These past several weeks have produced many challenges for IT organizations across the world. In addition to supporting operations in a truly unprecedented environment, many have had to implement new processes and tools in order to enable a now remote workforce to remain productive. Many of these stopgap measures that have been put in place carry with them a significant amount of risk, which some organizations have not had an opportunity to fully understand or mitigate.
Other challenges include IT initiatives and projects being placed on the “back burner” until there is a return to normalcy. Economic pressures that organizations are encountering may indeed further delay these undertakings for the foreseeable future until the extent of the financial impact to the organization is realized and accounted for.
Questions on items such as these have been at the forefront of the minds of IT leadership. After departments initially pushed to respond to operational concerns, most have now settled into their modified working configuration. As a result, many have had questions come up related to their new posture. Some are also not sure where it makes sense to focus their attention. Below are just a few suggestions and examples of guidance that we’ve given our clients that you might find useful.
Update risk assessment documentation based on the newly modified working configuration
Ensure that you fully understand the risks presented to your organization resulting from measures enacted to support your workforce. Update your risk assessment documentation and consider implementing any additional processes or controls which may be required to address new or evolved risks to your organization.
We’ve had several clients that have decided to allow end-users to connect their personal computers to company networks via VPN solutions. (Which, of course, we never recommend!) Organizations that have implemented solutions such as these should ensure they understand and respond to elevated risks presented as a result of operating in this configuration, and if possible, identify alternative solutions to facilitate employee productivity.
Record what works and what doesn’t during these modified working conditions
Be sure that you are keeping track of lessons learned. What has worked well in responding to the pandemic and what hasn’t? While we certainly hope this is a rare occurrence, it probably won’t be the last time we’ll have to respond to an event such as this.
We’re advising our clients to keep detailed records of their efforts during this event. This information can then be used to make useful updates to your internal policy and process documentation, especially your Business Continuity and Pandemic plans. Also, be sure that you are accurately tracking unplanned expenditures incurred as a result of this event.
Don’t lose sight of security
Continue focusing your end-users on security. While aspects of the world economy may be shut down, the “bad guys” are not. Make sure that ongoing “human layer” training is being performed, and that your IT department is periodically testing that end-users remain vigilant. Also, verify that your training has evolved to respond to potential risks introduced by any new processes or working configurations that are now in place.
We must all remain watchful and aware even during this unprecedented time. It is important that you continue to train your users to not become complacent and to scrutinize all received emails, particularly those with links or attachments. Encourage your users to run any items they are unsure of past IT before acting upon them. IT departments should prioritize responding to these inquiries, as a fast turnaround helps to ensure that employees are more likely to ask IT’s opinion when in doubt.
Did your Controller receive an email with “updated” wiring instructions from one of your vendors? Did the CEO just send you an email asking you to “send a wire quickly”? Always be sure to confirm via telephone or another out-of-band method prior to executing wires or other key instructions.
Company assets are for company work
One of the worst cybersecurity incidents that we’ve had to respond to was caused by a client who let their child use their company computer while at home. Not only did their child download pirated material (e.g. movies and TV shows) to that computer, but that machine was also infected (unbeknownst to the user) with some nasty malware. Upon returning to the office and placing their laptop on the docking station, the malware then spread and took the entire company network down. This cost the company several hundreds of thousands of dollars in lost productivity and recovery expenses. Ensure that your users understand that company assets are for company work and are not to be used for other purposes.
Make the best of any downtime
If your IT department finds itself with additional bandwidth, then it may be a good time to take care of housekeeping tasks that may not normally be prioritized throughout the year.
- Examine your departmental policies and procedures and identify any areas that may be stale or obsolete. Consider making changes based on any recent lessons learned or issues that you’ve encountered.
- Update your risk assessment documentation (especially considering any changes as a result of the pandemic!) and ensure that your processes and controls are still appropriate.
- Conduct some audit or review procedures. When was the last time that you went through your Active Directory or ERP system user listing and removed dormant or long-since-used accounts? Have you taken the time to confirm that user privileges and group membership are appropriate? Have you gone through system logs to look for abnormal activity? Are there external audits coming up that you can prepare for?
- Tidying-up. Some of these items may be accomplished in conjunction with your audit and review procedures. A few other tidying-up activities to consider include: Are there shared passwords that could stand to be changed? Is there computer room maintenance to be performed (i.e. cable management, de-rack obsolete equipment, overdue HVAC/generator/battery maintenance, etc.)? Is the IT workroom a disaster?
- Training! This may be a good time to get your team that training they’ve been bugging you about. There are a multitude of worthy remote learning programs available that may benefit your organization. Don’t forget your end-user training as well, particularly regarding secure computing habits.
While these are certainly uncommon times and uncharted waters for many of us, we are here to help!