The Role of Cyber Hygiene in the COVID Crisis
Federal teleworkers need to know the cyber basics.
When it comes to nefarious deeds, the COVID-19 pandemic has been a gold mine for bad actors. In addition to wreaking havoc for individuals and healthcare organizations, federal agencies are also prime targets. Case in point: a portion of the Department of Health and Human Services’ (HHS) website was recently compromised, in what appears to be a part of an online COVID-19 disinformation campaign.
In a time of heightened cyber risk and limited human and fiscal resources, how can agencies protect their networks from malicious actors by taking a page from the COVID playbook? They can diligently practice good (cyber) hygiene.
In fact, there is a direct correlation between personal and cyber hygiene.
Specifically, actions to support both are considered fundamental: they must be done thoroughly, and they must be performed diligently. Failure to maintain these basics is often the result of human error or complacency. This failure—in maintaining either basic network or personal health—is the most common source of vulnerability.
Fundamental cyber hygiene begins with knowing what is on your network, that your devices are securely configured, that your network is set up as intended, and that any change does not affect your security.
These fundamentals are even more important with many federal agencies’ staff now working from home on either nongovernment-issued devices or devices without up-to-date software. It’s also easier than ever for employees to fall for a phishing attempt or to set up work-from-home configurations hastily, allowing unauthorized access to parts of the agency’s network. This is complicated further as agencies share resources and often employ staffers from other agencies to temporarily support specific efforts.
Knowing which device can access what parts of your network is vital to keeping that network secure.
Just like basic personal hygiene, practicing cyber fundamentals comes down to the individual and consistency. Even if 99 percent of employees diligently perform certain actions, it only takes one person—or one oversight—to accidentally open the network for infection.
The COVID playbook also stresses the importance of social distancing to reduce risk and limit the spread of damage. In network terms, this is achieved through segmentation. By limiting access between highly valuable assets and vulnerable, less-trusted parts of the network, teams create virtual perimeters. Then, when an attacker finds a compromised location, their ability to spread throughout the network is limited. Although agency networks are massive, it's alarming how few lateral moves one needs to move from one place to another.
Even with IT departments already spread thin, and their networks’ complexity compounded by more staff working from home, there is hope. Agency IT teams can use network modeling platforms to see what’s on their complex networks, how it’s connected and the associated risks. They’ll know if their remote workforce has access to the applications and systems they need without compromising the agency’s security posture.
Like personal hygiene fundamentals, the cyber basics can be a challenge to diligently maintain 100 percent of the time, and a lapse in either case can result in significant consequences. A breach can lead to ransomware attacks, information being stolen, or an entire network being taken offline. By practicing the fundamentals of cyber hygiene, teams can measurably reduce cyber risk, which keeps their networks—and their operations—healthy.
Ray Rothrock is the executive chairman of RedSeal and author of “Digital Resilience: Is Your Company Ready for the Next Cyber Threat?”