Redefining Cybersecurity Planning
SC&H’s Jeff Bathurst, Director, Technology Advisory, and Anthony DiGiulian, Director, Risk Management, discuss how Covid-19 has impacted not only the way businesses operate, but how leaders must pivot to protect their business from cybersecurity threats.
From infrastructure considerations to security to personnel influences, they provide insights on this new remote work reality and why secure access to corporate networks, applications, and data is more critical than ever. In the following OnDemand recording, they focus on the major components of our “new” cyber landscape: People, Compliance, Access and Authentication, Infrastructure, Disaster Recovery, and Business Continuity.
Watch now to learn:
- How Covid-19 is impacting, and will continue to impact, the cybersecurity landscape
- Best practices for secure remote working now and in the future
- Cyber readiness considerations for your organization
- Tangible steps business leaders should take now to set the precedent for future success
Video Transcript
Jeff Bathurst: Good morning everyone, my name is Jeff Bathurst, and I am a partner and Director at SC&H. My role is to lead our Technology Advisory services practice, which offers a myriad of technology-related services as it relates to CIO and CTO leadership and implementation of today’s technologies to address everyone’s business needs.
Anthony DiGiulian: Good morning, thanks for joining everyone. Anthony DiGiulian, I’m a Principal within our Risk Management practice. I am primarily responsible for leading our IT audit and cybersecurity privacy practices and internally working with organizations to assess current risk models as it relates to IT and cybersecurity, and provide some assessment functions as it relates to frameworks and various compliance efforts as well. Jeff and I work with a lot of organizations on what we consider a cybersecurity readiness assessment. We look at the current state and environments to really understand and identify if you are making the right cybersecurity decisions based on your business, identify the appropriate risks, and mitigate those risks based on your cybersecurity, security infrastructure, technology controls and framework internally.
We’ll also do specific framework assessments that might be NIST CSF, CMMC, there’s a number of various compliance frameworks out there that we work with organizations to make sure that they are meeting everything within their program. Also, we work with organizations specifically on policy development and help organizations develop and write disaster recovery and business continuity, and other cyber-related and security-related IT policies and procedures. And then, on the privacy side, we work with organizations, whether it’s GDPR or CMC to ensure that their program is designed sufficiently to meet this framework and provide GAP assessments, recommendations, and remediation efforts as well. And then we also do specific data privacy validation assessments, to make sure that they’re meeting the requirements of their suppliers as it relates to data privacy controls and frameworks. And then as Jeff mentioned, within the technology space we have a group that we work with on implementing and determining the right technology decisions as it relates to cybersecurity and immigration.
Cybersecurity Snapshot
Anthony DiGiulian: We’ll start today with a quick snapshot. To set the stage for a lot of the discussion today when we look at how COVID has impacted the cybersecurity landscape and what the considerations are that we should be focusing on. Some of these points, I think, are really important in setting that stage. Security attacks, in general, are up nearly 40%, and I think that’s probably an understatement. The reason for that is that we’re not necessarily looking at a brand-new cybersecurity tax, it’s that criminal cyber attackers realize that within the wake of this pandemic, like any natural disaster or terror attack, anything that puts people out of their normal comfort zone is an opportunity for those attackers to compromise or to increase efforts because there’s going to be gaps and vulnerabilities created because of these instances.
We’ve seen a huge increase in malware, over 92% being delivered specifically by email. But think about the different types of attacks, one of which would be fraudulent emails that are designed as government correspondence. Click here to learn the most up-to-date COVID responses. Specifically targeting those vulnerable industries that are facing disruption, right? So manufacturing, pharmaceutical, healthcare, targeting those specific industries with malware and malicious emails. Hey, here’s a coronavirus map of your area, click here to learn more. Or what are the safety measures that your industry should be focusing on? And another one that’s really interesting is false charities. We’ve seen a lot of attackers using CDC donations as opportunities to present a potential virus or phishing attempt.
Jeff Bathurst: Yeah, just one theme across all of these things is that it’s about distraction. Organizations are distracted today with not only trying to ensure that their businesses stay afloat and can service their clients and customers, but they’re also working in a new operating environment in a remote work configuration. What happens is people are distracted with other things, and they may not take the time to evaluate their email as well as they should. They may not examine things as well as they should, and so cyber hackers are taking advantage of that distraction and using this opportunity to implement viruses and other hacking tools.
