The COVID-19 pandemic has forced organizations to quickly
implement contingency plans to sustain their operations. For those businesses
that have remained operational, IT and security teams have often been so
focused on securing their newly remote workforces that they have had little
time to consider the additional security challenges from employees slowly
returning to the office.
For CISOs, IT managers and risk professionals, it may seem
like an impossible task to keep up with a rapidly evolving threat landscape,
compounded by the dramatic pandemic-related increase in cyberattacks over the
past year. Many organizations deploy a series of products as part of a layered
security approach, but when it comes to threat and vulnerability management,
these products may not provide adequate security for the new conditions under
which they now operate.
Implementing Security Controls
Many seasoned cybersecurity leaders are familiar with the
Center for Internet Security’s (CIS) critical security controls as a means of
extending their cyberrisk management practices beyond simple vulnerability
management. Developed using best practices from the global IT community, these
controls create a framework of real-world actions that, when implemented
correctly, can help organizations strengthen their security posture and take a
more proactive approach.
The CIS Top 20 Critical Security Controls are divided into
three categories: basic, foundational and organizational. Basic controls should
be implemented in every organization. After that, implementing foundational
controls paves the way for organizational controls, which focus more on people,
processes and workflows. Whether organizations are just starting to research
ways to strengthen their cybersecurity perimeter or seeking to add onto their
existing security program, the CIS controls help transform threat intelligence
into prioritized and actionable implementation activities to better protect the
The controls were designed to scale across organizations of
any size, and many use them to guide their entire security strategy. The
sequence of controls allows a organization to follow a foundational blueprint
while gradually improving its security posture and reducing its risk exposure.
According to CIS data, organizations can reduce their
overall cyberthreat and risk impact by more than 85% by simply implementing
five basic CIS controls. Now, as more offices reopen in varying capacities,
organizations should look beyond the basic controls to deal with the unique cybersecurity
challenges caused by the pandemic and subsequent recovery.
The following are some of the CIS Top 20 Critical Security
Controls that can help meet COVID-related challenges:
CIS Controls 1 & 2: Inventory and Control of Software
and Hardware Assets. Bad actors continuously scan target organizations for
vulnerable versions of software they can exploit. Some actors also distribute
malicious web pages, document files, media files and other content via their
web pages or otherwise trustworthy third-party sites.
For months, employees have worked remotely, having to
balance work and home life across multiple devices. Children may have borrowed
a parent’s laptop to use for school or entertainment, and parents may have used
their family’s tablet to check their corporate email. Each of these situations
presents a potential security risk for organizations.
Actively manage—inventory, track and correct—all software on
the network so that only authorized software can be installed and executed, and
that unauthorized and unmanaged software is found and prevented from
installation or execution.
CIS Control 3: Continuous Vulnerability Management. The
National Institute of Standards and Technology (NIST) has published thousands
of reports of common vulnerabilities and exposures (CVEs) since the beginning
of this year, and organizations must prioritize patching these vulnerabilities
while managing the demands of the workforce. Organizations that do not scan for
vulnerabilities and proactively address discovered flaws increase the
likelihood of having their systems compromised.
Conducting regular vulnerability assessments enables
organizations to identify vulnerable or misconfigured systems and prioritize
endpoint patching promptly. With a managed solution, organizations can continue
to function without in-office IT staff if teams are overwhelmed or are not able
to work on-site.
CIS Control 16: Account Monitoring and Control. Attackers
frequently identify and exploit legitimate but inactive user accounts. The
presence of inactive accounts on systems allows them to impersonate authorized
users, making their existence and intentions more challenging to discover. With
millions of Americans temporarily or permanently losing their jobs during the
pandemic, system administrators need to ensure furloughed employees are
properly deactivated. This will help ensure that their credentials can no
longer be used to access corporate systems and sensitive data for unauthorized
and sometimes malicious purposes.
As part of this process, organizations should scan for
information harvested from known data breaches that is publicly available on
the internet and dark web. This can help identify potential credential
exposures and prompt password resetting for any exposed accounts.
CIS Control 17: Implement a Security Awareness and
Training Program. For cybercriminals and scammers, COVID-19 has presented
many opportunities to benefit from chaos and uncertainty. Indeed, the FBI
reported in April that cybercrime incidents had already increased 300% since
the beginning of the pandemic. Companies can significantly reduce the
probability of an incident by implementing education programs that focus on
threats related to COVID-19 or even just offer a refresher on basic cyber
Bracing for a Second Wave
Companies may get the go-ahead to reopen and then be forced
to close again if infection rates increase. Turning to a set of standards such
as the CIS Critical Security Controls can help provide IT and security leaders
with the framework they need to manage the changing security landscape,
particularly given the challenges of COVID-19. While the five CIS controls
discussed are perhaps the most important to implement in the near-term,
organizations may need to conduct a thorough examination of how they currently
adhere to the entire set of CIS Critical Security Controls to maximize their
cyberrisk mitigation efforts in the long term.