Mitigating Risk from Forced Operational Changes
Managing risk is not easy. It often requires making major business decisions based on incomplete or limited information and making educated guesses on the annualized financial impact of low probability negative events. Risk management calculations and decisions are relatively easy for known, predictable or frequent events, more challenging for the known unknowns and uncomfortably scary for the unknown unknowns. The global economy is now being impacted by the later.
The Coronavirus pandemic is forcing many organizations to rapidly implement major changes to how their employees work and interact internally, with customers and business partners. These changes include, but are not limited to, less hand shaking – more hand washing, self-isolation, remote, work-from-home, video conferencing instead of in-person meetings, reduced travel and more. Some businesses were luckily better positioned for this with all the required remote communications infrastructure, tools and technology already in frequent use. For other companies, this means rapidly implementing major changes to normal business operations often without the time or experience to fully understand the short and long-term impact to their bottom line and brand.
The financial and operational impact to a business will be very industry-specific
Industries like Airlines, Hotel Chains, Cruise Lines, Amusement Parks, Professional Sports, Restaurants and other discretionary services businesses will be hardest hit but all relatively short-term measured in weeks or a few months max, not year(s). Banking, Insurance, Healthcare, Telco, Energy, Retail and other industries will not be heavily impacted by the pandemic. People will still consume the same amount of food (just more at home instead of restaurants), still heat their homes, still buy clothes, etc. Many businesses will see an increase in business (pizza delivery) while their competitors suffer (buffet restaurant). There will be downstream impacts like buying less gas for your car or delaying that new car purchase and of course not going on that cruise.
Voluntary or compulsory self-quarantine will force companies to immediately switch to remote working environments enabling employees to work from home for job functions where this makes sense or is even possible. Customer Support, Software Development, System Administration, Data Processing and Data Analytics all lend themselves to working remotely and maintaining isolating and reducing the spread of the Coronavirus.
The most pressing challenge is, of course, to first enable business continuity by providing employees with the necessary means to work remotely. Unfortunately, this major operational change results in increased risk of unauthorized access and abuse of privilege of sensitive or regulated data and increased risk of a data breach. It is critical that the same confidentiality, Integrity, availability, fine-grained access controls, accountability and audit trail of all access to sensitive data is maintained regardless of how the data is accessed, by whom, where from and why.
Any Business Continuity Plan (BCP) or Disaster Recovery Plan (DRP) should include pandemics
If an organization’s BCP and DRP have not already evaluated and planned for such as event, the risks are even higher when forced to make major decisions will limited information and little or no time to evaluate and consider pros and cons of different options. Important risk mitigating controls are often overlooked. Even better is when an organization has implemented security controls that maintain the exact same level of data security and privacy compliance regardless of how sensitive data is access, where from, by whom, or where the data is hosted, stored or processed.
Data privacy, activity monitoring and access controls should be location, database and application agnostic
Policy and access rules controlling access to sensitive and personal data should be centrally managed, consistently applied and follow the data regardless of how or where authorized users access it they need to perform their respective job functions. Similarly, any unauthorized access should be just as difficult, just as easily detected and proactively blocked whether supporting normal business operations and work locations or in BCP or DRP situations where users must work remotely while accessing all the same sensitive or regulated data. The rules governing access especially by privileged System Admin accounts should automatically be more stringent for remote access to mitigate the increased risk arising from the remote access to the networks and systems processing the data.
This is especially important for all Data Warehouse systems and the Database Administrator, Data Scientist, Data Analyst, ETL or Application Developer tools used to access these large repositories of sensitive or regulated data – all allowing excessive access to personal, highly-sensitive customer or business information. Data security and access controls should be as good or better than on-premise for all remote access. Stretching the lines or communications and increasing the number of systems the data is processed through and increasing the number of remote users all increase risk without mitigating controls. Automatic, built-in mitigating controls that provide enhanced data protection, accountability, User Behavior Analytics (UBA) and proactive detection of malicious activity are far superior to additional temporary measures that have not been fully tested.
The added risk also comes from users having to work differently and not having the benefit of added layers of security often taken for granted. Corporate office or data center physical security controls, multi-factor authentication systems and private LAN network communications eliminate many risks and additional attack vectors versus remote network access to the same systems. Users are required to be that much more aware and vigilant if comprehensive, consistent access controls and accountability are not already in place for expanded use of remote access.
Access based on multiple user attributes and data sensitivity compensates for the added risk of remote access
SecuPi automatically provides the same, centrally managed, consistently applied, fine-grained, Attribute-Based Access Control (ABAC), User Behavior Analytics (UBA), Database Activity Monitoring (DAM), Data Loss Prevention (DLP) and Data Flow mapping, user activity reporting, alerting and blocking of unauthorized access to sensitive data. Enhanced access control policy can be applied to all remote connections to the data. The location a user is connecting from, the application they are using to access the data, the communication path, authentication method and many other user attributes can all be configured to dictate or enforce specific policy or rules.
SecuPi provides all the following:
- Enable business continuity for business users, analytical teams and DBAs while adhering to all the same data privacy and security requirements
- Enhance monitoring for all sensitive data consumption sources
- Configure alerts to protect against excessive, or anomalous data consumption
- Customize audit, monitoring and alerting capabilities specifically for remote access devices
- Confirm all data sources have appropriate access restriction policies enforced
- Update security policy to compensate for changes and the increased risk of using an untrusted distributed environment
- Test configurations and policy implementation in pre-prod environments using real data
- Additional risk mitigating controls can easily be implemented and tested in hours not days
Governments around the world are taking measures to reduce the rapid outbreak of the Coronavirus. Companies likewise can act toward reducing the probability and impact of any potential data breach resulting from changes in how sensitive data is accessed. Absolute restrictions are not possible as they will interfere or even halt business operations. Much like managing the pandemic, gradual and measurable steps can be taken to reduce risk. Configuring alerts and restricting access in response to excessive and/or abnormal user access are critical steps in protecting sensitive and Personally Identifiable Information (PII), an organization’s Intellectual Property (IP) and enabling business continuity without increasing risk.
The author, Les McMonagle (CISSP, CISA, ITIL) is Chief Security Strategist at SecuPi and has over 25 years experience in information security, data privacy and regulatory compliance helping some of the largest and most complex organizations select appropriate data security technology solutions.
Or, visit our website at test.secupi.com