Covid-19 Impact on Cybersecurity
Anthony DiGiulian: One of the things to keep in mind is obviously we’re all in different situations, but we’re facing similar risks, right? There’s no universal truth necessarily but these are opportunities, this type of form, speaking to peers are great opportunities to understand what other organizations are doing and how they are prioritizing the changes, the shift of risk within the current landscape.
Jeff Bathurst: Regarding the impact on cybersecurity, we mentioned here in this slide that everything is amplified. It’s not as though things have changed. The games haven’t changed. They’ve just increased in terms of the number of players. And some of the points we’re trying to make on this slide is that the activities that you have done within your organization over the last eight weeks have been in a lot of cases, not all because a number of organizations have been prepared for something of this nature, but in most cases, organizations had to rapidly deploy, rapidly respond, and in a lot of ways, in an unplanned fashion in order to promote and allow for remote work. What this did was, this magnified the number of potential risk points within your technology stack as you move it to the user’s PCs and made work technology available to them in an unconventional way, or at least in a way that you have not yet supported. And so that’s why this becomes more of an opportunity for hackers at this point. I mentioned earlier, it’s about distraction.
Now that we are eight weeks into this and we’ve gotten over the shock of this situation, organizations are now moving to a different place. And that’s what we’re trying to highlight here in this presentation, is now that we’re eight weeks into this, what are we going to do from here? Where is the roadmap? What are the steps that we need to take? Because frankly, we don’t know how long we’re going to be here. It could be months. It could be weeks. We simply don’t know. With the air of uncertainty, we need to make sure that we help all of you prepare to make this a sustainable and secure environment as you continue to operate your businesses.
Anthony DiGiulian: When we talk about this transition or shift from what the cyber landscape looks like before COVID and what the new landscape looks like, we have it broken down into a few buckets here. We’re going to speak to each of these in a little more detail: people, compliance, access and authentication being a critical factor with remote workforce and teleworking environment, infrastructure, how that’s built and designed to maintain that environment, and then obviously disaster recovery. That’s a big piece of how you operate or are able to transition operating modes going forward. We wanted to include this depiction here as we set the stage for the conversation of where we go from a cyber standpoint, looking at what the typical environment looked like before and after COVID. Our classic work environment of users being in an office setting environment, transitioning to where we are now, where we have users all over the world connecting through multiple devices, through multiple platforms and types of connections, and being able to identify those endpoints and transition or shift our focus from an IT security standpoint to address that new landscape.
How Has Covid-19 Already Affected Cybersecurity?
Jeff Bathurst: Now one point about this slide, some organizations, they look like the after picture where they’re accessing their technology on remote platforms and any device, anywhere, any time. But that’s more of the minority, and for the vast majority of folks, we as a company were simply trying to respond and do it the quickest, most effective way possible. And then we were trying to come back to it and say, how do we formalize this? Because frankly, Anthony, one of the things you and I have talked about is remote work may become a staple within organizations going forward. They may find that those companies who were reluctant to move to remote work actually see that the level of productivity and employee satisfaction is as high as or higher than they expected, which would allow them to maybe incorporate this as an operating mode going forward.
Anthony DiGiulian: Absolutely. I think that’s the consideration that you want to have going throughout this entire discussion is that the after picture may be the right picture for a lot of cases, for organizations, it’s just a matter of how quickly we’ve had to adapt to get there and what vulnerabilities have been developed by doing so. What we talk about here is increased exposure. When COVID hit, operations were put in a place where they had to be up and running yesterday. And so, that has forced organizations into a change that they may have been previously resistant to or forced to change so quickly and rapidly that they’re bypassing your classic or typical security controls, or where those measures may have been designed appropriately in a normal course of business, but unfortunately, in a lot of the cases where speed and ease of use is prioritized in a rapid state, compliance and technical guidelines are often sacrificed.
