For IT security leaders, one of the worst scenarios imaginable would be for end users to become the first line of defense against cyberattacks. And yet, when Covid-19 hit, that’s precisely what happened. As healthcare organizations sent the majority of employees to their homes — where they no longer had easy access to the help desk — the walls that safeguard against bad actors started crumbling down.
“Sometimes we’re seen as alarmists who talk about doomsday, but here we are in a real-life doomsday scenario,” according to Nemi George, VP of Information Security Officer and Service Operations with Pacific Dental Services. As a result, leaders had to act quickly, assume risk postures they normally wouldn’t consider, and be prepared to deal with the fallout.
“It’s been a challenge, but it’s also been an opportunity to test and validate controls like remote access and things like VDI that we’ve put in place,” he said during a recent panel discussion, which also featured Arthur Ream (Senior Director of IT Applications and CISO, Cambridge Health Alliance) and Renee Tarun (Deputy CISO, Fortinet). “It has given us a chance to road-test our abilities.”
And while it hasn’t always been a smooth ride, it has provided valuable lessons on what it takes to secure data during a crisis.
The impact on security
The first lesson, panelists noted, involves making sure the workforce is properly educated on cyber hygiene — something that many organizations overlooked, said Tarun, noting that Fortinet has seen an uptick in social engineering attacks.
“A lot of organizations weren’t necessarily prepared to support remote work, especially for the entire organization,” she noted. “Working from home adds additional complexity.” For security leaders, that means ensuring they’re doing basic cyber hygiene such as changing default passwords on home routers. “It was a real challenge for a lot of organizations — not only from a technology standpoint, but from a training and awareness standpoint.”
Part of that, said Ream, means understanding that for employees with little to no experience working remotely, angst levels have been high. “They want to know, am I doing this right? How do I plug this in? They just want to talk to somebody, but they couldn’t get these questions answered by the help desk.”
The reason for that? Help desks, in many situations, were already overwhelmed. At Cambridge Health Alliance, call volumes skyrocketed so much that they had to install extra lines for remote access and dedicated individuals. “They couldn’t handle the call volume 24/7, because they weren’t a 24/7 help desk.”
Cambridge certainly wasn’t alone in that regard, noted Tarun, adding that a number of organizations had to quickly pivot to implement an infrastructure that could support remote work and telemedicine. Even those that did have a foundation soon realized their platforms couldn’t scale to support the spike in users.
Something had to be done to enable easier and quicker access to critical patient data. The usual process of assessing new technologies — which took months in the pre-Covid era — had to be accelerated, which of course meant accepting a higher risk level.
At Pacific Dental Services, the “thorough, robust process for introducing new technology,” which includes testing, validation and alpha groups, went from a duration of about 3-6 months to a matter of days, said George. For example, folks who needed access to applications deep within the infrastructure would normally have to go through the VPN, but the organization didn’t have enough licenses. “We had to make a decision. Do we throw more people on that? Do we get more licenses? Luckily we have a VDI environment, so we very quickly had to spin that up.”
The decision, however, wasn’t made in a vacuum. Representatives from compliance, privacy, security, operations, and technology met to discuss the risks involved, and how they could be mitigated safely. “There are so many things we had to take into account,” he noted. “The key was having everyone around the table and having everyone know what their role was.”
A similar approach was taken at Cambridge, where monthly risk assessments (which were performed by a multidisciplinary team) were replaced by frequent meetings in which a small group of stakeholders decides whether an initiative should go forward. “It’s constant. Every day we get something different,” said Ream. “When operations start to shut down and remote forces come up, you become a fluid team and make decisions at that level.”
Eye on the future
One factor that can’t be underestimated, however, is the downstream effect. When the crisis subsides, what happens to the technologies that were rapidly implemented?
“A lot of policies were relaxed and a lot of decisions were made on the fly to keep the organization moving,” said George. That means risk committees will need to “go back to the table with the same intensity with which those decisions were made, and ask which of those things now need to be rolled back.” As leaders know, it’s not going to be easy, particularly since users have become accustomed to a higher level of convenience.
“We have to take stock of that, roll back where we need to, and build on some of those specific changes we’ve made through the crisis. That’s really key.”
Ream agreed, adding that it doesn’t necessarily mean taking away solutions, but rather, enhancing security around them and lessening the risk. He also cautioned that even as organizations go through remediation, it’s critical to keep an eye on the future so they can be better positioned for the next surge of Covid — or any disaster, for that matter. “Find out what technology worked and what didn’t. And if it needs a replacement, you have time to examine it more thoroughly and get that in place in case it’s needed down the road.”
Finally, Ream and George advised leaning on vendors for support, particularly when navigating the tricky waters of working with other departments that may have differing priorities.
“It’s working with business owners within the organization to decide what solutions you need to put in place,” noted Tarun, who believes that’s where companies like Fortinet can make a difference. “We’re there to make sure they can continue to do their jobs effectively and securely. It needs to be a team sport. You need to talk about what level of risk is acceptable, what can be transferred, and what can be bought down by adding additional controls. That’s a big part of what we do.”
To view the archive of this webinar – Evaluating the Post-COVID Cyber-Threat Horizon – please click here.