by Lokesh Yamasani, Senior Director, Security and Compliance, Ampcus Cyber Inc
As I write this article, we are in the middle of a pandemic. Yes, the “pandemic/viral infectious disease outbreak” with 1.3+ million affected and counting that has been active for the past few months at least. In the midst of this pandemic, and with shelter-in-place orders issued, organizations have either closed their doors/suspended their operations or have asked their employees to work from home. When your employees/contractors/partners are asked to work from home and access systems, whether those systems are in the cloud or hybrid, the experience is not going to be the same for them, causing more friction and complaints on top of the chaos due to the pandemic.
Given all this confusion, chaos, and uncertainty, it’s time for the “Top Management” (yes, you, “Top Management”, because you are ultimately responsible for security at the end of the day, and your CISO/Director/IT guy/security guy/whoever it may be is just one of the best weapons in your arsenal) at organizations to prepare their organization to preserve confidentiality, integrity, and availability even during chaotic times like a disease outbreak that closes countries, airports, and borders, and to have the necessary funding in their arsenal to make that cyber security spend even during such economy-drowning pandemics.
In the past two decades alone, there have been more widespread disease outbreaks than at any other time in recorded history. There is no excuse for not being cyber ready/cyber adaptable (i.e., have the money/be willing to make the cyber security spend even during such economy-drowning pandemics). I know what you are thinking: is this article going to be just another rant and rave from a self-proclaimed cyber security expert? You bet it is! Just kidding…. All this is about is helping you, as a decision maker, think about building a highly adaptable, cyber-resilient environment regardless of the situation that may arise. Let me jump into how an organization can come together to prepare for cyber security during an ongoing pandemic. Well, if it’s too late for this one, at least be prepared for the next, so that you don’t end up like that technology company that had a security gaffe in April 2020. Let’s look at some of the tips that will get you going and make you that “Goddess/God of Cyber”, or at least may help you see clearly through the chaos.
- Get rid of all bureaucracy and bureaucratic processes tied to your cyber security initiatives – Of all the killers out there, this is the biggest killer of your cyber security initiatives. Most CISOs/security leaders leave because of this: they don’t get the necessary budget, and they wait forever to get your attention on the cyber security budget. Until the day when data breaches are tied to executive pay as a regulatory requirement (which is not far down the road) arrives, I don’t see a radical change happening in terms of getting rid of bureaucracy. This is already partially or indirectly enforced by GDPR. As “Top Management” personnel, expedite or accelerate your processes around implementing cyber security initiatives. Can you imagine having to deal with bureaucracy and bureaucratic processes in the midst of a pandemic? Yep, me neither….
- Don’t yield to meaningless end-user bickering around the cyber security experience – I’m a great believer in providing a great and seamless security experience to end users. However, don’t encourage an environment where folks gang up and say, “I don’t want to install this multi-factor authentication app on my phone because it invades my privacy”. These types of things must be mandated as part of company policy. Don’t give such bickering a chance; make it a mandate as part of HR policy. Believe me, it will work far better when it goes out as “HR policy” than as “Security Policy” or “IT Policy”.
- Train, train, train… your users on security awareness – As cliché as it may sound, continuous security awareness training for your users is one of the best weapons in your arsenal, if not the best at certain times. Create a culture of treating any email that is out of the ordinary/unwanted/unexpected as phishing or as an email with malicious content. Why email? E-mail is still one of the most widely used productivity apps in any organization, and it’s still one of the primary attack vectors used by cyber attackers to deliver malicious payloads to the organizations they are trying to attack. Build that security-aware/vigilant mindset. Come up with security awareness training campaigns that are close to real-world examples.
- Build a resilient architecture – As I write this in the midst of the pandemic, organizations are facing challenges around what end users are downloading to stay productive, how hardened their home firewalls are, and what devices they are connecting from, as most corporate work is being performed from home. This opens “Pandora’s box” in terms of attack surface and makes it easy for your “work from home” users to be compromised by cyber attackers. The solution is to ensure a highly adaptable architecture is built: a) whether your applications are in the cloud or in a data center, ensure they are accessible by your end users, as needed, via a simple and secure API; b) route all this API traffic through one or more secure cloud services that offer protection against malware and other cyber-attacks. Believe me, it’s easy to find such secure cloud services, given the number of security products/technologies available today. When you have a) and b) covered, you reduce the likelihood of a data breach during “work from home” or similar scenarios.
- Business Continuity and Disaster Recovery – As cliché as it may sound, BCP and DR planning is one of the key elements and the first thing everyone thinks about in such pandemic scenarios. Every organization has a pandemic plan shoved in somewhere in its policies for such situations. The question is: how often does one conduct a real-time exercise? As a decision maker, ask your teams for the latest and most comprehensive BCP and DR test results spanning all your departments. More often than not, BCP and DR test results show your organization’s maturity in terms of risk management. Review the results, get an independent opinion, and make appropriate investments in operations, business, and information technologies as needed. Get involved in that exercise. As a decision maker, you should be in the BCP and DR chain of command. Shouldn’t you?
- Enterprise Risk Management (ERM) – Security shouldn’t be under IT, just as ERM shouldn’t be under Finance. Why? Because for the ERM and cyber security functions, an independent opinion is key, and that independence doesn’t come to fruition if they report into a department they have a conflict of interest with (or vice versa), leading to any identified/unidentified risks being shoved under the rug. Have your ERM and cyber security functions report directly into the ultimate decision makers/budget approvers of the company. Nope, I’m not referring to the “CFO”.
- Incident, Vulnerability, and Patch Management – Regardless of the situation, you might want to check: a) whether you always have a fully functional 24x7x365 security operations center; b) your ability to identify vulnerabilities and apply the corresponding patches in a timely manner, in line with the risk. See, I made it sound very simple. It may not be that simple, but at least it will give you peace of mind during these tough times.
Bottom Line: This isn’t a silver-bullet list, nor a complete list. These are some of the top things that should be on your mind and that will help you survive or escape cyber chaos during a pandemic or similar scenarios.
About the Author
Lokesh Yamasani is Senior Director, Security and Compliance at Ampcus Cyber Inc. He is an experienced and diligent security leader with a track record of establishing and managing security programs in line with best practices. He has assisted multiple Fortune 1000 clients with their security initiatives. He has been a part of the Cloud Security Alliance Cloud Controls Matrix working group, a speaker at security conferences, and has published articles on security and privacy in security magazines.
Lokesh can be reached online at [email protected] (SecuRanch Podcast on Google and Apple Podcasts) and at our company website https://www.ampcuscyber.com/