When you think about what that can do to exposure, when you’ve got an implementation of a new environment without going through the proper due diligence, that’s where you create vulnerabilities and exposures for cybercriminals. Similarly, you’ve got strained resources, right? You’ve got operation security often focusing on new considerations of how to get the business running and not necessarily focused on where they should be focused from a security perspective. When we talk about people later, that’s a consideration as well as it relates to, let’s make sure that we’re taking the time to make decisions and do them the right way for the long-term success of our business.
Jeff Bathurst: Then the next point around compliance is often sacrifice. Can you talk for a minute or two about how your compliance requirements are still applicable, even though this is the new way that we’re working?
Anthony DiGiulian: Yeah, absolutely. If you think about, depending on your industry, you may have your requirements around PCI, requirements around HIPAA, or GDPR California protection, all of those compliance requirements are not going to change as it relates to what your risks are as an organization. You have to consider those when you’re making the security or I.T. related decisions in an environment like this, because those fines and those requirements are still going to be applicable throughout this period and you’re not going to get a free pass to make mistakes as it relates to PII or otherwise and potential compromise. That’s why it’s really important to take the right approach in the implementation of new strategies. Then I think that’s the theme you’ll hear throughout. If the change is OK, it can be very beneficial to the organization. It’s how you address and assess the risk associated.
Jeff Bathurst: Let me give folks a real-world example. A lot of companies, when they didn’t have remote capabilities, implemented GoToMyPC or RemotePC as a way for home users to take over their work desktops. Well, let’s say that user is in accounting and at work you store customer credit card numbers in a spreadsheet. Then the user says, I need that file, I’m just going to copy it over to my home PC and work on it from here, because you’ve given them the capability of doing that with RemotePC out of the box or GoToMyPC. Now you have just moved all your customer credit cards onto a device that’s outside of your network. That is obviously not secured based on the corporate standards, and your compliance just went out the window times two. It’s a real-world use case where, in the essence of providing convenience and satisfying necessity to get work done, we’re creating security and compliance gaps. And that’s one we’ve already encountered with several clients where they inadvertently created this gap by simply implementing the technology to fill a need that they had not satisfied.
Anthony DiGiulian: We talked a lot about the points of entry. Obviously, attack vectors are just points of entry into a compromised system. You talk about the various mobile devices and the work from home and the connections that are now 10, 15, 20 times multiplied, which is like we said, it’s not a bad thing if you are aware and can identify those connections and increase or strengthen your perimeter to address that. We’ll talk more about that later. And Jeff, from the systems infrastructure standpoint, I think you can speak a little bit to how that strain has caused organizations to increase exposure as well.
Jeff Bathurst: For example, your internet service provider and your bandwidth from your office to the internet. In many cases, they were sized for in-office use and to be used by a percentage of the employee base at any given time. Well, now you’ve shifted that entire employee base to remote work, and they are all leveraging now that internet connection that comes back into your network to access systems. In many cases, your capacity wasn’t designed to handle that. That was not in the game plan and so what happens is we get poor performance; we get user frustration. We see that where we have capacity issues not only in terms of connectivity but also in terms of computing power and server platform, this 100 percent remote work situation is definitely highlighting those constraints in those configuration weaknesses.
The other thing to keep in mind with all of this when you’re dealing with remote work, this is not a security thing, but this is more something to keep in mind from a performance standpoint, and that is in many cases, you can control your access into your system, into your company, through your internet service provider, and they can hopefully provide opportunities to increase that bandwidth or performance dynamically. But what we can’t control is what we call the last mile. That is the connection into the neighborhoods, into users’ homes, where if you live outside of an urban environment where we’ve seen cases where users have DSL still.
What happens is that these acts of internet providers in a residential service use a technology where it’s bandwidth sharing, and so at peak times, typically 9 am – 11:30 am in the morning and from 1:30 pm – 4 pm in the afternoon, you will see decreased performance. We would caution you about that because we don’t want to see the I.T. groups go chasing their tail about a performance issue that we have no control over. That’s just the cost of this situation, but it is something to keep in mind when you’re trying to address remote work, not only today, but as you plan moving forward.
