ISF CISO Briefing: COVID-19 Response

PUBLISHED BY: Information Security Forum Limited, +44 (0)20 3875 6868, [email protected], securityforum.org

CLASSIFICATION: Public

The information in this document is correct as of 30 March 2020.

HEALTH ADVICE: Circumstances regarding COVID-19 are changing rapidly. Readers should obtain up-to-date information and guidance (including safety, medical and epidemiologic advice) from credible sources, including regional and national health authorities, the World Health Organization and the Centers for Disease Control and Prevention (CDC).

See appendix for website details.

ISF CISO BRIEFING 1. COVID-19 RESPONSE

Published: March 2020


CONTENTS

INTRODUCTION 04
BACKGROUND 06
FACTORS AFFECTING THE ORGANISATION’S RISK PROFILE 08
MANAGING INFORMATION RISK IN A NEW WORLD 10
TAKING ACTION 12
ISF MEMBER RESOURCES 12
APPENDIX 13


INTRODUCTION

We are now approaching three months into a global health crisis that continues to evolve at a rapid pace, creating worldwide uncertainty at an international, business and personal level. With the World Health Organization (WHO) declaring the coronavirus (COVID-19) outbreak a pandemic, we are now facing a defining moment in world history.

COVID-19 is expected to eclipse the effects of other major crises, including 9/11 (2001), SARS (2003), the global financial crisis (2008), H1N1 (2009) and the Japanese earthquake and tsunami (2011). Nations, governments and organisations are now confronted with a monumental challenge, the likes of which have not been seen for over 100 years, if ever. As the virus spreads across every continent, it is clear that the world of tomorrow will be very different.

Many of the circumstances regarding the spread of the virus, and the decisions taken at a national level in each country, are outside the control of most organisations. Beyond observing and reacting to frequent changes, organisations are having to adjust to a new way of operating for the foreseeable future.

For CISOs and risk management leaders, as with other business functions, a significant challenge lies ahead. Not only do security professionals have to join the organisational fight against the consequences of the coronavirus, they must adapt to a complex, volatile and unpredictable environment, possibly with limited resources.

How will events unfold over the coming weeks and months, and what does the future hold for CISOs and other risk management leaders?

[Map legend, confirmed cases per country, territory or area: 0/data unavailable, <500, 501–1k, 1k–10k, 10k–50k, 50k–100k, >100k]

BASIS AND PURPOSE OF THIS PAPER

This paper represents the first in a series of COVID-19 response-related publications by the Information Security Forum (ISF). It is based on the contribution of senior risk management and security leaders, ISF experts, insights from ISF Research and an examination of reputable sources from around the world.

The paper views the crisis from the perspective of CISOs and other risk management leaders. It provides a brief background to set the scene, explores important factors that affect an organisation’s risk profile and introduces a set of response recommendations. These recommendations will be examined in subsequent publications.


[Figure: Countries, territories or areas with reported confirmed cases of COVID-19 (world map). Data source: World Health Organisation, 30 March 2020.]

[Figure: Epidemic curve of confirmed COVID-19 (x-axis: 22 January to 30 March 2020; y-axis: 0 to 45k). Data source: World Health Organisation, 30 March 2020.]


BACKGROUND

Mainstream and social media, as well as numerous websites, provide a continuous feed of information about COVID-19, its spread and effects, expert commentary regarding implications and directives from governments.

At the time of writing (30 March 2020), the coronavirus has been detected in 203 countries, areas and territories around the world. The number of coronavirus cases stands at 638,146 worldwide, with related deaths reported to be 30,039.

[Figure: Cumulative cases worldwide (x-axis: 22 January to 26 March 2020; y-axis: 0 to 650k). Data source: World Health Organisation, 30 March 2020.]

A HEALTH ICEBERG

Both case rates and death rates are following a similar trajectory, but information regarding the rate of confirmed cases is limited by the testing capabilities in each country. Not until governments increase testing significantly will we have more realistic and accurate figures regarding infection rates and implications.

As a result, we can only see the tip of a potentially large iceberg that emerges over the coming months. Predictions published on the Good Judgement Project dashboard for COVID put the most likely worldwide scenario (50% approximately) at between 53 million and 530 million cases and between 800,000 and 8 million deaths.

Superforecaster Analytics for COVID-19 (Data source: Good Judgement Project, 30 March 2020)

How many total cases of COVID-19 worldwide will be reported/estimated as of 31 March 2021?
<5.3m: 1% | 5.3m–53m: 12% | 53m–530m: 48% | 530m–5.3b: 37% | >5.3b: 2%

How many deaths attributed to COVID-19 worldwide will be reported/estimated as of 31 March 2021?
<80k: 1% | 80k–800k: 18% | 800k–8m: 55% | 8m–80m: 24% | >80m: 2%


THE GLOBAL VIEW

At a global level, governments are racing to implement drastic measures to prevent the spread of the virus. Harsh action, under emergency powers legislation, is increasingly commonplace across the world as movement of people is severely restricted, forcing many to stay at home. These measures have many consequences which are only becoming apparent for businesses operating in all industry sectors.

