COVID-19 Business Continuity: Working from Home and Cyber Resilience


In times of crisis, one of the guiding principles for leaders is to trust and enable the people in the organization who will be asked to go above and beyond.


As someone with decades of previous military service, I found that many well-known mantras began to enter my mind as we entered the "Twilight Zone" of the COVID-19 global crisis. I was finishing my latest novel at the time, so my mindset was already immersed in fantasy, science fiction, suspense, and even horror as my spy thriller came to its conclusion. Then I looked up, and the world was in crisis. We were entering the zone between reality and fantasy—an author's dream. Would there be an unexpected twist? A macabre ending? Or even a philosophical moral to the story?

Having dealt in risk management all my life, often in life-and-death situations, the mantras came at me like a flood. "Never let a good crisis go to waste." "Act early, move fast, and stay low." "Improvise, adapt, overcome." But I knew that only one mantra would stand the test of an enduring campaign, a mantra often cited by my long-time mentor and former special forces friend over our regular lunches: "Always keep a half-pint of goodwill with your people—you'll never know when you'll need to call upon it in a crisis."

Wise words indeed for any leader. You see, crises are all about people and how they can react smartly to reduce potential damage. That's why "train hard, fight easy" was always a core principle for me throughout a career full of crises.

Watching my own cyber and privacy team and our university IT practitioners "improvise, adapt, and overcome" during the past three months was superb, but, boy, it did mean some hard work and some very long hours, all with a common goal: to make sure the digital services our university community needed were delivered quickly, safely, and with agility. I take my hat off to all those workers who really have made a difference to the students and staff at home, learning, working, adapting, continuing their business, and forging ahead with their own goals. I have to say, it wasn't all a story of petals and roses—some serious difficulties and lots of frustration were part of the process. But if you work that well, and "hog the pain," eventually the fog will lift and people will make a critical difference.

From a cyber risk and resilience perspective, we needed to be sharp to reduce risk and smart in how we went about it. Many of our staff had to facilitate working from home for the first time. Even those who were already set up for remote access may not have been equipped to enable home working on the scale we are now witnessing during this pandemic.

As a crisis, COVID-19 has undoubtedly created additional security threats as attackers take advantage of the increased proportion of the workforce spending more time online at home, working in unusual circumstances. Home working shouldn't prioritize productivity at the expense of safety and security, but in some cases, this was bound to happen. We needed to do three major things: equip staff and students with the appropriate work tools, overlay sensible security measures, and train the workforce on the threats and then message those threats again and again. Engagement was key—a gentle "drip, drip" of solid and sensible advice to keep their homes cyber-safe.

We're some way past the days when security ended at the campus perimeter. The security perimeter is now digital, and our thinking and journey is one of moving toward zero-trust environments so that threat reduction can be achieved whether at home or on site, with data on site or in the cloud. Our main effort throughout this period has been an enduring messaging and communications campaign to our staff to achieve two things: help them understand the importance of handling and protecting data, and continually inform them of the measures they need to apply to ensure that our systems, platforms, and endpoints are secure. This messaging is vital to encourage them to adopt a specific way of working so that data won't leak.

All the while, new security threats are surfacing. Some are old attacks brought back now that we're more vulnerable, and others are new scams that prey on our desires to have up-to-date news, buy food, avoid infection, and recover quickly if we do get sick. Old-fashioned security practices that we used for years needed to be sharper, encouraging people to care about the data and their home vulnerabilities and showing them we are available to help and advise. That difference meant we needed to rethink our mindset and our approach to cyber resilience. I am often amazed by the resilience of our staff, who pivoted very quickly to innovative thought leadership in a time of crisis. Wonderful people make wonderful differences.

We had to manage four major risks as we thought about how to reduce our community's exposure to the threats flying around at the time:

  • Hackers targeting VPNs: For the cybercriminal, an obvious target—then and now—is the VPN, the new lifeline to extend our network reach. It was crucial to have endpoint checking and strong authentication and trusted devices in place once we'd extended the use of the VPN.
  • Threats to the endpoints: Cybercriminals generally start with identity theft before conducting their next stages of the kill chain to get to target assets through lateral movement, reconnaissance, and classic digital exploits—then they would move on to new targets.
  • Social engineering: In the past few months, attackers have taken advantage of human weaknesses. These types of social engineering attacks essentially weaponize tools and information because these attacks can easily be done with applications that also provide legitimate benefits. Before, attackers had to plan their lures, but now COVID-19 has become a common watering hole, which is why enduring awareness and education is vital.
  • Privacy risks: When staff take their devices home or use their home computers for work, those devices sit in a physical and digital space unlike any within the office, which brings risk to our data and privacy. Staff homes will have a plethora of routers, printers, IoT devices, and other social devices—staff will often be on conference calls within earshot of family members or even employees of other companies. Privacy breaches and data leakage from home devices are a clear and present threat.

As we have seen, the cybercriminal is often way ahead of our laws, our government advice, our technical countermeasures, and our own risk thinking, and they adapt and innovate at speed—just as we should be able to do. Security is a never-ending cat-and-mouse game of criminal adversary versus the defender and the hunter. Another mantra drilled into me as a counterterrorist officer was to always be in the mind of the terrorist (or, in this case, the cybercriminal). Think like them, design simulation exercises that replicate theirs, and defeat them with your own smart thinking and deception. Simple policies and messages to our community are an important part of collective defense, and caring about defense—campaigns to persuade everyone to care—that's my mantra nowadays: "Care about our data, and share that care." This is relevant as peer to peer and within teams, not only for security but also to privacy in general.

Lastly, an observation that I have used often, whether in the mountains, on the battlefield, in the office, chasing down adversaries, seeking incriminating evidence, or working at home: "With great teamwork, and great leadership, magnificent things will happen." The combination of our security team and trusted "critical friends" (as I am fond of calling our vendor partners) has enabled us, despite the odds, to achieve magnificent things during the COVID-19 crisis, hopefully with class, style, a sense of humor, tremendous teamwork, and good old-fashioned hard work. I've certainly seen that among our own community.

And of course, since I started this piece with mantras, it's perhaps worth finishing with my absolute favorite, which spurred me on throughout many doubting periods, crises included, and is the one I often sign my novels with:

"Never let fear get in the way of your dreams…"

For more information about information security governance, compliance, data protection, and privacy programs, please visit the EDUCAUSE Review Security Matters blog as well as the Cybersecurity Program page. Access additional security and privacy awareness resources through the Awareness Campaigns page.

Michael Jenkins is Chief Information Security Officer at Brunel University. He is also a veteran army officer and soldier, mountaineer, explorer, and the author of three spy thrillers. Follow him on Twitter @FailsafeQuery.

© 2020 Michael Jenkins.