, something we actually cannot take for granted. After digging deeper, it turned out many of their employees didn’t. And with coffee shops no longer an option, the lack of access had become a major problem. And for those that do have internet at home, many of them have bandwidth issues.

Another CISO specified that with all workers now at home, those living in remote locations are seeing their bandwidth challenges exacerbated with a higher-volume of use. CISOs have had to step in and provide guidance such as: move closer to the WiFi access point to enable them to continue work.

On the brighter side, according to Consumer Reports a number of major ISPs including AT&T, Charter, Comcast, Cox, and Verizon have responded to the coronavirus pandemic by increasing data rates and removing caps in some cases.

Risk #4: Account/Identity Risks

According to one CISO in the group, a recent trend that correlates with the WFH movement is that workers often connect personal and work accounts. This might happen out of convenience or even by accident.

For example, someone might log into G-Suite with their personal account, but then access work-related accounts and/or share between their two identities. This might happen because it’s cumbersome to log out of personal accounts and into corporate ones. (People want quick information and this can mean consolidating all information — personal and private — into a native app). Another possibility is that a given employee may just have poor awareness of how they are logged into their accounts.

In either case, this can mean that digital identities are harder to manage and keep secure during this time and this increases risk to the corporation. Our CISOs recommend clear IT guidelines about separation of personal and corporate accounts; insist on corporate devices when possible; educate personnel on how to log into cloud apps with corporate accounts only; and discourage the use of corporate devices for personal use.

Risk #5: Managing Data Loss Prevention (DLP)

This was an area of great discussion among the attendees. There appears to be a split amongst the group with some using commercial (or even open source) solutions while others recommend build your own.

Some are using Aperture and this has worked well, being connected to all of their cloud apps.

Others have turned to an open source solution which puts the onus on the user to make the decision. If a problem occurs, the solution halts transactions, then slacks the user and they have to decide whether or not there is an issue; and restart the service if necessary. Yet others are building their own DLP solutions.

There was no real consensus on the best way to go about DLP and the “results do vary” as the familiar disclaimer says. But for every success there are headlines about breaches due to mistakes made by even seasoned execs.

One familiar refrain is to know where your sensitive data is, as this can help you stay secure; and conversely, the lack of this knowledge can sink you, regardless of which DLP solution you implement. Here’s an article about identifying and securing sensitive data that may help.

Risk #6: Video Conferencing Fatigue

Social distancing can still be socially exhausting…The prospect of having your work environment fully accessible at home can motivate people to get into an always-on mode which is hard to shut off. In some cases personal time may be abandoned in favor of answering the recent email or Slack that just popped up on your desktop.

One executive says many workers and execs are getting video conferencing fatigue since it is always there and meetings often run all day and into the evening. If you do a web search on this topic, you’ll quickly see that this is, in fact, a thing. Suggestions by the attendees included:

  • Take a screen break and, if you can, get outside
  • Exercise with a brisk walk
  • Use stretching and Yoga for those inclined

Risk #7: Restructuring

Restructuring and insolvency is on the increase, say CISOs with legal backgrounds. Any online business buy-out will require thorough due diligence.

As the security lead you should be part of that process. Find out how secure their systems are. Watch the news and follow stock share prices. Reach out as soon as you think there is a take over planned.

Think about it as “Security Due Diligence Delivered,” he continues. Companies pour thousands of hours into checking out the financial health of a business in the case of a potential acquisition. Yet security vulnerabilities can have a huge impact on a transaction. For example, in 2017, the Yahoo breach knocked off $350M off their deal with Verizon.

Whether you represent the acquiring company or the one being acquired, it’s worth spending some effort to understand the security “lay of the land” and identify (and fix) issues early in the process.

More Conversations Ahead

Well, there you have it, some observations and collective wisdom of community and crowd. We hope you’ve enjoyed this report-out. If you’re interested in joining the CISO-to-CISO conversation, email [email protected]. And for more insights on securing a remote workforce, view our webinar with Synack’s VP of Operations, Nick Harrahill, and CalAmp’s Global Head of Information Security, Greg McCord.