Saturday, April 25, 2020

Risk management and Covid19

April is coming to an end; since the beginning of the year, Covid19 has rampaged across the world for approximately 4 months. The virus was first discovered in Wuhan, China, in December 2019, and months later there is still no confirmation of its source or where it could have started, i.e. we have not clearly identified patient zero. Some argued that it was a Chinese disease, some claimed that it was a lab-release mistake. We tend to believe none of these are true; understanding how nature has always behaved, this is an evolution. If humans can innovate, what is stopping other forms of life from evolving? How much have we truly understood the microorganism? These questions are probably best answered by scientists.

Before Covid19, the threat landscape was focused on digitalisation, cybercrime, cloud security and the Internet of Things (IoT). On the health front, WHO released the following list of 10 threats in Jan 2019:

1. Air pollution and climate change
2. Noncommunicable diseases
3. Threat of a global influenza pandemic
4. Fragile and vulnerable settings, such as regions affected by drought and conflict
5. Antimicrobial resistance
6. Ebola and high-threat pathogens
7. Weak primary care
8. Vaccine hesitancy
9. Dengue
10. HIV

On 15 Jan 2020, WHO released the following list of 10 threats:

1. Climate crisis
2. Health care delivery in areas of conflict and crisis
3. Health care equity
4. Access to treatments
5. Infectious disease prevention
6. Epidemic preparedness
7. Unsafe products
8. Underinvestment in health workers
9. Adolescent safety
10. Improving public trust of health care workers

Infectious disease prevention, epidemic preparedness, access to treatments and underinvestment in health workers were rated less threatening than the climate crisis, which stayed at No.1 in both the 2019 and 2020 assessments. However, after Covid19, I suppose the threat landscape on technology will probably be heightened, while the No.1 threat on the WHO list could now be "Global influenza pandemic", followed by vaccine hesitancy, weak primary care, and fragile and vulnerable settings, instead of the climate crisis or air pollution. That being said, risk management is about relativity.

The virus is more threatening because it has shown its impact on the global economy and has expedited the oil crisis because of #stayhome, #lockdown, #cruiseships, #airline, #financialindustry. Along with it, cybercrime could become rampant due to the public-stability and social impacts of #stayhome and #lockdown and the lack of entertainment or security resources. On the flip side, digitalisation could speed up because of the sudden surge in demand for remote offices, remote socialisation, virtual teams, virtual coffee places, and the list goes on. Some of the more obvious changes are video conferencing technologies like Zoom, Skype and Microsoft Teams, which are already widely used by educators, students, public speakers and corporate enterprises. What are the associated risks of these technologies?

1. Data loss incidents could escalate
2. Cybercrime targeting intellectual property (information shared via these technologies)

Hence, I feel that information risk practitioners need to reassess their controls, from administrative controls such as information classification, information security during BCP, system availability and recovery, and software management controls, to technical controls such as antivirus preventive controls, firewall rules and packet inspection.


Wednesday, April 22, 2020

Stay home - work from home - better security? - Part one Data Loss

Many of us like the idea of working from home because it means getting up later and doing your work at your own pace, away from the gossip and distractions you once faced at work. But think again: is working from home really good?

Risk of data loss
For centuries, organizations regardless of nation have learned that intelligence is crucial in a competitive environment. As the digital space gets heavier with content, more data is available for harvesting to gain insights. In the past 20-odd years, countries started enacting data protection regulations; some worked on cross-border data exchange, some decided to tag data with a nationality. There are simply many ways to prevent data from being abused. However, none considered data usage during a pandemic situation like COVID19.

Working from home means either you brought your corporate laptop home or you start to work off your personal computer.

Working from home using your personal computer

In the enterprise environment, the network is usually monitored and secured with multiple devices. IPS, IDS, firewalls and network access control appliances are just a few of the devices that ensure your network is secured. Working from home, however, means you have an internet router/modem that connects you to a wireless or wired network. That is a real concern, because the device that connects you to the internet could be too obsolete to protect you from the latest security threat or a remote access attack. Your wireless network could be set up with a weak security control such as WEP or MAC filtering. Your router might also be running old firmware with a bunch of remote access vulnerabilities waiting to be exploited. Next, the antivirus software on your personal computer could be obsolete too, and the operating system might still be Windows XP. The list of dangers goes on.

Hence, there should be an easy checklist to assess whether it is feasible, from a security standpoint, to allow someone to work from home, especially when a data-entry operator has access to all customers' information.
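As an added example (not part of the original post), the checklist above turned into a small Python assessment: it takes a self-reported home setup, checks the points the post raises (unsupported operating system, weak Wi-Fi security such as WEP or MAC filtering only, stale router firmware, stale antivirus definitions) and returns a decision on whether access to customer data should be allowed. The HomeSetup fields, the age thresholds and the list of unsupported operating systems are assumptions chosen for illustration, not an organisational standard.

```python
"""Work-from-home readiness check (added example, not the post's own code).

Scores a self-reported home setup against the checklist points in the post and
returns "allow", "allow-with-remediation" or "deny" for access to customer data.
Thresholds and reference lists below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List

# Wi-Fi protection ranked weakest to strongest (assumed ranking). WEP and
# MAC filtering alone are treated as equivalent to an open network.
WIFI_RANK = {"open": 0, "wep": 0, "mac-filter-only": 0, "wpa": 1, "wpa2": 2, "wpa3": 3}
MIN_WIFI_RANK = 2          # WPA2 or better is required (assumption)
MAX_FIRMWARE_AGE_DAYS = 365  # router firmware older than a year is flagged (assumption)
MAX_AV_AGE_DAYS = 30         # antivirus definitions older than a month are flagged (assumption)

# Desktop OS versions whose vendor security updates have ended (constructed, partial list).
UNSUPPORTED_OS = {"windows xp", "windows vista", "windows 7"}


@dataclass
class HomeSetup:
    os_name: str                 # e.g. "Windows 10"
    wifi_mode: str               # e.g. "wpa2"
    router_firmware_date: date   # release date of the firmware currently installed
    av_definitions_date: date    # date of the last antivirus definition update
    handles_customer_data: bool  # does this person's role touch customer records?


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    message: str


def assess(setup: HomeSetup, today: date) -> List[Finding]:
    """Return every checklist item the setup fails, with a severity."""
    findings: List[Finding] = []
    if setup.os_name.lower() in UNSUPPORTED_OS:
        findings.append(Finding("high", f"{setup.os_name} no longer receives security updates"))
    if WIFI_RANK.get(setup.wifi_mode.lower(), 0) < MIN_WIFI_RANK:
        findings.append(Finding("high", f"Wi-Fi protection '{setup.wifi_mode}' is weaker than WPA2"))
    firmware_age = (today - setup.router_firmware_date).days
    if firmware_age > MAX_FIRMWARE_AGE_DAYS:
        findings.append(Finding("medium", f"router firmware is {firmware_age} days old"))
    av_age = (today - setup.av_definitions_date).days
    if av_age > MAX_AV_AGE_DAYS:
        findings.append(Finding("high", f"antivirus definitions are {av_age} days old"))
    return findings


def decision(setup: HomeSetup, today: date) -> str:
    """Deny access to customer data on any high-severity finding; otherwise
    allow, asking for remediation if medium-severity findings remain."""
    findings = assess(setup, today)
    if any(f.severity == "high" for f in findings) and setup.handles_customer_data:
        return "deny"
    if findings:
        return "allow-with-remediation"
    return "allow"


if __name__ == "__main__":
    # Constructed sample setups, evaluated as of the post's date.
    today = date(2020, 4, 22)
    weak = HomeSetup("Windows XP", "WEP", date(2016, 1, 1), date(2019, 12, 1), True)
    good = HomeSetup("Windows 10", "WPA2", date(2020, 3, 1), date(2020, 4, 20), True)
    for label, setup in (("weak", weak), ("good", good)):
        print(label, "->", decision(setup, today))
        for f in assess(setup, today):
            print("   ", f.severity, f.message)
```

Running the block prints "deny" for the constructed Windows XP/WEP setup with four findings, and "allow" for the patched Windows 10/WPA2 setup. The decision is deliberately tied to handles_customer_data so that the same weak setup blocks a data-entry operator but only asks for remediation from a role without customer-record access.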