Anthony DiGiulian: The other area we cover here, obviously the demand for cloud services is at an all-time high, and Jeff and I are big proponents of the flexibility and the scalability that cloud services do provide organizations. The key is ensuring that organizations understand that cloud service investment doesn’t necessarily eliminate risk. It’s a shift of risk. We’ll talk about later on how to manage that risk going forward and the importance of sufficient vendor management programs. But the key from an exposure standpoint is understanding as an organization what that migration or what the new cloud services presents from a risk standpoint, and not just assuming that by going to a cloud service provider, that you’re eliminating a certain risk, it’s just not the case. It’s a matter of how you manage and what the shift of that risk looks like.
Jeff Bathurst: Here is another example. Microsoft Teams. Before this started, they had an average daily usage of between 15 and 20 million users. As of the last week, they were averaging 80 million users daily. That’s over a 4x increase over an eight-week period. What we will see and what you will experience, we’re trying to help you go into this eyes wide open, that there are some cloud providers who are ill-prepared to scale at that rate. Microsoft has done a very good job.
- We see issues with Zoom.
- We see issues with RingCentral.
- We see issues with all of the web hosting meetings.
Why? Because everybody’s leveraging them. So again, it’s something that you just want to keep in mind after evaluating each cloud service on how they transition to help mitigate risk and provide services. But keep in mind also, from a performance capacity planning standpoint, that there are things that are outside of your control, and that is one of the downsides of moving to cloud services. But it is something that we all deal with, and fortunately, we have not seen a major outage for many of the major providers, and we hope that certainly won’t be the case.
Anthony DiGiulian: Let’s touch on the human factor a little bit here. People historically have always been the first line of defense, and that’s still the case. I think more than anything, it’s a matter of how that risk is amplified in the current environment, and having a disconnected or distracted workforce presents different types of risk. People working from home having to teach their kids during the day, having to help them with their Zoom meetings and maintain a work-life balance within a completely different, disconnected workforce, as Jeff said. I think being eight weeks in, we’ve seen some of those adjustments occurring. But certainly, it presents an increased risk as it relates to the human factor. At the end of the day, a compromised account is still the most common and the easiest way for a cybercriminal to enter the environment and bypass the perimeter controls. So, ensuring and adjusting based on the new risk as it relates to your employees is critical. You look at policies and procedures that are developed historically. They’re all primarily designed for that previous at-work office environment.
So how are we ensuring as an organization that we’re addressing the new risks associated with a remote workforce? We’ll talk a little bit more about that going forward, as well as security training. A lot of organizations have made a great transition. We’ve worked with a lot of companies that we see security training being a priority over the last 12 to 18 months, but it’s still not necessarily enough. A lot of the historical one time of year security training just isn’t going to be sufficient now and going forward as it relates to more tailored security awareness type of initiatives.
Jeff Bathurst: Anthony, I have one thing to add about that slide around cybersecurity training. With all of us being remote work, everything is done via the phone or by the computer, and if you’re not using a third-party managed service provider for your help desk and you have an internal staff or you have other vendors that you’re using for technology services that interact with your employee base. One of the things to keep in mind is that this is an opportunity for hackers to conduct something called social engineering. What that means is that they will use, you know, just simply human conversational techniques to extract information about user credentials. Your company, who are you doing business with, that sort of thing? They will mask themselves as a service provider and they will make an effort to establish a relationship with your employee.
Again, if there’s no opportunity to be face to face where you see John Smith or James Smith from the help desk here to help me, or your representative from Verizon, they can say, I’m so-and-so from Verizon and I’m taking over this account. Let’s talk about your internet service provider. Let’s talk about your account. Give me your password.
Those social engineering techniques are more prevalent today simply because we can only interact over the computer and over voice and not face to face. So again, that’s just something that security training will teach your employees how to look out for this type of activity, because that is one of the most common ways for hackers to actually gain entry.
How Will Covid-19 Continue to Impact the Future of Cybersecurity?
Anthony DiGiulian: That’s when we transition to where we go from here. We start with people and the security awareness training that we identify here, ensuring as an organization that we’re focusing our content on real-time, real-life risks. A lot of the programs today are tailorable to your organization and to your work environment, not just necessarily using an out-of-the-box security training, but being confident that you’re focusing your security awareness training on relevant content. Then we talk about increased frequency. We’re seeing phishing campaigns on a real-time basis, so not just a quarterly phishing campaign, but doing real-time phishing campaigns, targeting employees, targeting service lines to have a true real-time understanding of where you have risk with employees and then determining what the accountability means. It’s a challenge to figure out from an accountability standpoint, how do we hold employees accountable?
