June 2, 2020 Data Security Supply Chain in the Next COVID “Wave”

Organizations need to assess and plan for a still-uncertain future to ensure their data is secure and IT systems remain up and running.

By Stephen Boyce, Principal Consultant, The Crypsis Group

For some organizations, COVID-related lockdowns inspired a rush to adopt new applications and platforms to support remote work models and social interconnectedness with employees, customers, and partners. Manufacturing organizations classified as “essential services” faced the additional challenge of having to quickly adjust production facilities to new health safety standards for onsite workers. With so much to consider, decide, and do, some organizations inadvertently adopted what were later revealed to be insecure off-the-shelf IT solutions or platforms that buckled under the strain of new demand spikes. The haste to ensure business continuity in the first wave of COVID-19 had unexpected consequences.

Today, while many facilities are feeling settled into the “new normal,” organizations have, to some degree, a brief respite to assess and plan for a still-uncertain future. While no one knows when this new normal will shift into yet a new type of societal norm, most economic experts agree that we are headed into a period of economic downturn of undetermined length and severity. Without careful consideration and planning, there could be more unintended data security consequences. However, there are steps manufacturing organizations can take to ensure their data is secure and IT systems remain up and running during the next wave of effects of the COVID-19 pandemic. And, planning for provider continuity is a good exercise even in the best of times.

Take Stock of Your IT Outsourcing Dependencies and Data Flows

It is crucial to have a complete understanding of which IT vendors are essential to core business and manufacturing operations, as well as which handle any sensitive data. This can be more complex than it appears. Many departments, such as Finance, Marketing, and others, may license smaller cloud-based platforms to manage their work outside of IT’s line of sight; but sensitive data may be handled by these vendors, be the target of threat actors, and result in data breaches. Before you can assess your data security supply chain risk, we recommend auditing your third-party IT dependencies across the business and your data flows to understand where your data may traverse networks and be handled, stored, or processed outside of your perimeter. Vendors can include internet service providers (ISPs), cloud service providers (including any “shadow IT” cloud providers leveraged by smaller departments within business units), data center providers, managed security services—any vendor critical to supporting your information technology or operational technology (IT/OT) needs.

Ensure Third-Party Remote Work Models Aren’t Affecting Data Security Standards Today

Once you have identified your critical and data-handling vendors, contact them to assess whether their staff is working remotely, all or in part, and how they anticipate this has changed their current or anticipated future data security practices or contracted levels of performance. Some vendors may have requirements for retaining a certain number of onsite personnel (such as cloud infrastructure providers), but may still have remote workers in some essential functions. In many states or regions, “stay-at-home” orders for individuals and non-essential businesses are gradually being lifted. But it is up to individual businesses to determine when and how they will introduce their staffs back into the office, if, indeed, they will ever fully revert to entirely onsite models. It is not too late for organizations to come to an understanding of their IT vendors’ business status in this time of COVID.

Questions you may consider asking them include:

• Do you have a business continuity plan in place for COVID-19-related potential impacts?
• Have you shifted to a full or partial remote work model? If so:
  • Describe the security measures you have employed to protect ongoing operations and security of information assets.
• Are your staffing levels adequate to address current customer needs and/or take on new business? Do you have an employee augmentation plan should staff fall ill?
• Have you reduced, or do you plan to reduce, your services offerings as a result of COVID-19? If so, please specify.
• Are you experiencing (or do you anticipate) any degradation or outages of critical systems, services, or platforms? If so, please specify.
• Do you rely on third-party providers/partners for your offerings? Are you satisfied with their ability to deliver at the levels you require to deliver for your customers?

Partners are often essential and highly valued; delivering these questions with respect and appreciation helps continue to foster an ongoing, trusted relationship.

Assess Partners for Future Risk

When making inquiries of partners regarding their business continuity and remote work status, you may also choose to inquire whether they anticipate any future impediments (including financial issues) that will affect their ability to continue to meet your needs at the levels delivered before COVID-19. This is one step in assessing their financial solidity; but the fact is, few can accurately predict the economic impacts of global shutdowns, or even the course of the pandemic itself. We recommend taking a risk matrix approach: map out your third-party providers by the criticality of their offering to your core operations and whether they handle sensitive data. Also, consider the difficulty/time needed to assess and contract new vendors in this space. Consider your contract terms and your ability to cancel should performance or data security drop to unacceptable levels or service offerings change in scope. Using this information, prioritize your highest risk third-party service areas so that you can build a fallback plan, should a vendor close their doors or be acquired by another organization, and offer contract terms that are not favorable to your needs.

Planned Redundancy: Identify Fallback Plans

To avoid repeating mistakes made in the first COVID wave, we recommend conducting behind-the-scenes research to identify a shortlist of alternate providers for your most “at-risk” service areas, in case you need to find a new vendor quickly. Your research should determine whether they offer the span of service offerings, service levels, brand reputation, and, importantly, rigorous data security practices you require. Additionally, ensure you have a plan to repossess your data from your current vendors should they fail.

The goal of the exercise is not to create insecurity in your current provider base (particularly if you are satisfied with them); but, rather, understand your options so that you can shorten the time needed to shift to new vendors should it become necessary, avoiding the need to make hasty, poorly thought-out decisions that could backfire. Business continuity is paramount—but if you embrace a new vendor with sub-par data security practices and suffer a data breach, the cure can be worse than the illness.

A little research and planning today can help you feel confident you have a continuity plan for your IT solutions and data security, to stop riding the wave of COVID reactivity.

Stephen Boyce

Stephen Boyce
Principal Consultant, Crypsis Group
Stephen Boyce is principal consultant at The Crypsis Group, responsible for leading and investigating complex cyber investigations for clients across a range of industries. He is an experienced cybersecurity professional with a background in federal law enforcement and testifying as an expert witness in criminal cases.

He joined the Crypsis team in 2019 after several years with the Federal Bureau of Investigation, where he led national security technical exploitation. In that capacity, he worked on criminal investigations, analyzing and exploiting digital media and training the Bureau’s agents and analysts on how to interpret raw data. Stephen also maintained working relationships with the Bureau’s domestic and international partner agencies through his service on working groups, committees, and joint projects.

Previously, Stephen was a forensic examiner at the FBI and was a Cyber Intern for the National Cyber Investigative Joint Task Force (NCIJTF), the U.S. State Department, and the FBI.

Stephen is also an adjunct professor at the University of Maryland Global Campus and a cybersecurity adjunct professor at Marymount University. He holds a Bachelor’s degree in Information Technology, a Master’s degree in Cybersecurity, and is currently pursuing a Doctorate in Cybersecurity at Marymount University.

Subscribe to Industry Today