The focus of most businesses is now on the health and wellbeing of employees, understanding the risks to their organisation, and managing the supply chain disruptions caused by the efforts to contain the spread of COVID-19. The full impact of this pandemic on businesses and supply chains is still unknown. Optimistic forecasts predict normalcy in China in Q2, while other forecasts predict a global recovery in Q3 and beyond. This period depends on many factors, including infection and death rates, behaviour of individuals and the steps taken by governments to combat the virus.

One thing is certain. The effects of COVID-19 will have huge ramifications for the global economy and reshape global supply chains associated with all industry sectors.

BUSINESS IMPLICATIONS

Implications for businesses continue to emerge as they become affected by disruptions in the supply chain affecting inventory levels, loss of sales orders, travel restrictions, unavailability of employees, government shutdowns and temporary closure. Further consequences remain unknown but could extend to degraded health services, increased anxiety in the workforce, staff fear of infection and civil unrest due to misinformation.

BUSINESS REACTIONS AND RESPONSE

Businesses need a robust game plan for the next 3-6 months, which includes prioritisation of staff, operations, risk management and business survival. This plan should include:

• engaging with labour unions, employees and other individuals within the workforce
• adjusting business operations (e.g. finance, production, logistics and customer service) and strategy
• addressing the broader supply chain, both upstream and downstream
• confronting an unpredictable risk landscape – long-term strategy and performance might need to be deprioritised for the foreseeable future.

“WE ARE HOPING FOR THE BEST BUT PREPARING FOR THE WORST.”


FACTORS AFFECTING THE ORGANISATION’S RISK PROFILE

As business leaders focus on running the organisation, the primary focus for risk management and security professionals during the crisis will be the protection of the organisation’s critical assets. This will include examining the threats and exposures as they evolve (including those that have unexpectedly escalated) and taking steps to keep risk within acceptable limits, particularly as the organisation’s appetite might be subject to change.

CRITICAL ASSETS

While people are the number one critical asset to be protected, many other high-value assets throughout the organisation remain subject to management and protection, including business processes and services, property, industrial equipment, vehicles and materials/goods.

ADJUSTING TO A NEW THREAT LANDSCAPE

Like all major global events, the coronavirus brings with it new and unwanted threats. Adversarial groups (particularly criminals) will attempt to exploit uncertainty and changes to business working practices.

Coronavirus-themed malware (including those that exploit LokiBot, Remcos RAT, Emotet and Formbook) as well as malicious executables and Microsoft Office files are being detected by security firms. Organisations are reporting threat activity in the form of fraud, bogus emails, phishing campaigns and malware.

While the global response to the coronavirus presents a new and immediate risk to organisations, many critical assets remain exposed to current threats, some of which are already evolving and materialising.

Criminal activity is expected to emerge in a physical form as organisations change working locations, halt operations and lock up premises indefinitely. Theft of physical assets, burglary, robbery and damage to property represent a concern among many business leaders.

New working environments also influence the nature of accidental threats. Modified business processes, alternative working locations, new responsibilities and use of unfamiliar technology increase the likelihood of human error. Under pressure, preoccupied with health implications and dealing with priorities at home, employees and other members of the workforce will be more prone to making mistakes.

“WE HAVE SEEN A 400% INCREASE IN SMS PHISHING ATTACKS AGAINST OUR EMPLOYEES.”


EXPOSURE POINTS

The changing threat landscape requires risk management and security practitioners to pay close attention to how exposures change over the coming months and the circumstances that influence the level of protection. As business processes, working environments and technology change, gaps in protection will emerge, requiring prompt attention.

BUSINESS IMPACT

With organisations already suffering immediate and major impact from COVID-19, the focus of risk management professionals will be to reduce the level of threat to information and technology assets, and minimise business impact and financial loss when threats materialise.

It is not possible to know how impacts will unfold in the coming months. However, the environment in which organisations will have to operate will have significant implications on impact, forcing organisations to prepare for unexpected outcomes.

THE INSIDER THREAT

Risk management and security leaders will need to manage the delicate issue of the insider threat during a time when many employees have concerns, need support and require protection.

Employees subject to new working arrangements could react maliciously due to restricted hours, lowered remuneration, reduced promotion opportunities, and even expectations of redundancy. These concerns at work can be compounded by increased levels of stress outside work due to worries about family health, livelihood and uncertainty about the future.

Under such conditions, employees might become disgruntled or disaffected towards the organisation, resulting in occurrences of fraud, information leakage and theft of intellectual property.


MANAGING INFORMATION RISK IN A NEW WORLD

Organisations operating in all industry sectors have been forced to react quickly to evolving circumstances. However, traditional business resilience measures have not taken into account the current crisis. As a result, gaps are being identified during early testing of business continuity plans and arrangements.

CISOs and other risk management leaders are highlighting two key aspects of resilience that are proving essential to managing risk in these early stages of the COVID-19 response – approach and communication.