But at the end of the day, you really want to make sure that we’re heightening awareness. I think that’s the key, is making sure that our people have a heightened awareness of what their expectations are in a remote environment. And then, as I said, we’re using Webex, we’re using GoToMeeting and screen shares. So how do we immerse employees into training programs and not just send a clickbait type of email where you just click through a security training and aren’t really truly being immersed in the program? We recommend considering live training programs like real-time tabletops, coming up with ideas to get employees involved in the training so that you have a better chance of them taking in what those things are. Obviously, the topics we have included are remote work best practices, incident reporting, and privacy expectations.
Going back to the first topic, the policies and procedures, a lot of you have access to your handbook, your problem management policies were written in a different environment. What are the expectations now in a remote environment and going forward? Yes, we all want to get back to some sort of normalcy, but I think the likelihood is that either we transition to be able to transition between a remote and a more normal environment, or we’re in this a little longer than we thought, or we have to go back to it. Ensuring that you’ve got acceptable use handbook policies and best practices that take into account both of those environments.
Jeff Bathurst: That last point you just made is really hitting the nail on the head. We all realize that you have been working over the last eight weeks to, in many cases, simply keep your company operational. But we don’t know how long we’re going to be here, and every company is going to have to make a transition from, we’ve adjusted now how do we then conduct business as usual, but in a different way? As Anthony pointed out, we don’t know if this is going to be weeks or months. Will we come out of it, then we’ll go back to it. Or this is simply the new normal going forward. We simply don’t know, so every organization has to determine for themselves when are we going to transition from, we’ve adjusted and now we’re operating and continuing to operate. These things that are in the slide are really, really important because in almost all cases, they don’t address this type of situation. And it’s really important that you communicate with your employees that these are your expectations as we do this in a remote work situation because now that you’ve done it and now that you are operating in it, it will be very easy and comfortable to go back to it. But you want to make sure that you’re prepared to do so and to be able to cover some of the things that we’ve talked about here.
Anthony DiGiulian: The last point about managing third-party risk, it speaks to how extensive or how comfortable are you with your vendor management program as we’re shifting and seeing a tremendous increase in migration to cloud environments. A lot of organizations may previously have said, we’re going to copy this report, and that’s enough. But I think you have to have a program that not only considers onboarding and annual reassessment of risk, but also digs a little deeper into what are the services that this specific provider is giving you and what are the risks associated with that? It might be more than just obtaining a SOC report. That gets you part of the way there, but you’ve got to understand, as you’re working with various third-party organizations, what are the associated risks with that organization and what are the considerations that we have to manage as part of that relationship? Transitioning from people to technology and some of the considerations that we should be making as an organization, Jeff, I’ll let you jump in on this first point.
Jeff Bathurst: This is where you take the opportunity to understand, are we prepared from an infrastructure and computing platform capacity perspective to support this long-term? I’m sure that a number of you have had to scramble to increase capacity and you realize that you’re straining your production environments when this first started. This is something that you want to take the time to have your IT resources go through and look at the performance data over the last eight weeks to see where we need to improve. Where do we need to increase performance capacity or compute power to be able to handle this and provide the best services to our employee base? The other thing that Anthony and I talk about a lot is about recovering from the recovery stage.
Anthony DiGiulian: Back really quick to technology. I want to touch on a couple of specific technologies that we’ve talked about. I think we had a lot of discussions around authentication being critical and multi-factor being a thing. But what are some of the technologies specifically that you think are prioritized in this period?
Jeff Bathurst: To give you a quick list, and we’ll have some of these in a couple of slides, but you want to talk about multi-factor authentication, or MFA, and the latest trends in migration from multi-factor authentication to something called zero trust. That’s a topic for another discussion, but those are essentially ensuring that, from a remote work standpoint, you can ensure the identity of the person using it.
Anthony DiGiulian: What about mobile devices? I think that’s another critical topic.
