Higher Stakes In OPSEC As COVID-19 Disrupts Everything
By: Shrey Fadia
Originally published on Pandemic Tech News
Wars are rarely won because of individual heroics, but by teams of people working efficiently together. Today, we find ourselves at war with the coronavirus – a global pandemic of epic proportions. Cybersecurity is essential in military operations, and the U.S. Government and other governments around the world are shining a brighter spotlight on the need to protect vital systems and sensitive information, including intellectual property regarding the development of treatments and future vaccines.
Teamwork makes the dream work, but with COVID-19, teamwork is different and less controlled than it can be in physically unified environments, with digitally solid perimeters. When workers are at home, they are safer physically, but not digitally. When it comes to government workers, given nation-state attacks, it is mission-critical to ensure access to systems, networks, datasets, and applications is tightly controlled, and the only way to do that is with advanced software and automation.
We caught up with Michael Fritzlo, Executive Chairman of Ironsphere, a company offering Privileged Access Management solutions, working with companies including Pega Systems, to support large global enterprises, service providers, and organizations.
“The global pandemic strikes at the heart of teamwork, but we cannot allow it to negate the power of working together, especially at this time,” said Michael Fritzlo, Executive Chairman, Ironsphere.
“While government and military agencies are of the utmost importance, the OPSEC principles established by top commanders with the rise of digital systems over the last several decades also apply to financial service institutions, healthcare providers, insurance companies, and more,” Fritzlo said.
Operations Security (OPSEC) is a discipline of military origins that, in the computer age, has become vital for government and private organizations alike, and leading CSOs now include OPSEC as part of their comprehensive risk management and cybersecurity postures. OPSEC is a proven process used by organizations to assess and protect data that could, if properly analyzed and grouped with other data by an adversary, reveal a bigger picture that ought to stay hidden.
“We’ve advanced the art and science of OPSEC since it was first established during the Vietnam War,” Fritzlo said. “The definition continues to evolve and depends on each agency or enterprise’s mission and offering, but given the massive growth of cyberattacks, OPSEC is impossible to do well without software automation and AI. We work with very large and complex organizations, with the top security executives in the world, and are helping them replace manual systems with automated systems, including Privileged Task Automation. They need real-time capabilities, while also needing the ability to capture and review trends and reduce the friction and cost of audits as regulations understandably tighten.”
Since the early days, the OPSEC concept spread from the military to other U.S. government departments and into private industry.
The U.S. Department of Energy, which is in charge of the U.S. nuclear arsenal, has its own definition of OPSEC:
“Operations security involves a process of determining unclassified or controlled critical information that may be an indicator or pathway to that classified information requiring protection, whether for a limited or prolonged time … the purpose of OPSEC is to identify, control, and protect sensitive unclassified information about a mission, operation, or activity and to deny or mitigate an adversary’s ability to compromise that mission, operation, or activity.”
“OPSEC failures at the corporate level may not put national security at risk, but they are still catastrophic for the companies involved,” Fritzlo said. “And given the advancement of public-private partnerships, and the sharing of data using APIs between various systems, we all benefit from working together across government, military, financial, and now especially healthcare industries, given how interconnected they are. Consider, for example, the massive fraud underway with unemployment insurance claims; this requires a partnership between state agencies, federal guidelines, banks, and technology companies to solve. So, in fact, a weak financial or hospital system is a national security threat.”
Fritzlo cited studies showing that more than half of incidents are caused internally, sometimes unintentionally but more often intentionally, by disgruntled employees and third-party contractors.
“Without a Privileged Access Management platform in place, risks skyrocket,” Fritzlo said. “We have been working harder than ever to bring capabilities in, to automate and reduce risk in a cost-effective manner. We also have to stand up solutions quickly – in a week or less – as these risks are so real given the work-from-home mandates and other complications that are defining new ways to work in 2020 and beyond.”
As we emerge from this crisis, we will have the opportunity to analyze what happened and understand how we can improve in the future. But given the “state of emergency” we find ourselves in globally, Fritzlo says, “We can no longer look at OPSEC as something that would be nice to do – we must have full OPSEC measures and technologies in place now, as there is so much at stake, including lives.”
We have all found ourselves in a different world of work given the events that have defined 2020, and few professionals are feeling the pressure more than IT and OT teams.
Just as cyber risks evolve, the evolution of risk appetite frameworks is more active than ever. With more sophisticated adversaries, more digital transformation initiatives, more mobile workers, more ecosystem partnerships, and connectivity to multiple clouds and services, enlightened management teams and their boards are updating their levels of “risk tolerance.”
Two-factor authentication has been around for decades. It requires an additional step beyond entering a username and password, for example entering a one-time security code sent to a mobile device, before a user can access applications, systems and data.