Risk Landscape Changes During


July 24, 2020

COVID struck. You worked quickly to enable a secure remote work footing for the company. Good job. Now it’s time to take a strategic look at your risk profile and decide what to do next. A Work from Home Assessment evaluates changes in your organization stemming from rapid shifts in workforce operations.


How did organizations respond during the initial phase of COVID?

Dustin Owens (00:16):
During the first couple months, and really, especially the first couple of weeks after the country started basically shutting down. And so the amounts of employees were all of a sudden working from home versus going into an office location somewhere. And as a result of that, there was this massive shift in some cases, nearly overnight, where organizations had to have infrastructure in place to allow people to be able to work from home, work remotely, and being able to come back in and get access back to those same assets that they were trying to access from the corporate locations. As they did that, there wasn't a lot of time for planning. There were a lot of organizations that didn't really have any sort of business continuity plan in place that took into account a massive pandemic that meant everybody had to work remotely nearly overnight. Right? So what they did was, in essence of speed, they kind of placed to the side some of the security considerations and the consequences of how that impacted risk posture in order to be able to move quickly.


What are some things to consider regarding increased risk?

Dustin Owens (01:40):
How that could have affected them is in several different ways. First and foremost is do they have control as much as they would have within the corporate environment at those remote locations where their workforce is now connecting in from? In other words, are they able to put as strong of controls in place, technical controls in place, in somebody's wifi environment, within their house? Because most organizations don't have that sort of ability to put those kinds of stringent controls in place in that remote workforce environment. They've opened up holes, right? So there's new avenues of attack for external parties being able to come into those home wifi networks and gain access through back doors of network file shares that may be in place within that home wifi environment to gather personal computers as an example. They may not have changed their default wifi password that came originally with their wifi setup from their provider six years ago. A lot of different things sort of open themselves up on that remote end, all of a sudden, that they didn't, that corporations didn't have to deal with before. And so where they have those lax controls and where there's now new openings and new soft spots in the infrastructure, the corporate infrastructure, because of those remote locations, how are they now opening themselves up to compliance gaps that may not have been addressed because they weren't able to shift the proper controls in place at that remote site, in order to meet full compliance requirements? How are they now impacted by privacy information potentially being stored, or even being able to be transferred off to a thumb drive as an example within that remote office location from their home where they wouldn't have necessarily had that capability in the past without being monitored and that sort of thing?
And then on top of that is what sort of access are they unwittingly providing to any of these external parties that may be trying to get into the corporate environment through those things, like I mentioned, network file shares with personal devices on that wifi network? People driving by on the street and trying to gain access through those wifi networks and default wifi password setups and those sorts of things. There's a lot of different sort of scenarios that come into play. That's all focused around that remote infrastructure and the lack of pure control that a corporation has over that remote infrastructure because it's somebody's house and it's their personal environment.


What can organizations do to reduce risk in the future?

Dustin Owens (05:00):
In order for companies to start addressing some of those gaps that they may have inadvertently started exposing themselves to is first go back and make sure that you have actually re-evaluated through some form of risk assessment or some form of penetration test what the actual vulnerabilities may be that have exposed themselves first and foremost. As you start to understand what those real gaps are and not what you may assume the gaps may be, then you can go back and start to re-evaluate. How do those gaps in your understanding of what they truly are impact your risk posture? What do you need to do to start changing behaviors or changing some of that new remote infrastructure to close some of those gaps and to bring down that risk posture to a more acceptable level, and then understand how do you need to re-evaluate your medium and longer-term strategies as a result of that? Part of what organizations were assuming when they first moved to this rapid work from home sort of operational model is that it was going to be short-lived. That has turned out, as everybody has seen, not to be the case. And you even have organizations like Facebook and others starting to announce, look, we've seen that our workforce can be pretty productive working from home. We're, they're going to go ahead and just develop a strategy for keeping the majority of their workforce remote indefinitely. Other organizations, as the pandemic and different surges continue to happen, organizations are starting to make similar sort of shifts, maybe not for indefinite terms, but they're certainly going back and adjusting their priorities and adjusting their strategies to better accommodate a longer-term play on this remote infrastructure.