Jeff Bathurst: When providing services on a remote device, you want to talk about mobile device management if you’re not already doing it. Many cases you already are because you’ve employed mobile technologies into your office environment. One of the things that we also talk about is spam filtering, whether it be through Google or Microsoft or a third-party plug-in to those cloud services. You would be surprised how effective these tools are around removing:
- Viruses
- Malware
- Spam
That is something that can easily be implemented and for a very reasonable cost, but it is one of the most effective tools you can do, since email is one of the most common attack vectors for hackers to get into your environment. One of the other things that we want to talk about from a technology standpoint is about cloud services. Many of you were already there in some way, shape, or form in operating what we call a hybrid environment where you are working with on-premise systems as well as cloud services. Now is the time to talk about stepping up your game and looking at additional cloud services or moving to a total cloud strategy, as cloud services are really meant for work anytime, anywhere, on any device. It is the foundation of that concept and so those are some of the things you definitely want to think about from a technology standpoint.
Back to the point about recovering from the recovery state. We realize that we’re all now working in our disaster recovery plan. Whether we have one or not. And so now, Anthony and I’ll have conversations about:
- How do you recover from this?
- What do you need to do if this is going to be your operating mode for the next several months?
- What happens if a cloud provider goes down?
- What happens if your internet service provider goes down?
Doing so from a remote work standpoint complicates matters. Anthony, I know you have some thoughts on this.
Anthony DiGiulian: I think one of the things you have to think about is the effects of COVID have put us into a test of resiliency as an organization and being able to transition and shift and be adaptable into a different state of operating. But at the end of the day, we still have to be able to continue business in multiple instances. Whether we’re running in different AWS zones or when we’re in a recovery state, what are the risks? In some cases, you have to accept this. You cannot address all of it sufficiently, but have you considered what it might look like if your recovery state was compromised or if you had to transition out of a recovery state? Those are conversations that may not have been had with management that are worth putting into the forefront.
Jeff Bathurst: Anthony makes a great point there. Have the conversation with your organization to map where we go from here if something else comes out, hopefully not, but it’s important to have that discussion. In terms of planning for the next transition, whether it goes back to pre-COVID-19 or it moves onward to a new normal, you know what you want to do. As with anything, plan for the worst and hope for the best with respect to your technology and infrastructure, but in cybersecurity you don’t want to leave it up to hope. There are a lot of things you can do, and we’re about to give you some tangible takeaways here in the next couple of slides of things that you can do today to see, are we doing these things? Are we planning accordingly? Because again, we don’t know what tomorrow will bring, but we certainly can control a lot of our company and corporate activities around providing the best technology and services, but doing so in a secure manner, more importantly, protecting both employee data, customer and client data, and making sure that you maintain your industry-based compliance.
What Should Organizations Do Now to Elevate Security?
Anthony DiGiulian: I think the goal is, can we use this opportunity to emerge stronger? In many cases, like you said, we’ve used the last eight weeks ramping up to a new state of operating. And now, are we positioning ourselves to make decisions that allow us to emerge from this with a stronger, more resilient, more adaptable environment? We talked about some of the recommendations that we have for considerations of increased training. Due to teleworking, we need to make sure that we’re implementing tailored, specific training based on that environment, and then take a look at your access controls. User authentication is critical, and this might be a time where you consider tightening or increasing:
- Password length
- Password complexity
- Frequency of change
These are things that may not be user-friendly, but ultimately, in the state that we’re in, they may help mitigate certain risks associated with the environment. We certainly recommend taking a deeper look at what your current access authentication controls are. I think Jeff already talked a little bit about multi-factor. Let’s go a bit more into some of the mistakes you can make when implementing multi-factor authentication.
Jeff Bathurst: What we’ve seen in some cases with multi-factor is that users don’t incorporate cloud technology. There are multi-factor authentication tools meant for cloud services. I’ll give you two:
- Duo
- Okta
Those are two major players in the cloud multi-factor authentication space that allow you to essentially put a portal in front of all of your cloud apps. If, for example, you’re using Expensify, instead of allowing a user to go to Expensify directly, if they try to do that from home it’s going to redirect them to this multi-factor authentication portal, which will then force them to use their username and password and then the token authentication and approval in order to get back to Expensify. These are built as multi-factor authentication front-ends to cloud services. Typically, multi-factor started off with on-premise solutions and was attached as part of the VPN technology. But this is the next phase, moving from cloud multi-factor authentication to essentially zero trust.
