2021 IT priorities require security considerations

2020 was the year no one could have predicted. IT and security teams had to quickly adapt to shutdowns that brought remote workforce security issues, COVID-19-related phishing campaigns, ransomware attacks on schools and hospitals, and more. Now, as enterprises begin 2021, there are three more pandemic response challenges to potentially contend with: securing a hybrid remote and office work structure; securely reopening offices and facilities; and adapting to a permanent remote working environment. Kayne McGladrey, IEEE senior member and security architect and governance, risk and compliance practice lead at Ascent Solutions, outlined the most significant challenges each scenario presents and how security teams should prepare for them now to thwart potential security issues.

Opening keynote speech at the Seattle Electrical Conference

“I hope that you want to create safe products that benefit individuals and society, that make life better.

That you want to reverse course, and can advocate for security in the face of lean IT, DevOps, and less money and less time and less people.

IEEE code of ethics includes the phrase “disclose promptly factors that might endanger the public or the environment”.

Not as strong a language as the other code of ethics I’m bound to follow as a CISSP, to “protect society, the common good, necessary public trust and confidence, and the infrastructure”.

Regardless of which code of ethics you’re following, we have responsibility to society to turn this around.”

Telehealth’s emergence and the keys to security in 2021

Telehealth was an unexpected technology bright spot in 2020, as the Office for Civil Rights (OCR) relaxed enforcement of certain aspects of HIPAA, helping to reduce COVID exposure via virtual rounding and virtual visits.

Unfortunately, bad actors have shown a lack of morality in their pursuit of illegal profits and have continued to attack medical organizations. Ransomware attacks, for example, can cripple a hospital’s ability to provide high-quality patient care by denying access to key computer systems, which would force medical professionals to treat patients based on memory and paper-based records.

The following three high-level recommendations provide a basis for defense in depth for healthcare organizations in 2021.

Strike a balance: Ensuring secure remote work without hindering productivity

Kayne McGladrey (@kaynemcgladrey), Security Architect at Ascent Solutions, agrees: “Microsoft 365, for example, allows for automatic classification and labeling of unstructured data, but also permits users to provide a justification when the automation gets it wrong.

“Combined with automated data loss prevention, this can allow a business to easily enforce and report on policies for sharing non-public data both inside and outside of their organization,” he says.

How to ensure virtual roadshows, negotiations are safe amid COVID-19

Companies should record video calls when doing so poses an obvious business benefit, the participants have consented to it, and there are adequate controls in place to limit access to the resulting video to only authorized parties, Kayne McGladrey, security architect at cybersecurity consultancy Ascent Solutions, said.

To ensure accessibility, companies should also strongly consider using closed captioning on call recordings, McGladrey added.

Podcast: Making cybersecurity more effective in the age of cloud and COVID-19

Cybersecurity has always been a critical task that must be handled effectively. However, cloud and, more recently, COVID-19 have exacerbated cybersecurity issues and changed the security landscape. In this episode of the podcast, Mike Kavis and guest, Ascent Solutions’ Kayne McGladrey, discuss cybersecurity in the context of cloud, and vis-à-vis the changes wrought by the pandemic. Kayne’s take is that the transition to cloud and the pandemic have exposed and magnified issues that have always been a problem, and that companies should not skimp on cybersecurity in favor of spending on other “more pressing” projects. The key to success is to focus on data, automation, and risk assessment.

What is the last thing to do before the end of the year?

I hope you’ve already had a risk definition conversation - get in front of the board or in front of your CIO or in front of your CFO, whoever is going to ultimately pay the bill. And then for anything where you know you can’t afford it because you’ve seen a reduction in your budget as a consequence of the pandemic - have that conversation early with your cyber insurance broker.