COVID-19: A Shift in Priorities - Q&A with Andrew Smeaton, CISO, DataRobot

Andy Smeaton, CISO, DataRobot

There's no doubt COVID-19 has affected every aspect of life. People are now spending much of their time online, engaged in activities such as working remotely, virtual learning and social networking. This sudden change in online human behavior has significantly increased the attack surface and shifted vulnerabilities. As for businesses, remote work has become the new normal, increasing the risk to their employees and company data.

To address the effect that COVID-19 has had on security leaders, we turned to Andrew Smeaton, CISO at DataRobot, a Boston-based leader in enterprise AI. A four-time CISO with over 20 years of experience in the information security field, Smeaton is well-versed when it comes to building security programs from the ground up and transitioning security environments into cultures that value proactive prevention of risk. Let's see what he has to say regarding the ever-shifting priorities:

Q: Have your security priorities changed given the fact that workforces are now almost entirely remote?

Smeaton: As this is a difficult time, it is likely that security priorities might go out of focus. As security is more in the hands of the remote workers, things such as security awareness training are more important than ever before. System patching is another important priority that has the risk of being postponed or even avoided. This can keep you exposed to vulnerabilities. Employees may be taking shortcuts at home, using untrusted and insecure technologies.

This practice is most common with the use of communication channels and file-sharing applications. Sometimes when official corporate workstations fail, employees may use personal devices which further increases risk.

Things such as ensuring the collection of logs and fully functional incident management processes can be neglected as well. Thus, it is very important to make sure that the security priorities are not just the same but enhanced as per the situation.

Q: How has your security awareness training been impacted by the new remote work situation?

Smeaton: One of the most important security aspects during this phase is to make your employees aware and more responsible for their own personal security as well as the security of the organization. This may be achieved only through regular training and awareness. It is important that you analyze if security awareness training in your organization is increasing or decreasing. Having reduced security training may not be a good sign. It is essential that you provide regular training and maintain awareness about security, location, performance and overall work hygiene of all employees. You should train your employees to use these tools and features in a secure manner. 

Along that note, with remote working, it is obvious that your attack surface is large. Approaches to narrow down the attack surface should be top priority. One of the first steps is to use advanced VPNs or tools that are secure and ensure the protection of data. However, technologies alone are not enough. It is important that you implement strong security practices for networks and devices operating during remote work, and establish security protocols for remote workers to ensure proper authentication and authorization mechanisms. Access to databases containing sensitive information should also be limited.

Q: Prior to COVID-19, did your organization have a sufficient business continuity/disaster recovery plan in place? 

Smeaton: Before COVID-19, the cybersecurity response plan was based on the assumption that the majority of employees would be working on-site. The on-site environments are controlled toward security breaches. However, with COVID-19 most of the employees are working remotely with many different configurations and security settings. Such environments are vulnerable to new threats. This brings us to a situation that our cybersecurity response plans should be updated as per this new challenge. Without proper cybersecurity response plans, companies may fail to continue with their businesses during the time of disasters. Your business continuity plan should include things such as regular testing of your systems, networks, applications, and even your security stack so that they are stable in this situation. It is always advisable not to rely on untrusted tools and technologies. A considerable amount of your security posture is decided by the security posture of your vendors.

Organizations must ensure third-party vendors meet the security standards of the company while working for them. There is a wide range of things to consider in order to properly manage vendors for remote working. Before anything else, you should start evaluating the security postures of your vendors. How does your vendor access your data? Are there procedures in place to prevent data loss or service interruption? Understand if there are new risks associated with the vendors during remote working; if there are chances of added risks, you need to update your service level agreements. Work only with trusted vendors. Security controls and procedures should be the same for everyone with access to sensitive information. Ensure you have proper security controls in place when third-party vendors need to access your networks. Things such as multi-factor authentication and time-based access control are very important considerations. Furthermore, as already stated, each access to your infrastructure should be properly logged. This does not just apply to your employees but also to third-party vendors. And the most important thing is to make sure that your vendor has proper plans in case of an emergency.

K logix works with security leaders to ensure they keep pace with business transformations and address the shift to remote workers or any other demanding challenges. Whatever your maturity and security goals, we meet you where you are and deliver white glove consulting services through our agile approach.