Just to talk a second about that. Zero trust is essentially, I don’t care where you come from, what you do, how you do it, or what device you’re using, I’m going to assume I trust nobody in this world and we’re going to make everyone authenticate in a multifactor fashion.
Anthony DiGiulian: It monitors all internal and external users and device management, and it’s a great model if you have the time to implement it correctly. Jeff spoke about how data classification and identification of data are critical when you’re managing new environments or transitioning environments. Being able to know where your data is, that is going to be the first and foremost priority. You’ve got customer data, you’ve got internal PII data, and you can’t forget about the financial data as well. We talk a lot about the IP security component, but we also want to make sure that you’re aware of and considering the financial component as well. We have spear phishing and social engineering, which isn’t just through email; email is the most common, but this is an opportunity for attack vectors from the phone side of things as well. Ensuring that you have appropriate controls in place for callback operations and otherwise is going to be really important in a remote environment where you’re not sitting next to the person who signed up that you typically work with.
Jeff Bathurst: One point I want to add to that: regardless of what environment you’re operating in today, you are still responsible for compliance, for controlling your customer data, controlling your employee data, and controlling your IP. A lot of changes were probably made over the course of these last eight weeks to your technology environment because you needed to get somebody access to something from home. Maybe you didn’t think about that beforehand. Well, those are going to be infractions against your compliance framework. You are not exempt from being responsible for those things, and if that has been done, or you suspect that it’s been done, you need to go back and revisit that.
Anthony DiGiulian: More than anything, the expectations have probably increased. Think about the discussion we’re having. You should be putting more on your vendors; you should be increasing how you manage and monitor the associated risk. The same goes for you as well and your customers. You’ve got compliance initiatives now that you’re facing, but those are only going to increase over time. We’re only so far away from a national privacy standard. The expectations of what you’re going to have to meet as an organization are going to continue to increase. It’s important to make sure that you’re comfortable and confident with your ability to meet those compliance needs.
Jeff Bathurst: The last two points on here we’ve already touched on, around bolstering your community infrastructure, so I won’t repeat that, as well as looking at expanding your cloud technology platform and service offerings. This is more of a checklist to take back to your organizations. One thing I want to add to this list is around cyber insurance. Hopefully all of you have it. But if you don’t, you need to get it. And if you have it, you need to reach out to your cyber insurance issuer, because in this type of situation, insurance policies and products can be changed without notifying you. Their controls and their compliance requirements around their cyber insurance policy to your organization can be changed, because it is still a relatively new product as it relates to business insurance products. As a regular course of action, you should be talking to your cyber insurance broker twice a year to find out whether they have had changes to their policy or what new products they are coming out with. But in this particular situation, given that everyone is accessing things remotely, what is your cyber insurance company’s stand on that, and does it have any effect on your existing policy? That is a conversation you want to have yesterday, because again, we’re already eight weeks into this and who knows for how much longer, and you want to make sure that you’re covered. Given the increase in cyber hacking traffic and attempts, you want to make sure that you’ve got your bases covered as it relates to that.
Q&A Portion
Anthony DiGiulian: I think that we’re shifting to Q&A here. Please submit any questions that you have, and we will answer them. We had a couple sent in beforehand around tracer apps and whether we think they are legitimate considerations for implementation. For those of you who might not be aware of tracer apps, they are mobile apps that track individuals who have had exposure to COVID and/or locations where exposure has been identified.
Jeff Bathurst: Some countries have implemented tracer apps as a way to help remediate virus exposure and control it. South Korea is a good example of that. Tracer apps are not implemented in the U.S. on a formal basis as of right now, and there may be some civil liberties issues that may prevent that from happening in the U.S. But essentially, these tracer apps are going to monitor user behavior based on their mobile device. Now, one of the things that is being handled during the pandemic, and you’re seeing this in the news today, is hiring people to do contact tracing. That is more of a human interview process for people to communicate where they’ve been, how they are interacting, who they have interacted with and when. Tracer apps go hand in hand with that manual contact tracing process as a way to help them draw a picture. But tracer apps are not an issue here in the U.S. as of yet; there hasn’t been a whole lot of talk about allowing them, but it is something that’s being used in other places in the world.
