The Covid-19 pandemic has greatly affected the way that we live and perform our jobs: nurses are now conducting health screenings from their bedrooms, executives are managing large organizations from a home office, and many more employees, ranging from entry level to the C-suite, are trying to be productive on the same home network that their children stream TikTok on. It is clear that telecommuting will continue to be a significant part of how businesses operate in the foreseeable future. When employees work outside of the office and outside the security controls put in place to secure your office's digital infrastructure, the organization becomes more vulnerable to outside attacks.
The simple fact is that while remote work was growing, most organizations were not prepared to shift at the level we have seen in 2020, and attackers are having a field day with the resulting weaknesses. Home network connections are far less stable and far less protected than corporate offices. All it can take is a single security breach, and your entire business operations can be brought to a halt. Here are several steps that you can take to increase your digital security.
Adopt the “Assume Breach Mentality”
In the past, approaches to IT security operated under the assumption that if you built a strong enough wall around your castle, you would be secure. But now that laptops and smartphones allow people to work remotely - and especially now that Covid-19 has forced the issue without adequate preparation - that approach is neither sufficient nor appropriate. These devices and working arrangements have created giant holes in your security through which your business can be breached and data - not just Protected Health Information (PHI) - can be stolen.
A Breach Mentality operates on the assumption that your network is already compromised. Put another way, before an organization thinks about what tools or procedures to implement to prevent a breach, it must change its mentality from “Assumption of Protection” to “Assumption of Breach”. This does not mean that you should assume your infrastructure is already broken and that there is therefore no need to take further steps to protect it. It means that you should still have your perimeter in place, but you should also have a zero trust framework implemented so that a breach cannot grow.
The goal now is detection rather than protection alone: an organization should prioritize detecting the attacker who is already inside. Instead of automatically assuming that internal traffic within your network is trustworthy, assume that all of it is dangerous. This mindset allows you to eliminate automatic access for any traffic, regardless of whether it is internal or external. Traffic is only allowed to connect to the systems that are absolutely necessary. Ultimately, this means that the first point that is compromised will also be the last one.
Further Reading: How a new mindset can protect critical data
Enact the Principle of Least Privilege
In order to adopt a Breach Mentality, organizations should implement the Principle of Least Privilege. The principle operates from the idea that users should only have access to the resources they need in order to perform the duties their work requires. For example, an employee who works in sales should not have access to PHI, nor should HR have access to financial data.
Administrators should define the authorized roles and access levels not just of their employees, but of the apps and services that are allowed to operate on their network. Next, they should monitor and review the network to make certain that nothing has been missed. Finally, they should turn on enforcement to block anything that isn't allowed. This approach gives the network administrator an easy way to stop unnecessary - and potentially harmful - network communications.
Further Reading: Principle of Least Privilege
While what users are allowed to do and where they are allowed to go should be adaptable, they should only be able to access the system or the information they need to complete their job.
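The three steps above (define roles, review in monitor mode, then enforce) can be expressed as a small allow-list policy checker. The following is an added example and is not code from the original article; the roles, principals, resources and access events are all constructed sample data, and the `sales`/`hr`/`finance`/`clinician` roles are assumptions chosen to mirror the article's own example of sales staff and HR.

```python
"""Added example (not from the original article): a minimal least-privilege
policy checker.  Step 1 defines which role may reach which resource, for
people and service accounts alike; step 2 runs the policy in monitor mode
so violations are reported but nothing is blocked; step 3 switches on
enforcement.  Every name below is constructed sample data."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Step 1: the allow-list.  A role may touch only the resources listed here;
# anything not listed is denied by default.
POLICY: Dict[str, Set[str]] = {
    "sales": {"crm"},
    "hr": {"hr-records"},
    "finance": {"ledger"},
    "clinician": {"ehr"},              # the EHR is where PHI lives
    "svc-billing": {"ledger", "ehr"},  # a service account, not a person
}

# Which principal holds which role (constructed directory data).
ROLES: Dict[str, str] = {
    "alice@example.org": "sales",
    "bob@example.org": "hr",
    "carol@example.org": "clinician",
    "billing-worker": "svc-billing",
}


@dataclass(frozen=True)
class AccessEvent:
    principal: str
    resource: str


@dataclass(frozen=True)
class Decision:
    event: AccessEvent
    allowed: bool
    reason: str


def evaluate(event: AccessEvent) -> Decision:
    """Decide a single access against the allow-list."""
    role = ROLES.get(event.principal)
    if role is None:
        return Decision(event, False, "unknown principal")
    if event.resource in POLICY.get(role, set()):
        return Decision(event, True, f"role {role} permits {event.resource}")
    return Decision(event, False, f"role {role} does not permit {event.resource}")


def review(events: Iterable[AccessEvent], enforce: bool) -> Tuple[List[Decision], List[AccessEvent]]:
    """Steps 2 and 3.  Returns (violations found, events that were let through).
    In monitor mode every event passes but violations are recorded; in enforce
    mode violations are dropped."""
    findings: List[Decision] = []
    passed: List[AccessEvent] = []
    for ev in events:
        decision = evaluate(ev)
        if not decision.allowed:
            findings.append(decision)
            if enforce:
                continue
        passed.append(ev)
    return findings, passed


# Constructed sample traffic: two of the events are exactly the cases the
# article calls out (sales reaching PHI, HR reaching financial data).
SAMPLE_EVENTS = [
    AccessEvent("alice@example.org", "crm"),
    AccessEvent("alice@example.org", "ehr"),      # sales -> PHI: violation
    AccessEvent("bob@example.org", "ledger"),     # HR -> finance: violation
    AccessEvent("carol@example.org", "ehr"),
    AccessEvent("billing-worker", "ledger"),
    AccessEvent("mallory", "ehr"),                # not in the directory at all
]

if __name__ == "__main__":
    for mode in (False, True):
        findings, passed = review(SAMPLE_EVENTS, enforce=mode)
        print(f"enforce={mode}: {len(findings)} violations, {len(passed)} events passed")
        for f in findings:
            print(f"  {f.event.principal} -> {f.event.resource}: {f.reason}")
```

Running the monitor pass first is what step 2 is for: the three findings are the same in both modes, but in monitor mode all six events still flow, which lets an administrator confirm the allow-list is complete before the enforce pass starts dropping traffic.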
Have a Backup Plan for Your Backup Plan
In the wild west of widespread remote work, one layer of security isn't enough. What do you do when your first line of defense fails? What can you do to limit the potential impact of the initial breach?
You can extend your mentality to protect systems from one another, implement multi-factor sign-on, or leverage segmentation to supplement your firewalls. Always remember that the defense needs to get it right every time, whereas an attacker only needs to get it right once. Seeing as attackers have all the time in the world (and numbers, too), you need to do everything you can to strengthen the defenses you already have.
If you assume that breaches are bound to occur, the next step is to work toward minimizing the damage they can do and how far they spread. One way to do this is called islanding (also known as enclaving), which means isolating the data in a location that is physically and digitally secure. Data is held within a perimeter of firewalls and intrusion detection/prevention capabilities, and controls such as multi-factor authentication help prevent unauthorized access from moving laterally throughout your system. Insurance provider Premera Blue Cross was fined $6.85 million because of a malware attack that was able to quietly spread through multiple systems, allowing the hackers to access the personal data of 10 million people.
It's helpful to think of the concept as compartments on a boat. If there is a leak, the section with the leak is sealed off so that the entire boat does not sink. In cybersecurity, we can create segments across our systems and devices so that if ransomware infects and disables one device, it cannot use the compromised laptop to spread to the others. While the breach itself may or may not have been preventable, this will prevent an absolute catastrophe from occurring.
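The boat-compartment idea above, and the earlier claim that the first compromised point should also be the last, can be made concrete by modelling segmentation as allowed flows between compartments and asking how far an infection could spread from one device. The following is an added example and is not code from the original article; the hosts, segment names and flow rules are constructed sample data for a small clinic-style network, not a real one.

```python
"""Added example (not from the original article): estimate the blast radius
of one compromised device under a flat network versus a segmented
('islanded') one.  The model is deliberately pessimistic: if a host is
allowed to connect to another host, we assume the infection can reach it.
Hosts, segments and rules are constructed sample data."""
from collections import deque
from typing import Callable, Dict, FrozenSet, Set, Tuple

# Which compartment (segment) each host sits in.
SEGMENT: Dict[str, str] = {
    "laptop-1": "endpoints",
    "laptop-2": "endpoints",
    "laptop-3": "endpoints",
    "ehr-app": "clinical",
    "ehr-db": "clinical-data",
    "ledger": "finance",
    "backup-1": "backups",
}

# Flows the firewalls between compartments permit.  Anything not listed
# is blocked.  Order matters: (source segment, destination segment).
SEGMENTED_RULES: Set[Tuple[str, str]] = {
    ("endpoints", "clinical"),      # laptops reach only the EHR front end
    ("clinical", "clinical-data"),  # app tier reaches its database
    ("clinical-data", "backups"),   # database replicates to backups
}

# Segments where hosts may not talk to each other at all: a laptop has no
# business connecting to another laptop, so a worm cannot hop between them.
ISOLATED_SEGMENTS: Set[str] = {"endpoints"}

Allows = Callable[[str, str], bool]


def flat_allows(src: str, dst: str) -> bool:
    """The pre-segmentation network: everything can reach everything."""
    return True


def segmented_allows(src: str, dst: str) -> bool:
    """The islanded network: same-segment traffic is fine unless the segment
    is isolated, cross-segment traffic needs an explicit rule."""
    s, d = SEGMENT[src], SEGMENT[dst]
    if s == d:
        return s not in ISOLATED_SEGMENTS
    return (s, d) in SEGMENTED_RULES


def blast_radius(start: str, allows: Allows) -> FrozenSet[str]:
    """Breadth-first search over the hosts an infection starting at `start`
    could reach, given the connectivity policy `allows`."""
    seen = {start}
    queue = deque([start])
    while queue:
        here = queue.popleft()
        for other in SEGMENT:
            if other not in seen and allows(here, other):
                seen.add(other)
                queue.append(other)
    return frozenset(seen)


if __name__ == "__main__":
    for name, policy in (("flat", flat_allows), ("segmented", segmented_allows)):
        reach = blast_radius("laptop-1", policy)
        print(f"{name}: laptop-1 can reach {len(reach)} of {len(SEGMENT)} hosts: {sorted(reach)}")
```

The segmented result is worth reading closely: the compromised laptop can no longer touch the other laptops or the finance system, but it can still reach the EHR application, and through the application tier's own allowed flows the database and then the backups. Each rule is individually reasonable, yet chained together they still give an attacker a path to the backups, which is exactly the kind of transitive trust this sort of reachability check is meant to surface before a real incident does.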
There are so many things that you can do to make your organization more secure, but you are probably constrained by time and resources. With that in mind, the HIPAA Security Rule is scalable and flexible, accounting for the difference in capabilities between a small clinic and a massive healthcare system, with two types of security standards within the rule: Required and Addressable standards.
Required standards are considered essential. Either you implement these required standards, or you’re violating the HIPAA Security Rule.
Addressable standards are often technical and allow for some flexibility in how they are implemented to accomplish the objectives of the requirement, though this does not mean that they can be ignored.
With this in mind, an organization should focus on what will make the greatest impact on its overall security. Start by identifying your business's priorities, your most critical assets, and your most sensitive data, and then implement non-negotiable solutions that will keep those systems and that information secure. Then, focus on additional security measures that will protect your employees and organization in the event that the first line of defense fails.
Keeping all of the attackers out is a pie-in-the-sky dream rather than a realistic goal. Attackers are legion and they possess all the time in the world to find a way in, so you need not only a strong wall as your first line of defense but also multiple contingencies to isolate infected devices or systems and stop the spread of a breach.