CISO interview: Phishing is not our main concern

Cyber security has been something of a hot topic during the ongoing COVID-19 crisis, it’s received widespread attention in the media, most of which has focused on the increased phishing threat from opportunistic cyber criminals.

However, according to a series of interviews that we have conducted with CISOs and cyber defence managers in Danish financial institutions, the real concerns are more focused on the long-term operational challenges that the crisis creates. 

CISOs across the world are working long hours to ensure that their organisations are able to adapt to the new reality that is facing them as a result of the COVID-19 outbreak. In Denmark, most organisations had to send the majority of their workforce home to work remotely for the foreseeable future after an announcement from the government on the 11th of March.

“The first days were overwhelming, we had to adapt and become a 100% digital company overnight” says Søren Damgaard, CISO at e-nettet.

Moving an entire workforce to home offices is a logistical challenge for most organisations, from both an operational and a security perspective. One of the first concerns that was raised by experts and media in the IT security industry was the lower level of security that is typically associated with home offices – and how cyber criminals are expected to exploit this with more frequent and more sophisticated phishing attacks.

FortConsult’s Frederikke Knop interviewed a group of Danish CISOs about their concerns and other challenges they’re currently facing.

Phishing is always a concern

The CISOs that we interviewed are aware of the phishing threat and have all taken what they call the usual precautions to mitigate it: for example, as an awareness measure, they have communicated reminders about the phishing threat to all employees and have increased their monitoring of inbound communication.

However, all of them share a consensus on the fact that phishing is always a concern, and hence not their main worry during the COVID-19 crisis.

”I always find it worrying when criminals exploit a national and global situation to commit crime. So yes, absolutely, it is worrying,” says Martin Kofoed, VP of Cyber Defence at JN Data. However, he urges his peers to stay level-headed: “We are not experiencing more cases than usual at the moment. Neither have we registered more advanced or more targeted attempts to compromise our company.”

Our interviewees are satisfied from an IT security perspective with how the transition to home offices has gone so far in their respective organisations. However, they are concerned about the consequences of the entire workforce potentially having to work from home for a number of weeks or maybe even months.

Impact on employee health

COVID-19’s potential physical and psychological toll on employees is the greatest concern among the CISOs that we’ve spoken to. Contingency plans for a spike in sick leave and initiatives to improve the well-being of employees are therefore high on the agenda.

”If you have a network team of three, and one of them catches the virus and is sick for a month… It’s incredibly difficult to onboard a replacement under these circumstances, so the employee that is on sick leave cannot be relieved. Your capacity in this case is suddenly reduced by 33%, and you’ll have to start prioritising tasks. This is a potential issue that we are very aware of at SimCorp,” says CISO Karsten Klausen.

The interviewed CISOs advice for their peers is to adjust their contingency plans and increase their organisations’ focus on the mental and physical health of their employees, which will be put to the test by prolonged periods of working from home. Clear and regular communication with all employees, daily meetings and one-on-one conversations are among the steps that are being taken by our interviewees’ organisations so far:

”We are having daily meetings with our employees to get a sense of where people are mentally. I think it’s time well spent. Management prioritise their time to call their employees and ask how things are going, which is something we’ve only had positive experiences with,” says Martin Kofoed.

Besides regularly checking in with their employees, companies are trying out creative ways of maintaining unity and team spirit: Nykredit, for example, have set up a virtual Friday bar, where colleagues can have a drink and chat about life outside of work.

Operational disruptions

Business continuity is high on the agenda, as moving the entire workforce to working remotely is an unfamiliar situation for everyone. A security breach or a critical technical error can quickly result in employees not being able to work, making companies particularly vulnerable to disruptions.

”It’s important to think carefully about the infrastructure around your home offices (VPN, Citrix, etc.), so that you do not have a single point of failure. Because if you do, no one will be able to work if your single point of failure is disrupted, whether as a result of a DDoS attack or a human error. This leaves your business particularly vulnerable, and companies should be on high alert as a result. We are very aware of this at Nykredit,” says Simon Thyregod, CISO at Nykredit.

These concerns mean that most companies are working on increasing their readiness, as the ability to respond quickly to incidents and technical errors is of critical importance.

”We’re currently having 1-2 status meetings in the security department every day, where we look at the latest recommendations and anything that is going on around the globe and internally in our organisation,” says e-nettet’s Søren Damgaard.

Vulnerability to major incidents

The interviewed CISOs have been able to adapt to life under COVID-19 without major IT security issues. However, they are concerned that companies are more vulnerable to global incidents than usual. Difficulties with restoring operations and communicating with employees during and after a major incident are a worry:

"If we were to get hit by a so-called NotPetya2, our ability to respond would be severely hampered by the fact that all employees are working from home and are not able to meet physically because of government instructions. Then we would be reliant on communication channels that could potentially become unavailable in this situation,” says SimCorp CISO Karsten Klausen.

Just getting laptops ready for imaging would be a logistical nightmare, which is why Karsten Klausen, like many of his peers, already has contingency plans in place for a worst-case scenario. Alternative communication channels, such as SMS and WhatsApp, must be in place before the cyber crisis occurs.

”We have secondary communication channels in place, for use in emergencies, which work independently of our own infrastructure. And in the worst case, in an extraordinary situation, you’d just have to accept being forced to go to the office," says Karsten Klausen

To summarise, the COVID-19 crisis can be compared to a cyber crisis. It requires an agile approach to cyber security: communication needs to be clear and regular, contingency plans need to be constantly updated, and you need to plan for life after the crisis.

”We constantly assess whether our contingency plans are adequate. Does anything need to be updated? Have any risks been realised, and if yes, have they taught us anything that we can use to adjust our risk management going forward? This is important – not least in anticipation of life after COVID-19,” says Martin Kofoed.