Anthony DiGiulian: Another question came in as it relates to compliance and other audit reporting, and whether we foresee any relaxing of certain requirements. Continuing education is an interesting one, because I have seen, especially as it relates to the implementation of CMMC, some delays on expectations based on the ability to train. I think the training, the CPE aspect, is going to be interesting. I haven’t seen any definitive issuance of any statements, but as it relates to actual audit requirements and SOC requirements, if anything, I see increased exposure and increased requirements from a compliance standpoint in terms of expectations of a vendor being able to provide the right level of comfort to your customers and clients around privacy and around security. Think of the overall expectation, as organizations have options. I think the expectations, as far as I have seen, are not going to decrease or see much of a reduction. For Office 365 users, how do you feel about the native MFA that’s available within Microsoft?
Jeff Bathurst: If you don’t have it and it’s something that you want to implement quickly, Microsoft’s is fine. I use it as a consumer. I use it for some of my application access. It is effective, but it is not the most robust solution. But if you’re starting from zero, it’s a quick add to your environment and I highly recommend it. If you’re in already, that tells me you’re in the cloud, and you definitely want to consider one of the more mature products like Okta or Duo. You can easily start that, implement that with just your Microsoft 365 as your only cloud application, but it will set the foundation and the groundwork for you to add multiple cloud apps behind it. As a starting point, Microsoft works just fine, but again, that’s specific only to Microsoft and 365. It does not give you the full environment to do all of your cloud applications.
Anthony DiGiulian: I think that’s a critical component. Is it sufficient for your enterprise-wide multi-factor? Not necessarily, but specifically for just the Microsoft environment, it’s better than nothing. Then another question, Jeff: going from a hybrid environment to what you spoke about earlier, a full cloud environment, what are some of the key difficulties or considerations there?
Jeff Bathurst: Moving to a full cloud environment, your biggest challenge is going to be the applications that are unique to your organization, particularly if they are on-premise. That’s where it’s more of a strategic road map discussion. If you are using apps that are what we call off-the-shelf types of applications, where you can procure them and then use them, moving into a pure cloud environment is actually a pretty straightforward exercise, although it is a complicated one, because almost all software manufacturers today have shifted their development to the cloud and are a cloud-based environment. If you have on-premise, again, that’s where on-premise applications that were custom developed for you as a company, or where you have a niche product that requires on-premise, come in. At the least, you should go to more of a hosted environment, where it’s not a cloud app but you can host it in the cloud. That would be the next best alternative for those applications that are not pure cloud types of technologies. But there is a way to develop a strategy to get your computing hardware and your software out of your offices and out of your companies, and preferably out of your data centers, and into a cloud environment where you can then remove yourself from owning and operating technology and be more of a consumer of technology. And that’s really where the strategy is moving for organizations of tomorrow.
Anthony DiGiulian: Circling back to the discussion you had earlier on the last mile, specifically as it relates to home routers: as an organization, where is the line drawn, and what are the risks that we should be considering as they relate to vulnerabilities associated with home routers?
Jeff Bathurst: Well, here’s the thing. You know, most ISPs who provide a router for high-speed internet access are not going to allow you to touch it outside of the consumer settings. That’s just a fact, and there’s no exception to that. So, because we can’t control that last mile, what you want to do is control where the employee enters into our environment, whether it’s entering into the cloud or cloud infrastructure, or our on-premise infrastructure. That’s where multi-factor authentication is critical, because by controlling that, we don’t care what happens outside of that connection. What we care about is that once they touch the perimeter of our organization and its technology, you then have multiple gates in place for them to pass through in order for them to get access to the environment. But no, unfortunately, we cannot do much, if anything at all, to the ISP’s equipment and their controls. Now, one thing I will add to that is that a lot of them, Verizon, Comcast, are offering additional services, of course for a monthly fee, that will put on intrusion detection, add a spam filter, and add things that we’ve talked about in this presentation for home users and services. You can talk to your ISP and your provider about those things, but some of them are further along in these service offerings than others. But again, it’s for the consumer. It’s not meant for the business.