This guest post was written by Piyush Pandey, CEO at Appsian:
With the World Health Organization (WHO) declaring COVID-19 (Coronavirus) a pandemic, businesses now are facing a unique challenge of needing to prepare a strategy that prevents essential functions from disruption, continuously provides essential services, and maintains their ability to deliver core capabilities.
Organizations are required to secure power users’ remote access, such as within Human Resources departments, to ensure that their workforce members and data remain healthy. What are the important strategic steps that need to be taken in order to make this transition go smoothly?
Let’s start by looking at some of the business continuity challenges organizations face during the COVID-19 pandemic.
Social distancing, or separating people to limit the spread of infection, has led many organizations to adopt more flexible remote work strategies. The Occupational Safety and Health Administration (OSHA) and Health and Human Services (HHS) issued joint guidance that specifically suggested:
Employers should explore whether they can establish policies and practices, such as flexible worksites (e.g., telecommuting) and flexible work hours (e.g., staggered shifts), to increase the physical distance among employees and between employees and others
Problematically, organizations can’t just stop securing data and maintaining privacy controls. Organizations still need to engage in mission-critical operations including human resources, payroll, and vendor contract payment. Business continuity planning also includes managing power user access to and within the applications that support those operations.
Then comes reassessing the power user access needs and risks. If you traditionally require power users to access data from on-site devices, then you need to update your risk assessment to create appropriate internal controls. Most cybersecurity and privacy regulations and standards have language similar to the following from the New York Department of Financial Services (NY DFS) Cybersecurity Rule:
The Covered Entity’s Risk Assessment shall allow for revision of controls to respond to technological developments and evolving threats
While COVID-19 is itself neither a technological development nor an evolving cyber threat, the move from on-site to remote work could qualify under these types of risk assessment requirements. As you prepare your business continuity plan (BCP), you should also update your cybersecurity and privacy risk assessments as well as your business impact analysis (BIA).
Additionally, use access controls to “simulate” a workday. Your power users need the same access from home that they need in the office. To limit business disruption, you still need to engage in hiring practices, pay employees, and meet contractual vendor payment requirements.
Using a solution that allows you to set repeating timebound controls gives you a way to control user access and limits the window in which risks like stolen credentials can be exploited. For example, during a normal business day you may expect employees to be in the office between 7am and 7pm if you offer a flexible work schedule. For standard users, this level of timebound access helps provide day-to-day operational business continuity.
For power users with additional access to organizational and customer financial information, limiting sensitive information access even further might be useful. As part of your BCP, you might want to consider:
- How much time does the power user spend interacting with sensitive data?
- Can we set timebound access uniquely for privileged access?
- Can we rapidly escalate access privileges outside of those windows in the event a power user needs to engage in a task at the last minute?
By limiting the time of day during which power users can access sensitive information, you reduce the exposure window for attacks such as man-in-the-middle and credential theft. With a smaller monitoring time window, you can decrease the operational costs associated with monitoring and gain greater visibility into anomalous behavior.
Additionally, limit power user data visibility. When reviewing access and risk as part of BCP, you may also want to incorporate the power user’s need to view the information. Users may not need to view all the sensitive information in an ERP solution to meet job function requirements. For example, an accounts payable power user may need to view the dollar value of a receipt but may not need to view the bank data in order to process the payment.
When incorporating power user remote access needs and business operation continuity, you should start by asking:
- What is the business-critical operation for this user?
- What data does this user typically access to meet their job function requirements?
- What data does this user typically view based on my data visibility controls?
- What access does this user absolutely need to complete the job function?
- What visibility does this user absolutely need to complete the job function?
Engaging in this process provides you with answers that can help reduce data security and privacy issues associated with power users who work remotely.
Data masking adds a security layer that minimizes data breach risks and helps fulfill encryption requirements: even if cyber attackers gain access to the device, the masked fields remain unreadable to them.
Also, continuously monitor power user access. From a security standpoint, visibility into how and when remote power users access sensitive information is a primary struggle. For example, in SAP, organizations need a way to view and control access based on context, including user attributes, data attributes, activity type, IP address, user location, time of day, amount of money transacted, number of transactions, user activity trends, and segregation of duties.
After creating contextual controls, you should incorporate power user security analytics monitoring dashboards that provide insight into anomalous activities. For example, you may want to consider monitoring authentication attempt trends or geographic location access to detect stolen credentials being used by malicious actors. Meanwhile, incorporating access trends by data sensitivity level and access trends for power users can help mitigate internal privilege misuse risk.
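The timebound windows, last-minute escalation and field-level visibility discussed above, plus the denied-attempt feed for a monitoring dashboard, as one added worked example. This is illustrative code written for this post, not Appsian's product or any SAP/ERP API; the window hours, role names, field names and approver are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed policy (assumed values): standard users get the 7am-7pm office
# window, power users a narrower window for sensitive data. Hours are [start, end).
ACCESS_WINDOWS = {"standard": (7, 19), "power": (9, 17)}
# Field-level visibility per job function (assumed names): an AP power user sees
# the dollar value of a receipt but not the bank data used to process the payment.
VISIBLE_FIELDS = {"ap_power": {"vendor", "amount"}}
MASK = "****"

@dataclass
class Escalation:
    """Approved, time-limited privilege escalation outside the normal window."""
    user: str
    approved_by: str
    expires: str  # ISO 8601 timestamp, e.g. "2020-03-20T21:00"

def in_window(tier: str, when: datetime) -> bool:
    start, end = ACCESS_WINDOWS[tier]
    return start <= when.hour < end

def access_decision(user: str, tier: str, when_iso: str, escalations):
    """Return (allowed, reason) for one timebound access attempt."""
    when = datetime.fromisoformat(when_iso)
    if in_window(tier, when):
        return True, "inside timebound window"
    for esc in escalations:
        if esc.user == user and when < datetime.fromisoformat(esc.expires):
            return True, f"active escalation approved by {esc.approved_by}"
    return False, "outside window and no active escalation"

def mask_record(record: dict, job_role: str) -> dict:
    """Hide every field the job function does not need to view."""
    allowed = VISIBLE_FIELDS.get(job_role, set())
    return {k: (v if k in allowed else MASK) for k, v in record.items()}

def denied_attempts(attempts, escalations):
    """Dashboard feed: every attempt (user, tier, when_iso) that was denied."""
    denied = []
    for user, tier, when_iso in attempts:
        allowed, _ = access_decision(user, tier, when_iso, escalations)
        if not allowed:
            denied.append((user, when_iso))
    return denied

if __name__ == "__main__":
    esc = [Escalation("alice", "cfo", "2020-03-20T21:00")]  # constructed sample
    print(access_decision("alice", "power", "2020-03-20T20:00", esc))
    print(mask_record({"vendor": "ACME", "amount": "1200.00",
                       "bank_account": "12345678"}, "ap_power"))
```

A spike of entries from denied_attempts for one account, or attempts clustered just outside the window, is the kind of anomaly the dashboard described above should surface.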
Finally, create an effective and secure Business Continuity Plan for situations like what we are currently experiencing. Preventing business disruption as part of BCP also means securing power user access and visibility into sensitive data. The Coronavirus may be acting as a catalyst for organizations to change their approach to managing user access to sensitive information. Although using automated solutions to secure information is not new, many companies instead required employees to work on-premises when handling sensitive data, resisting the perceived costs associated with these solutions.
Organizations can leverage their business continuity planning and business impact assessments to drive additional data security as part of digital transformation. Whether remote work becomes the new norm or not, businesses can incorporate these controls to better secure their power users across both on-site and remote work.