The COVID-19 pandemic drastically impacted how companies operate as workers were given the option to perform their jobs from anywhere — not just a corporate office. While this new flexibility has been a boon to employees, it has also increased opportunities for hackers or malicious actors to threaten cybersecurity when workers remotely access company networks. So how has this impacted the focus of CIOs, CTOs, and CISOs?
In episode 4 of Compliance Crosswalk, hosts Arti Lalwani and Blaise Wabo are joined by Joe Alequin, Chief Information Security Officer (CISO) at FAIR Health, Inc. to discuss the current state of cybersecurity, including how organizations can mitigate risks associated with remote work and improve their cybersecurity posture.
Hybrid Work Environments Are the New Normal
FAIR Health is a New York-based nonprofit organization with a mission of providing transparency around healthcare costs. The organization provides online tools that physicians and patients can use to determine how much they can expect to charge or pay for medical treatments. CISO Joe Alequin believes that even as we emerge from the health emergency, companies will continue to adopt hybrid work policies and maintain a geographically distributed workforce, just like at FAIR Health: “I don’t see a world where, after this pandemic, companies return to a rigid workplace with an office where everyone has to be.”
But a hybrid work environment brings security challenges that risk and security professionals must focus on. These challenges aren’t new, but they’re now more prevalent. The greater use of teleconferencing and a distributed workforce (with staff potentially working from other countries) means security professionals will have to develop strong authentication mechanisms so that organizations know who’s coming onto their network and accessing their resources.
Thwarting State-Sponsored Cyber Attacks
Another persistent but growing challenge involves cyber attacks. The war in Ukraine and the rising threat of state-sponsored cyber attacks highlight how organizations must be proactive in their internal processes. Joe believes there are two measures companies can take to get ahead of state-sponsored attacks:
- Focus on the social engineering element, which requires companies to educate staff around phishing and invest in tools that simulate phishing attacks for enhanced training.
- Remediate known vulnerabilities in the environment that hackers could exploit. “If you manage to do these two things, in my opinion, you’re halfway there.”
Powering Greater Efficiencies within the Security Team
Another issue that Joe thinks is top of mind for CISOs and tech professionals is creating efficiencies. Companies are understaffed when it comes to security analysts as a result of a labor shortage, forcing just a few analysts to do the job of many. Also, organizations may be relying on too many manual processes, which are laborious and time-consuming, further contributing to exhaustion.
And then there’s the common issue of alert fatigue: the inundation of events that must be investigated, pulling focus away from higher-value work. It’s going to be the CISO’s job to convince company leaders to invest in their security team by increasing hiring or purchasing tools to automate processes and drive efficiency. Joe says, “As CISOs we’re going to have to really look at that budget and convey to senior management that this is in the company’s best interest.”
The Emergence of Zero Trust Security
Some companies are developing zero trust security architectures to better protect themselves from cyber incidents. Joe thinks it’s a step in the right direction, but since zero trust is relatively new and complex, wide adoption will take time. The good news is that elements of zero trust already exist including minimum required access, network segmentation, and multi-factor authentication.
But true zero trust security requires companies to understand every touchpoint of their digital resources so that an asset can be contained if it were ever compromised, mitigating its impact on other devices. Fortunately, new tools are launching every year that are developed with this specific architecture in mind, enabling greater adoption.
Blaise agrees, saying, “We might not embrace zero trust or password-less authentication immediately, but companies should definitely be tracking toward that direction.”
Telemedicine Is Here to Stay
The pandemic saw an explosion in the use of telemedicine, and Joe is of the opinion that this method of accessing healthcare is poised to stick around. In the past, many people didn’t use telehealth because they simply didn’t understand the technology. But lockdowns forced a change in behavior, with many people relying on telemedicine to connect with their physicians. And now that they’ve tried it once, it’s likely they’ll turn to the technology more regularly in the future.
But institutions adopting new telemedicine assets and remote patient monitoring devices must understand the risks associated with them. The experts at A-LIGN recommend these organizations undergo a risk assessment to better understand the threats faced within their environment. This will reveal whether the devices comply with HIPAA and any other applicable laws, and if they keep patient information properly secured. Due diligence also requires investigating vendors and training staff tasked with using the devices. Regulators will also need to step up and provide additional guidance to covered entities and business associates on how to properly leverage this technology.
Finding the Right Partners
For CISOs, a strong partnership with a third-party assessor is invaluable. Having a second set of eyes come in and review policies, procedures, and controls to evaluate the environment in a non-biased way is beneficial to enhancing an organization’s security posture. Additionally, it allows the organization to demonstrate to clients that it is in compliance with industry regulations and frameworks.
With respect to FAIR Health’s partnership with A-LIGN, Joe praises the third-party assessor for its capabilities in assessments and for understanding how his business operates, which saves a lot of time when getting audits done. He also mentions that leveraging the right audit technology (rather than relying on spreadsheets) goes a long way toward ensuring the exchange of information during assessments is easy, secure, and efficient. A-LIGN meets all those needs, and Joe is looking forward to continuing to work with A-LIGN.
Listen to episode 4 of the Compliance Crosswalk podcast.