How one healthcare CISO is navigating the COVID-19 crisis

Gourav Mukherjee is a managing partner at vCISO firm Immersion Security. Since January he has been acting CISO at a private equity-backed healthcare company with hundreds of locations across the US. In addition to managing security for the organization, Mukherjee now must deal with business continuity issues. “They have internal security staff but don’t have the expertise and leadership above a director level and are without a CISO at the moment,” he says.

Mukherjee contracted COVID-19 during a meeting in Florida. He has been in isolation and though he described the experience as akin to having flu and bronchitis at the same time, he is through the worst of it. “I think I was better equipped because I work in the security space and provide virtual services. For me to move some of the in-person meetings that I have in the last week to online wasn’t a big deal.”

Mukherjee says that security is currently “all hands on deck” at the healthcare organization as it does its best to pivot to a mostly remote working organization. “Some of the risk work and long-term security program planning and documentation has been pushed to the side for the moment while we try to help them with their immediate continuity needs.”

The crisis has challenged Mukherjee to keep security relevant, especially while being isolated. “For a lot of people their view is business continuity first, and so they’re making very quick decisions that may be good business strategy but they’re not putting the right security in place.”

Being remote makes that challenge harder. “It has been difficult not being there in person, at least from an emphasis standpoint of being able to get my point across. Once the meetings go completely online, I think I’m at least on an even playing field with the rest of the folks in the room.”

One example he gives is sending people home with their desktop computers that are normally behind the corporate firewall and managed with a corporate solution. “A lot of those security functions won’t work remotely, or they’re not initially configured to work remotely,” Mukherjee says. “People are making decisions in the interest of business continuity, and security is just constantly plugging the holes.”

The best way to keep security in the mind’s eye of the business during this time, Mukherjee advises, is to keep identifying, quantifying and clearly explaining risks and their likelihood to occur. “I find that If I focus on cost of risk vs. cost of risk mitigation, it seems to help both keep security relevant as well as gets my point across. Cost is a major factor for companies during the COVID crisis.”

Security is often seen as a hinderance to business, and in a situation where circumstances and decisions are very fluid, that perception is being magnified. “If somebody says, ‘We want to have this solution ready to go by close of business Friday,’ we have to do our best which isn’t going to be as good as normal, and even if we make the right recommendations they’re not going to be able to implement it [in time],” Mukherjee says. “We’re focusing on completely risk-based decisions. If there’s a risk they can’t mitigate before they make one of these changes, we’re at least giving them the best risk reduction that they can get.”

Security education during the crisis

Opportunistic threat actors of all types have been quick to take advantage of the sudden increase in people working from home. They are using phishing emails and malware-infected apps and websites that offer COVID-19 information to make money, disrupt operations and spread disinformation.

Mukherjee is seeing a lot of phishing geared around “panic click”: emails saying that the organization is doing layoffs and then urging the recipient to open an infected spreadsheet to check if their name is on the list. “These are the types of things where people are going to immediately panic first, before they go through their normal analysis loop,” he says.

The best way to prevent that panic click, Mukherjee says, is to communicate clearly how the company will inform employees of important news like a closure, government lockdown, or a local quarantine. He also suggests using multiple channels such as an internal messaging system and direct communication from supervisors. Also tell them how the company will not communicate—for example, that they will not receive emails with attachments or be required to get third-party verification.

“We just have to be extra vigilant through this process to make sure that they’re not getting hit by something that’s a user error,” says Mukherjee.

Technical issues will arise amid remote working

Security teams are going to miss vulnerabilities, warns Mukherjee, because they are helping with IT tasks. “Security folks are pitching in doing everything from configuring VPNs to helping with troubleshooting some of the continuity solutions, some of which are ad hoc solutions because companies hadn’t planned on sending an entire workforce home.”

These are some of the technical issues that Mukherjee and other CISOs have seen during the crisis:

Bandwidth constraints

Naturally with a sudden shift, technical issues can arise, especially around bandwidth, connections and teleconferencing. Mukherjee says one of his clients suddenly realized Skype is limited to 75 users on a given conference call which was creating issues.

