How COVID-19 is Changing Risk Management

Author: Brett Bonin, CISA
Date Published: 9 October 2020

One of the most visible results of the COVID-19 pandemic is the transition from traditional office-based work to remote work-from-home (WFH) arrangements at enterprises worldwide. Governments mandated that, in most instances, non-essential employees stay home, and enterprise leaders followed by directing employees to isolate at home to keep the virus from spreading through the workforce. It became clear very quickly that the priority had to be enabling employees to perform 100 percent of their jobs remotely and securely. Enterprise leaders had to take a wide array of rapid, reactive measures to keep delivering IT services in this unprecedented all-WFH scenario, and that response was critical to maintaining business continuity and avoiding disruption.

Virtual private networks (VPNs) have become a critical center of gravity for enterprises. In most enterprises, VPNs were not provisioned with enough capacity to handle the additional users and traffic of a 100 percent WFH scenario, so capacity and bandwidth had to be increased quickly as every employee began connecting to the network from home. VPN systems also had to be reinforced with high-availability architecture and resiliency, since they were transitioning from a secondary to the primary access path and, in many cases, were the only network connectivity option.

Employees who previously did not have laptops and VPN software had to be supplied with them by IT staff who were themselves working remotely. Processes such as onboarding and offboarding employees and providing technical support had to be performed safely from remote locations, and human resources and IT teams developed special decentralized capabilities to carry out these tasks remotely.

With all employees working remotely, strong identity and access management has become increasingly important. Requiring multifactor authentication (MFA) for access to network and cloud applications is one way to increase the security of the WFH scenario: if an employee's password is captured in a phishing attack, a second factor, such as a code or approval from a mobile authenticator application, means the stolen password alone is not enough to log in. Note that one-time codes and push approvals can still be relayed by a real-time phishing proxy, so MFA reduces, rather than eliminates, the risk from phishing.

Patching of systems, as always, is required to maintain acceptable risk levels. The new challenge is delivering patches that were previously installed in the office to endpoints that users can no longer bring in. Patching through the VPN is difficult because the VPN lacks the capacity to push patches quickly enough, and some users never connect to the VPN at all because they do their day-to-day work in software as a service (SaaS) public cloud applications. Zero trust network access (ZTNA) provides a way to patch directly over the internet without depending on everyone auto-updating at roughly the same time while connected to the VPN. A ZTNA client on the endpoint maintains an always-open conduit between the endpoint and the enterprise patching systems, which remedies many of the patching-over-VPN issues.

Phishing was a problem before the COVID-19 pandemic, but attackers have taken advantage of the situation with pandemic-specific tactics. Pandemic-themed phishing campaigns use COVID-19 language and clickbait subjects that play on employee fears, and many malware-serving domains with pandemic themes were registered to exploit anxious users who are more willing to click pandemic-related links. Mail anti-phishing tools and internet proxies should be updated and maintained, including with current block lists of such domains, to protect an anxious and susceptible user base.

Event monitoring capabilities should also be tailored to the unique WFH use case. The insight that VPN and firewall logs provide for securely managing the WFH scenario has become critical. Centrally monitoring VPN events gives visibility into whether adversaries are attempting to exploit weaknesses to gain unauthorized network access (for example, bursts of failed authentications from one source, or successful logins from unfamiliar locations or immediately after a run of failures), reach critical systems and exfiltrate valuable enterprise intellectual property or customer information. Security operations center analysts should be positioned to monitor new pandemic-related indicators of compromise.
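As an added example (not from the article), the following Python runs three detections of the kind a security operations center would apply to centrally collected VPN authentication events: a burst of failures from one source against many accounts (password spraying or brute force), a success from a source that just produced a run of failures, and a successful login from a country outside the user's baseline. The syslog-like line format, the sample lines and the per-user geo baseline are all constructed for the example and do not follow any particular vendor's format.

```python
"""Added example: detection logic over VPN authentication events.
The line format, sample lines and geo baseline below are constructed for
this example (hypothetical; not a vendor's real log format)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) vpn\[\d+\]: "
    r"(?P<result>AUTH_OK|AUTH_FAIL) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2})$"
)

WINDOW = timedelta(minutes=10)   # sliding window for counting failures per source
SPRAY_THRESHOLD = 5              # failures from one source within WINDOW (any accounts)
SUCCESS_AFTER_FAILS = 3          # failures from a source before a success from it


@dataclass
class AuthEvent:
    ts: datetime
    ok: bool
    user: str
    src: str
    geo: str


def parse_events(lines):
    """Parse matching lines; return (events, count of lines that did not match)."""
    events, skipped = [], 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            skipped += 1          # count rather than silently drop: a parser gap is itself a finding
            continue
        events.append(AuthEvent(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                                m["result"] == "AUTH_OK", m["user"], m["src"], m["geo"]))
    return events, skipped


def detect(events, geo_baseline):
    """Return alerts as (rule, subject, detail) tuples, in event order."""
    alerts = []
    recent_fails = defaultdict(list)   # src -> [(ts, user)] failures inside WINDOW
    spray_alerted = set()              # one alert per source, not one per extra failure
    for e in sorted(events, key=lambda ev: ev.ts):
        fails = [(t, u) for t, u in recent_fails[e.src] if e.ts - t <= WINDOW]
        recent_fails[e.src] = fails
        if not e.ok:
            fails.append((e.ts, e.user))
            if len(fails) >= SPRAY_THRESHOLD and e.src not in spray_alerted:
                spray_alerted.add(e.src)
                accounts = {u for _, u in fails}
                alerts.append(("password_spray", e.src,
                               f"{len(fails)} failures against {len(accounts)} accounts within {WINDOW}"))
            continue
        # Successful authentication: was it preceded by guessing from the same source?
        if len(fails) >= SUCCESS_AFTER_FAILS:
            alerts.append(("success_after_failures", e.user,
                           f"AUTH_OK from {e.src} after {len(fails)} recent failures from that source"))
        # Successful authentication from a country this user has not logged in from before.
        known = geo_baseline.get(e.user)
        if known is not None and e.geo not in known:
            alerts.append(("new_geo", e.user, f"AUTH_OK from {e.geo}; baseline {sorted(known)}"))
    return alerts


# Constructed sample log (documentation-range IPs; not captured from a real system).
SAMPLE_LOG = [
    "2020-10-01T08:00:05Z vpn[101]: AUTH_OK user=alice src=203.0.113.10 geo=US",
    "2020-10-01T08:01:10Z vpn[101]: AUTH_FAIL user=bob src=198.51.100.7 geo=RU",
    "2020-10-01T08:01:12Z vpn[101]: AUTH_FAIL user=carol src=198.51.100.7 geo=RU",
    "2020-10-01T08:01:15Z vpn[101]: AUTH_FAIL user=dave src=198.51.100.7 geo=RU",
    "2020-10-01T08:01:20Z vpn[101]: AUTH_FAIL user=erin src=198.51.100.7 geo=RU",
    "2020-10-01T08:01:25Z vpn[101]: AUTH_FAIL user=frank src=198.51.100.7 geo=RU",
    "2020-10-01T08:02:00Z vpn[101]: AUTH_OK user=frank src=198.51.100.7 geo=RU",
    "2020-10-01T09:30:00Z vpn[101]: AUTH_OK user=alice src=192.0.2.44 geo=US",
    "this line is not a vpn authentication event",
]
# Constructed baseline of countries each user normally connects from.
GEO_BASELINE = {"alice": {"US"}, "frank": {"US"}}


def run_sample():
    events, skipped = parse_events(SAMPLE_LOG)
    return detect(events, GEO_BASELINE), skipped


if __name__ == "__main__":
    found, unparsed = run_sample()
    for rule, subject, detail in found:
        print(f"[{rule}] {subject}: {detail}")
    print(f"{unparsed} unparseable line(s) skipped")
```

On the sample, the spray rule fires on the fifth failure from 198.51.100.7, and frank's subsequent success from that source raises both the success-after-failures and the new-geo alerts, which together are the pattern to escalate first. The thresholds and window are starting points to tune against a week of real traffic; users with no baseline entry produce no geo alert, so the baseline should be built from successful logins before the rule is enabled.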

Editor’s note: For further insights on this topic, read Brett Bonin’s recent Journal article, “Pandemic-Driven Remote Working and Risk Management Strategies,” ISACA Journal, volume 5, 2020.