When a disaster strikes, is your organization ready? More specifically, is your cyber security strategy prepared to adapt to a modified work environment?
Communications are critical for an organization when an incident occurs. Leadership must effectively share information with the workforce. For some organizations, this requires enacting the critical communications plan that has been drilled. For others, an incident is a disruption to the normal course of business, which is where business continuity planning demonstrates its value to the organization.
Disasters come in many forms: earthquake, fire, cyber-attack, air quality alert, extreme weather events, etc. Every type of incident requires the organization to have a continuity plan in place and to rehearse it, so that the workforce is prepared when an incident occurs. “A health epidemic is no different from compromises of public emergency alert services, SARS and political voting interference,” said Pensar Development IT and Security Director Kayne McGladrey.
“The biggest challenge for an organization with lots of users is the hysteria associated with it,” said an enterprise InfoSec professional who asked to remain anonymous. “When people are in a high-reaction state, they tend not to think as clearly, and that’s when they become more vulnerable to phishing campaigns, social engineering, and business email compromises.”
Threat actors will also use a disruption to business operations as an opportunity to spread misinformation. If an organization has not established itself as the recognized authority for communications when business is disrupted, an attacker can impersonate the source of information and run a successful campaign against people who are looking for guidance on how to behave in the incident’s aftermath.
When the healthcare.gov website was sending out emails, some organizations flagged the messages as phishing because they used a redirect that was not widely recognized. Legitimate mail that looks like phishing erodes trust in exactly the channel the organization needs. “It begs the question of who is the authority and trusted source,” said McGladrey.
Email systems may become unavailable, or too slow, to share information with a distributed workforce in a timely manner, so organizations need to identify a backup communications mechanism in advance. Perhaps it is an online chat service, such as Slack or Microsoft Teams. “Those real-time, authenticated chat platforms are a good way for consolidating communications,” said McGladrey. Strong user authentication must be available for any communications channel outside of corporate email: some form of validation, such as MFA on the platform, is necessary so that recipients can trust who sent a message.
Are communications really that critical if it takes hours or days for internal channels to review and approve the message? When faced with the choice of getting the facts out quickly versus waiting for the legal and communications teams to review them, the security leaders we spoke to say a life-critical impact, such as a person visiting your facility with a confirmed contagious virus, overrides a formal legal review. “Get the message out immediately and follow-up with updates that have gone through more rigorous review,” said McGladrey.
An incident may require a larger portion of the workforce to work remotely. Before making that decision, a risk assessment is necessary to inform strategic leadership: a risk analyst or someone with an intelligence background should review the facts and present them to management.
If a hurricane is forecast eight days out, there is likely a business continuity plan in place for preparedness. A cyber event should have a similarly effective plan and procedure, detailing the practices and procedures to follow until normal business operations are restored.
Assembling that plan draws on the organization’s ideas and intellectual capital, the intangible assets every organization has and the drivers of the knowledge economy. The output can be as straightforward as instructions for employees on how to connect via VPN, the top reasons to avoid public Wi-Fi, and how to troubleshoot common home broadband problems. The IT or support help desk also plays an important role, because it faces a different set of user needs while the organization is in incident response mode.
Just as important as documenting the conditions that trigger the incident plan is defining the indicators for an “all clear” return to standard operations. This is another risk-driven exercise, in which the organization needs to establish the factors that are weighed in the decision to return to work.