Many companies have implemented or expanded their use of VPNs to establish more secure connections to internal systems, but that doesn’t scale well in some instances. “Having to route everyone through VPN is not efficient because of the constraints on bandwidth and available connections is a lesson we’ve learned,” McAfee’s CIO, Scott Howitt, tells CSO. “We are actually encouraging our people not to use VPN when working from home unless they need access our internal network as most of what they need can be accessed directly through our SaaS providers.”

Protecting high value workers remotely

John McClurg, senior vice president and CISO at BlackBerry, says his biggest challenge is accommodating unique use cases of engineers within his organization and ensuring high value workers can produce at home in the same way they would in a lab. “That’s requiring a little time and collaborative effort on my part to make sure we understand them and what they need and then, of course, how do we make that happen in a secure manner, while ensuring that they can work as effectively and efficiently as possible.”

Licensing restrictions

Jason Hicks, advisory CISO at Kudelski Security, says his company has gone through its internal infrastructure such as VPNs, application load balancers, endpoint protection technologies and remote collaboration tools to make sure it has the required licenses and technical capacity to support a dramatic increase in remote users. “We’ve increased internal communications to ensure our employees know the basics on working remotely,” he adds. “This includes guidance on when the VPN is needed and when it isn’t.”

Balancing authentication requirements against risk

To streamlining productivity, Alert Logic’s Senior Vice President of Technology Operations and CIO Sydna Kelley says her company has extended the default timeout settings for its identity and access management (IAM) tool so users don’t have to authenticate repeatedly, though she adds it is a risk/balance scenario that needs to be carefully considered.

Pushing out endpoint protection

Ryan Weeks, CISO at Datto, says that companies need to rethink how they’re pushing protection against threats targeting employees – such as the malware-laced COVID-19 interactive map sites his team saw employees accessing – as security teams are now accounting for workstations that may not be subject to your standard office network security controls.

Have people redundancy plans

Companies need to have people redundancy plans in place for dealing with the prospect of losing staff or key members of the organization for weeks if they become ill. During Mukerjee’s isolation, another of his Immersion Security colleagues also contracted the virus, so the company has had to adapt quickly to losing key members of staff.

“Fortunately, we had enough people on our roster that we were able to pick up the slack while [my colleague and I] were both down. One of my in-house project managers had to step up,” says Mukherjee. 

As well as identifying which staff internally could help with key tasks during this time, Mukerjee says he had outside contractors with the right skills on notice to step in if needed. “Part of our contingency plan is to have other subject-matter experts that have knowledge in these skill areas, and we’ve encouraged our clients to do the same.”

Mukherjee has seen one client cross-training to fix “single points of failure” when it comes to roles and individuals in the organizations. Others have rotated staff en masse. “One client in the financial services industry can’t afford to not have banking services available, so they’re rotating staff one week on, one week off. They’re paying their staff in the week and doing a deep clean of the facility over the weekend. They’ve literally got 50% of their staff off every other week until the virus is gone.”

Look to natural disaster plans

Companies in areas used to natural disasters like hurricanes or earthquakes might be in a slightly stronger position than those in more traditionally “safe” regions. If organizations have natural disaster preparedness and recovery plans and process – or have locations that do that can be shared with the wider business – now might be the time to use them.

“Having an updated global pandemic plan, as well as business continuity plans for critical business applications and for each location is crucial and of great value,” says Shawn Burke, global CSO at Sungard AS. “Having these plans intact and testing them at least once a year will allow businesses to respond to pandemics in a calm manner, rather than panicking. There are always lessons to be learned from situations like these and its smart for businesses to review how they fared and update their existing plans to prepare for the future.”

Mukerjee says that given their regular encounters with hurricanes, organizations in Florida seem to be better prepared than some. “During the hurricanes you run into the same situations,” he says. “You’ve got a staff of hundreds or thousands that have to now suddenly work remotely, and they run into all sorts of headaches and hiccups and that they weren’t aware of.”

“My clients that are in Florida that have gone through hurricanes and have hurricane preparedness are a lot better off than the one or two clients that I have that are in the middle of the US that never deal with these type of area-wide disasters or emergencies.”