October marks the 18th year of Cybersecurity Awareness Month. Government organizations, communities and businesses use the occasion to educate citizens about cyber threats and how each person can do his or her part to avert or minimize the impact of cyber attacks.
A year ago, we talked about how to be cyber-smart in a COVID-19 world. At the time, we were focused on the increased risks associated with moving to mass remote work and the preponderance of cybercriminals exploiting the pandemic to gain access to information and bank accounts. We had expected that the pandemic would be tamed by now and the world (including the cybersecurity world) would have settled.
Instead, we are moving through our second October of navigating the pandemic overlay – with a distinct increase in the number and complexity of cyber attacks since 2020. The threats from a year ago are still present, though most organizations and individuals have put safeguards in place to address the basic vulnerabilities. Now, we are operating at a more sophisticated level. So, too, are the cybercriminals, whose efforts are supported by the realities of a pandemic world. What’s next? Here are three tips for surviving another year of COVID cybersecurity.
1. Keep Business Continuity Plans Fresh
Among its many lessons, this pandemic has taught us that preparation is a key to limiting the impact of business disruptions – from hurricanes and floods to civil unrest to cyberattacks. The better an organization’s ability to anticipate, mitigate, and respond to threats and incidents, the greater its ability to recover and thrive.
Cybersecurity is an essential element of every business continuity plan and keeping it up to date is critical to effectiveness as cyber threats and attacks evolve.
- Monitor COVID cybersecurity trends: During the pandemic, we’ve seen an upsurge in sophisticated cyberattacks. As Deloitte has reported, only about 20% of cyberattacks before the pandemic used new malware or methods. During the pandemic, that proportion has risen to 35%, including new attacks that use machine learning to adapt to environments and remain undetected. Be sure to monitor what’s happening now, since the cyber threat landscape continues to evolve quickly.
- Increase supply chain visibility and risk management: High-profile ransomware attacks across industries exacerbated supply chain disruptions caused by the pandemic. A widespread practice of “just-in-time” manufacturing meant there was little stockpile of parts and materials before a disruption. So, factors such as truck driver shortages, food processing plant closures, and stalled gas pipelines very quickly led to consumer shortages and price hikes. Take a closer look at your company’s suppliers. Analyze your supply chain risk. And ensure that supply chain risk management is part of your business continuity planning.
- Step up training and drills: Be sure your business continuity team is trained and ready to respond to a security breach, malware attack, ransomware attack, or supply chain disruption. Practice responding to each and update plans to reflect weaknesses that you discover. Remember that a team member could be unavailable to respond, due to pandemic or other reason. So identify, train, and practice with back-up personnel who are able to step in if others are unavailable.
2. Strengthen Enterprise Security
Most organizations have already shored up their virtual private networks to handle a heavy load of remote workers, insisted that remote employees have home network security in place, and strengthened antivirus protection on devices and networks. As cybercriminals get more sophisticated, organizations need to, as well.
Identity, Credential, and Access Management (ICAM) is the set of tools and processes that organizations use to enable the right individual to access the right resource at the right time for the right reason. Over the past 18 months, government organizations and businesses have started to tighten their approach to ICAM to combat next-level cyber threats.
- Identity verification: A move from in-person to remote identity verification for new consultants or employees creates an environment ripe for fraudsters. As this GovLoop article points out, “with the current state of the public internet and the dark web, personal information is easily accessible. So, it’s not difficult to masquerade as someone else over an online connection.” The article talks about accessing government benefits, but the verification challenges and solutions are pertinent to commercial organizations, too. Take necessary steps to be sure that the people who access your networks are who they say they are.
- Clean up credentials: Too often, companies use a standard set of permissions to grant groups of employees access to company applications – even if some of those employees never need to use the apps. To limit the number of users, and thereby limit potential access by bad actors, review who has access to what in your network. Disable the active credentials that are no longer needed by employees who have retired, left the company, or never needed access in the first place.
- Access: There’s a growing movement toward a Zero Trust approach to accessing company networks and apps. Traditionally, once an employee logs into the company network, the employee can immediately access any and all of the applications they have permission to use. The problem is that, if someone gains access using another person’s password, they are then free to cause havoc. The Zero Trust approach requires employees to prove their identities before accessing each application, even after they log into the network. Consider adding that extra layer of protection – though it may be a hassle for employees who have to enter multiple passwords. It’s proven to contain hacks once an individual with malicious intent penetrates that first level of security.
3. Evolve Employee Skills and Competencies to Match Current Threats and Plans
In the end, much of cyber risk management comes down to human behavior. Employees can unknowingly, recklessly, or maliciously grant access to the wrong people by responding to phishing emails, using weak passwords, or working outside a secure VPN. As threats evolve and a company’s policies are updated, it’s key to keep employees informed and engaged.
- Keep training fresh: cybersecurity should be a regular and recurring part of every employee’s learning and development repertoire – updated and delivered annually or more frequently, to reflect the latest tactics of today’s hackers and cybercriminals.
- Combat employee fatigue: slogging through the pandemic – whether navigating remote work or dealing with changing workplace safety requirements – has left employees tired of the changes, the fight, and of the many losses associated with the health crisis. It’s tough to stay vigilant when one is fatigued, so companies need to find creative ways to support their tired workers while insisting upon cyber safety. Use your wellness program to help shore up a resilient workforce. Try text alerts and two-way communications to “break through the noise” when engaging employees around an urgent cyber threat.
- Build skills and reinforce compliance: Update your competency management program to build the workforce skills and competencies needed to combat your company’s threats and to carry out your business continuity plan. Don’t stop with telling employees what not to do; show them what they can do to be cyber safe. Make it easy to use approved messaging apps, document management tools, and devices. Reward employees who participate in drills, training, and skills assessments. Be sure you’re tracking the cybersecurity skills and competencies of your workforce, to be sure they’re staying current with your cyber best practices.
This month (and every month), your company should recommit to securing its internet-connected devices, technologies and networks from cyber threats. Read our white paper, Advancing Cybersecurity with Competency Management. Or contact us to find out how Avilar’s WebMentor Skills™ competency management system can help.
Why Cybersecurity is an Every-Employee Initiative
How to be CyberSmart in a COVID-19 World
5 Ways to Combat Cyber Threats at Your Organization
How to Adapt Your Corporate Training for COVID-19
What did Hurricane Ida Teach Us About Business Continuity Strategy?