APPROACH

As with any crisis, how an organisation manages the response can affect the level of success in maintaining business operations. Acknowledging the nature and extent of uncertainty as ‘the new normal’ is essential. Consensus among CISOs highlights eight key elements that are contributing to an effective response to the current crisis:

1. Speed and agility to manage circumstances as they change
2. Visible and ongoing support from the board and other business leaders
3. Focus on critical assets (including people, business processes, information and technology)
4. Clearly defined roles and responsibilities, including for individuals reassigned at short notice
5. Avoiding assumptions and managing bias in the face of uncertainty
6. Critical thinking to support decision making, particularly in light of missing, incomplete and incorrect information
7. Empowered employees who are educated and trained in making risk-based decisions
8. Clear and regular communication to all stakeholders.


“OUR BOARD IS FOCUSED ON KEEPING THE BUSINESS RUNNING WHILE WE PROTECT ORGANISATIONAL ASSETS.”

PEOPLE FIRST

Overwhelming consensus among CISOs and their business leaders is that the number one priority in a crisis is the health, safety and wellbeing of employees. Organisations have reported an increasing load on HR functions and occupational health teams as they manage staff expectations and handle enquiries from employees.

Organisations need to develop and implement pandemic plans that include: employee support services; alternative methods of communication and collaboration; minimisation of infection in the workforce; restriction of contact with infected persons; and adequate leave for infected employees to recover.

COMMUNICATION

Communication with stakeholders in the organisation and with external parties will influence an organisation’s resilience to the effects of the global pandemic. CISOs leading response efforts are implementing robust but adaptable communication plans, which involve:

• Identifying stakeholders, including business leaders, key business support functions, employees, suppliers, customers, business partners and, where necessary, the public
• Communicating frequently with stakeholders and keeping them informed on a regular basis
• Providing a mechanism to address the concerns and questions of stakeholders
• Establishing lines of communication, using different methods for different groups, such as social media technology, mobile and collaboration platforms
• Managing the content of communication, always being mindful of the dependency on incomplete and incorrect information
• Increasing engagement with key suppliers and customers (e.g. the top 10-20).


TAKING ACTION

Subsequent ISF CISO Briefings will examine the steps being taken by leading CISOs to manage information, technology and cyber risk, while combatting the effects of COVID-19 on businesses worldwide. The briefings will address key areas, such as business resilience, workforce and working arrangements, maintaining and securing technical infrastructure and protecting the supply chain.

ISF MEMBER RESOURCES

RECOMMENDED RESOURCES

The ISF has an extensive library of reports, tools and methodologies available to Member organisations on ISF Live and recommends the following:

Securing the Supply Chain: Preventing your suppliers’ vulnerabilities from becoming your own

Establishing a Business-Focused Security Assurance Programme: Confidence in controls

Using Cloud Services Securely: Harnessing core controls

Standard of Good Practice for Information Security 2020

Building Tomorrow's Security Workforce Briefing Paper

Securing Collaboration Platforms Briefing Paper

Delivering an Effective Cyber Security Exercise

Protecting the Crown Jewels: How to secure mission-critical information assets

Managing the Insider Threat: Improving trustworthiness

Supply Chain Assurance Framework: Contracting in confidence

COVID-19 SUITE

The ISF has created a suite of useful resources available to Members during this period. These resources are available on ISF Live and include:

• Top 10 Cyber Security Tips for Homeworking Poster
• Top Tips to Prepare for Future Threats in the COVID-19 Era Poster
• Podcasts and webinars
• Blogs and press releases

Access the ISF resource and content suite for COVID-19 on securityforum.org and the ISF Live COVID-19 Resource Suite on ISF Live.


APPENDIX

EXTERNAL RESOURCES

Credible sources of information regarding COVID-19 are available publicly, including:

• World Health Organization
• US Centers for Disease Control and Prevention
• European Union COVID-19: Commission sets out European coordinated response
• European Centre for Disease Prevention and Control: Situation update worldwide
• United Nations: Coronavirus disease (COVID-19)
• Health and Safety Executive: Coronavirus latest information and advice
• U.S. Department of Health and Human Services
• Johns Hopkins Coronavirus Resource Center
• Worldometer Coronavirus Update (Live) COVID-19 Virus Outbreak
• Nextstrain
• Public Health England
• European Commission

RESEARCH

Research used to develop this series of COVID-19 response-related publications includes reports produced by Aon, Boston Consulting Group, Deloitte, EY, Grant Thornton, Harvard Business Review, International Monetary Fund, Marsh, McKinsey, Moody’s Analytics, Organisation for Economic Co-operation and Development (OECD), Oliver Wyman, PwC, RAND, Slaughter and May, World Economic Forum, World Health Organization and World Trade Organization.


ABOUT ISF

Founded in 1989, the ISF is an independent, not-for-profit association of leading organisations from around the world. The organisation is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions.

By working together, ISF Members avoid the major expenditure required to reach the same goals on their own.

Consultancy services are available to support the implementation of ISF Products.

FOR FURTHER INFORMATION CONTACT: Information Security Forum, +44 (0)20 3875 6868, [email protected], securityforum.org

REFERENCE: ISF 20 03 05

©2020 Information Security Forum Limited. All rights reserved.
