Will Coronavirus Affect Security Operations?
Mar 5, 2020
You cannot open a news site or turn on the television today without rightfully hearing about the coronavirus. While governments and medical systems scramble to respond and contain the virus, it is not clear if the virus will reach epidemic or pandemic levels, how quickly treatment options will become available or how the virus will affect the health and related productivity of large portions of the global population.
Much has also been presented in the media about business response to the potential crisis, including prevention awareness, travel bans and the cancellation or digitizing of major conferences and trade shows. Most employers have also reviewed their disaster recovery/business continuity planning to react in case substantial portions of their workforce are unable to perform their jobs due to illness, and many have already begun additional sourcing to address potential supply chain interruptions.
Security operation leadership should be performing the same exercise. The obvious contingencies to plan for are sick employees and hardware shortages. A few perhaps less obvious scenarios to discuss include:
- Loss of support due to employee illness at third-party businesses that are integral to your security operations, for example an outsourced help desk, identity and access management or maintenance vendors, managed service providers (MSPs), network operations groups, or managed security service providers (MSSPs).
- In addition to short-term planning for security operations at less than full staff due to illness, planning for a major economic downturn that forces a reduction in your budget.
- Additionally, while unfortunate, it is a reality that major news stories such as the coronavirus and the resulting hardships drive phishing activity, potentially leading to ransomware/malware infection or account takeover, and often to related financial or business reputation loss.
To address these contingencies SecureSky recommends several elements to consider in your planning:
- If your Security Operations Center (SOC) operates with desktop machines, determine the number of laptops or mobile devices required to remotely maintain risk prevention, threat detection, response and support functions, then acquire, deploy and test those devices.
- If your SOC operates primarily via a corporate telecommunication infrastructure, discuss alternate mobile communication processes, for example acquisition of mobile phones or use of employee-owned devices (and reimbursement policies).
- Once designed, test employee remote work scenarios, incorporating your organization’s possible entire remote worker population into access and authentication processes, as well as VPN and web conferencing capacity. Most web conferencing applications (for example, Cisco Webex, Zoom and GoToMeeting) have standard voice conferencing capabilities. Other providers, for example Microsoft Teams, require an additional license for a dial-in number. Check the functionality of the tool your organization uses and consider adding a redundant vendor.
- Identify your mission critical vendors and understand their disaster recovery/business continuity planning measures. For example, core vendors like Microsoft have recently announced their preparation for COVID-19 response, including work from home and geographic staff rotation scenarios.
- If your security operations use SOAR and SIEM tools with the capability to automate routine investigation or response actions, identify your use cases and begin development of such actions, recognizing the tuning period and user-impact testing that will be required before they can run unattended.
- If available and you have not already done so, deploy email phishing prevention and employee notification controls.
- Reiterate security awareness training, communicating the propensity for coronavirus-related scams and phishing attacks to all employees.
We at SecureSky wish a speedy recovery for those already impacted by the coronavirus and hope that the thousands of public health officials and medical professionals on the front line are able to contain and minimize the effects of it.
The suggestions provided are best practices for multiple disaster scenarios. In supplying this blog, we do not want to scare anyone, but we want to emphasize that the time for planning is now. Hope for the best, but plan for the worst. If we can assist your organization in any way, please do not hesitate to contact us.