US Supreme Court leak investigation highlights weak and ineffective risk management strategy

The Supreme Court of the United States (SCOTUS) has announced that its investigation to find the insider who leaked a draft opinion of the Dobbs v. Jackson Women’s Health Org. decision to media outlet Politico has come up empty.

In a nutshell, the court’s insider risk management program, designed to protect the information the justices handle on a daily basis, failed—and failed miserably. Frankly, based on the findings of the report, the court’s insider risk management program—if it existed—was anemic at best.

The investigation is detailed in a 23-page report released on January 19. Michael Chertoff of the Chertoff Group, who was asked to review the marshal of the court's investigative results, judged the court's methodology to be thorough.

Basic security protocols were not in place

Chertoff's recommendations speak volumes about the state of information security within SCOTUS. Every CISO will recognize them as basic blocking and tackling (infosec 101), the controls that should already have been in place:

  1. Restrict the distribution of hard copy versions of sensitive documents.
  2. Restrict email distribution for sensitive documents.
  3. Use information rights management (IRM) tools to better control how sensitive documents are used, edited, and shared.
  4. Limit the access to sensitive information on outside mobile devices.

All investigations are limited to the available data. The marshal may well have been most thorough, but what was available seems to indicate an arcane and dated information-handling strategy was in place within the court. The court did not embrace the basic tenets of insider risk management by any stretch of the imagination.

SCOTUS leak investigators used subjective criteria

The report highlights that 97 employees were interviewed, all of whom denied providing the draft to Politico. The report goes on to explain that investigators had apparently divided the employees into cohorts based on an “evaluation of statements and conduct of personnel who displayed attributes associated with insider-threat behavior—violation of confidentiality rules, a disgruntled attitude, claimed stress, anger at the court’s decision, etc.—and weighed behavior and evidence that would tend to mitigate any adverse inferences. Investigators also carefully evaluated whether personnel may have had reason to disclose the court’s draft decision for strategic reasons.”

This is a long-winded way of saying that investigators employed subjective criteria and the content of personnel files (no doubt looking for prior reprimands) and considered whether an individual might hold opinions that did not align with the draft opinion to determine who may have been most likely to violate the trust of the court.

Joyce Vance, former US attorney and co-host of the #SistersInLaw podcast, noted in a series of public Twitter posts that it appeared the investigation focused on people who had “anger at the court’s decision.” She contends that the investigation appeared “very one-sided” and noted that the “court could have explained what they did and didn’t do, why they didn’t use criminal investigators, given cyber issues and their list of possible criminal violations. Transparency wasn’t the goal here.”

In fairness, the report does reference that “the investigative team consists of seasoned attorneys and trained federal investigators with substantial experience conducting criminal, administrative, and cyber investigations,” without further attribution. Interestingly, the report does not indicate if the 97 employees included the nine justices.

Remote working clouded leak investigation

Highlighted by the marshal is an issue that every CISO has had to address throughout the pandemic: a dispersed workforce, working from locations other than their principal place of employment—in other words, working from home. This reduced the IT team’s visibility. In addition, the interviews of employees revealed that several did not handle the document in accordance with existing IT policies and numerous copies were printed, though neither logged nor accounted for by any empirical methodologies as there was “very little logging capability at that time.”

Additionally, the report indicates that some employees violated the “need to know” principles and shared sensitive portions of the draft with their spouses.

The investigation goes on to opine that it is “unlikely that the public disclosure was caused by a hack of the court’s IT system.” The report continues that the investigation did not “uncover any evidence that an employee with elevated IT access privileges accessed or moved the draft opinion.” Furthermore, the investigators “did not find any logs or IT artifacts indicating that the draft opinion had been downloaded onto removable media, but it is impossible to rule out.”

The takeaway for CISOs from SCOTUS leak investigation

The important takeaway for CISOs and their infosec and insider risk management teams lay within the conclusion provided in the Marshal’s report: “Assuming, however, that the opinion was intentionally provided to Politico by a court employee, that individual was evidently able to act without being detected by any of the court’s IT systems. If it was a court employee or someone who had access to an employee’s home, that person was able to act with impunity because of inadequate security with respect to the movement of hard copy documents from the court to home, the absence of mechanisms to track print jobs on court printers and copiers, and other gaps in security or policies.”

It was not until the investigation was initiated that the court recognized there were gaping holes in its ability to discern what was happening within the network and with the sensitive data. The court did not know what it didn't know, and only because it was stung did it learn that it lacked the ability to reconstruct events. The court lost a draft opinion, and that loss was overtaken by events once the decision was officially issued and the ruling published. Companies with intellectual property to protect may not be so fortunate.

The loss of intellectual property, the lifeblood of many a company, may have significant deleterious effects on the sustainability of the entity. How many companies can withstand the loss of their "crown jewels" and then find themselves competing on the global market at a future date against products following their own design? Not many.

Best to invest upfront in the ability to monitor one’s infrastructure so that in the event of need, one may reconstruct events and provide the empirical evidence desired.
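To make the marshal's point about print tracking concrete, here is an added example of the reconstruction a print-job log permits; it is not the court's tooling or anything from the report. It parses constructed sample lines in a CUPS page_log-like layout (the quoted job name and the office subnet 10.0.0.0/24 are assumptions of the example), totals sheets per user for a named sensitive document, and flags jobs printed after hours, from a host outside the office network, or in multiple copies.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a CUPS page_log-like layout (assumption: the job name
# is quoted, which real CUPS configurations do not guarantee):
#   printer user job-id [timestamp] page copies billing host "job-name" media sides
SAMPLE_PAGE_LOG = """\
hp-chambers-1 jdoe 1041 [03/Feb/2022:09:12:44 -0500] 1 1 - 10.0.0.17 "Draft Opinion 19-1392.pdf" Letter two-sided-long-edge
hp-chambers-1 jdoe 1041 [03/Feb/2022:09:12:45 -0500] 2 1 - 10.0.0.17 "Draft Opinion 19-1392.pdf" Letter two-sided-long-edge
hp-chambers-1 asmith 1042 [03/Feb/2022:21:40:03 -0500] 1 3 - 10.0.0.22 "Draft Opinion 19-1392.pdf" Letter one-sided
hp-chambers-1 asmith 1042 [03/Feb/2022:21:40:04 -0500] 2 3 - 10.0.0.22 "Draft Opinion 19-1392.pdf" Letter one-sided
hp-chambers-2 bwong 2077 [04/Feb/2022:11:05:10 -0500] 1 1 - 172.16.40.9 "Draft Opinion 19-1392.pdf" Letter one-sided
hp-chambers-2 bwong 2078 [04/Feb/2022:11:07:55 -0500] 1 1 - 172.16.40.9 "Lunch menu.pdf" Letter one-sided
"""

LINE_RE = re.compile(
    r'^(?P<printer>\S+) (?P<user>\S+) (?P<job>\d+) \[(?P<ts>[^\]]+)\] '
    r'(?P<page>\d+) (?P<copies>\d+) (?P<billing>\S+) (?P<host>\S+) '
    r'"(?P<name>[^"]*)" (?P<media>\S+) (?P<sides>\S+)$'
)


def parse_page_log(text):
    """Turn page_log lines into dicts; one dict per printed page."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count and alert on unparseable lines
        r = m.groupdict()
        r["job"] = int(r["job"])
        r["page"] = int(r["page"])
        r["copies"] = int(r["copies"])
        r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(r)
    return records


def audit_sensitive_prints(records, name_pattern, office_cidr, business_hours=(8, 18)):
    """Reconstruct who printed documents matching name_pattern, how many sheets,
    from where and when; flag after-hours, remote-host and multi-copy jobs."""
    office = ipaddress.ip_network(office_cidr)
    wanted = re.compile(name_pattern, re.IGNORECASE)
    jobs = {}
    for r in records:
        if not wanted.search(r["name"]):
            continue
        j = jobs.setdefault((r["user"], r["job"]), {
            "user": r["user"], "job": r["job"], "printer": r["printer"],
            "host": r["host"], "name": r["name"], "first_seen": r["ts"],
            "pages": 0, "copies": r["copies"]})
        j["pages"] = max(j["pages"], r["page"])          # highest page seen = page count
        j["first_seen"] = min(j["first_seen"], r["ts"])
    sheets_by_user = defaultdict(int)
    flags = []
    for j in jobs.values():
        sheets_by_user[j["user"]] += j["pages"] * j["copies"]
        reasons = []
        hour = j["first_seen"].hour                        # local hour of the log's offset
        if not (business_hours[0] <= hour < business_hours[1]):
            reasons.append("after_hours")
        try:
            remote = ipaddress.ip_address(j["host"]) not in office
        except ValueError:
            remote = True                                  # hostname or junk: treat as remote
        if remote:
            reasons.append("remote_host")
        if j["copies"] > 1:
            reasons.append("multiple_copies")
        for reason in reasons:
            flags.append({"user": j["user"], "job": j["job"], "reason": reason,
                          "when": j["first_seen"].isoformat(), "host": j["host"]})
    return {"jobs": list(jobs.values()),
            "sheets_by_user": dict(sheets_by_user), "flags": flags}


if __name__ == "__main__":
    report = audit_sensitive_prints(parse_page_log(SAMPLE_PAGE_LOG),
                                    r"Draft Opinion", "10.0.0.0/24")
    for user, sheets in report["sheets_by_user"].items():
        print(f"{user}: {sheets} sheet(s)")
    for f in report["flags"]:
        print(f"FLAG {f['reason']}: {f['user']} job {f['job']} at {f['when']} from {f['host']}")
```

The point is not the flags themselves but that every one of them is answerable from a log that costs nothing to keep: who printed the document, how many physical copies exist, and which of them left the building's network. Without the log, the only evidence is 97 interviews.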

US government indicts Iranian nationals for ransomware and other cybercrimes

The US Department of Justice (DOJ) unsealed an indictment charging three Iranian cybercriminals with orchestrating a series of attacks, from October 2020 to the present, that gave them access to the computer networks of multiple US entities. The three, Mansour Ahmadi, a.k.a. Mansur Ahmadi, 34; Ahmad Khatibi Aghda, a.k.a. Ahmad Khatibi, 45; and Amir Hossein Nickaein Ravari, a.k.a. Amir Hossein Nikaeen, a.k.a. Amir Hossein Nickaein, a.k.a. Amir Nikayin, 30, not only attacked hundreds of victims in the United States, but also entities in Israel, the United Kingdom, Russia, and Iran itself.

The five-count indictment, filed on August 10, 2022, and unsealed on September 14, claims that the trio gained access to victims' networks and denied them access unless they paid a ransom. They successfully targeted critical infrastructure entities including healthcare, transportation, and utilities; in addition, they "victimized a broad range of organizations including small businesses, government agencies, non-profit organizations, and educational and religious institutions." The identified goals included:

  • Control of victim’s systems
  • Theft of victim’s data
  • Damage victim’s computers (by encrypting data)
  • Extortion – demanding ransom payments in exchange for decrypting or maintaining the confidentiality of the victim’s stolen data

The indictment goes on to describe how the criminals would create fictitious entities whose names looked or sounded like those of legitimate companies, register the matching domains, and then leverage the similarity to spoof the target and gain access to the network. Once inside, they would use BitLocker, already resident on the victim's systems, to encrypt the victim's data. In at least one instance, the cybercriminals used a novel means of delivering their ransom note: they printed it on the victim's network printer:

“A. You read this text because your network is accessible to us.”

“B. We can block re-hacking. You are constantly at risk.”

“C. If you want to secure your network against any hacking and get your encryption codes, Contact us.”

One of the victims that paid the ransom was a domestic violence shelter. The group contacted the victim via email, demanding further contact by email or through a messaging platform that the trio controlled. The shelter paid $13,000 in ransom and was provided the keys to decrypt its data.
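The lookalike-entity tactic the indictment describes is detectable at the mail gateway, and the following is an added example of that check; it is not from the indictment, the DOJ or CISA. The protected domain list, the confusable-character table, the simplified registrable-domain logic (a stand-in for the Public Suffix List) and the sample inputs are all assumptions of the example. It folds visual confusables, then classifies a sender domain as legitimate, a lookalike of a protected brand, or unrelated.

```python
import unicodedata

# Constructed allowlist of the organization's legitimate registrable domains.
PROTECTED_DOMAINS = {"examplecorp.com", "acme-transit.com"}

# Visual confusables collapsed to one canonical form. The fold is applied to
# both the candidate and the brand, so it only needs to be consistent, not perfect.
_MULTI = {"rn": "m", "vv": "w", "cl": "d"}
_SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                         "7": "t", "8": "b", "|": "l"})

# Small stand-in for the Public Suffix List (assumption of this example).
_TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.jp", "org.uk"}


def normalize_label(label):
    """Lower-case, decode punycode if present, strip accents, fold confusables."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            pass
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(c for c in label if not unicodedata.combining(c))
    for seq, repl in _MULTI.items():
        label = label.replace(seq, repl)
    return label.translate(_SINGLE)


def registrable(domain):
    """Registrable part of a domain: 'mail.examplecorp.com' -> 'examplecorp.com'."""
    labels = domain.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in _TWO_PART_SUFFIXES else 2
    return ".".join(labels[-n:])


def levenshtein(a, b):
    """Edit distance; small enough inputs that the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain, protected=PROTECTED_DOMAINS):
    """Return ("legitimate" | "lookalike" | "unrelated", matched protected domain)."""
    reg = registrable(domain)
    if reg in protected:
        return ("legitimate", reg)
    label = normalize_label(reg.split(".")[0])
    for p in protected:
        brand = normalize_label(p.split(".")[0])
        if label == brand:
            return ("lookalike", p)   # same name under another TLD/suffix (examplecorp.co)
        if len(brand) >= 6 and brand in label:
            return ("lookalike", p)   # brand embedded (examplecorp-support.net)
        if len(brand) >= 6 and levenshtein(label, brand) <= 1:
            return ("lookalike", p)   # one edit away (examplecorps.com)
    return ("unrelated", None)


if __name__ == "__main__":
    for d in ("mail.examplecorp.com", "examp1ecorp.com", "examplecorp-support.net",
              "examplecorps.com", "exámplecorp.com", "acme-transfer.com", "gmail.com"):
        print(f"{d:26} -> {classify_sender_domain(d)}")
```

A "lookalike" verdict should not block on its own; it is the trigger to check whether the domain is newly registered, whether its MX or web presence mirrors the real company, and whether the message asks for credentials or a payment change. The length guard on the brand keeps short names from matching everything.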

FBI Director Christopher Wray in his statement highlighted another attack, which occurred in the summer of 2021 and targeted Boston Children's Hospital:

“Fortunately, before they could successfully launch their attack, we received a tip from a partner that the hospital had been targeted. And working closely with the hospital, we were able to identify and defeat the threat protecting both the network and the sick children who depend on it. I’m very proud of our success in thwarting that attack. This indictment, and the cybersecurity advisory we’re releasing, show what’s possible when federal and international partners work together and place a priority on close collaboration with victims. The cyber threat facing our nation is growing more dangerous and complex every day. Today’s announcement makes clear the threat is both local and global. It’s one we can’t ignore and it’s one we can’t fight on our own, either.”

Additionally, the DOJ's visibility into the trio's activities extended to obtaining emails in which "individual timesheets reflecting the hours worked" were exchanged with an individual not identified in the indictment, indicating that a chain of command for tasks and funding exists.

Assistant Director Bryan Vorndran of the FBI’s Cyber Division noted, “The FBI remains steadfast in our commitment to work with our US government partners for the purpose of imposing cost on our adversaries. This indictment, when coupled with other disruptive operational activities, demonstrates what’s possible when we team up with our domestic and international partners and take a whole-of-government approach. We, along with our partners, remain dedicated to protecting the United States of America and the victims affected by these egregious crimes.”

Cybersecurity and Infrastructure Security Agency issues alert

The US Cybersecurity and Infrastructure Security Agency (CISA) alert, Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations (Alert: AA22-257A), provided the modus operandi of the Iranian actors. Of particular note in the CISA alert is the alphabet soup of law enforcement, intelligence and security agencies from around the world that were involved in the analysis of the Iranian cyber activity and pinning attribution upon the Iranian IRGC. This included collaboration with Australian, UK and Canadian entities.

The Alert continues:

“The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple US critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors.”

US Department of Treasury issues sanctions

While the indictment is clear on who the miscreants are, and of their nationality, the indictment is also circumspect in not connecting the criminal trio with the Iranian government. The US Treasury, however, connected the dots. 

Contemporaneously with the unsealing of the indictment, the Department of Treasury’s Office of Foreign Assets Control, as part of the all-of-government response, levied sanctions on the trio, and noted their connection with Islamic Revolutionary Guard Corps (IRGC) affiliated entities.

Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said, "Ransomware actors and other cybercriminals, regardless of their national origin or base of operations, have targeted businesses and critical infrastructure across the board—directly threatening the physical security and economy of the United States and other nations. We will continue to take coordinated action with our global partners to combat and deter ransomware threats, including those associated with the IRGC."

CISO actions regarding the Iranian threat

CISA notes that this alert updates alerts from 2021, which discussed Iranian government advanced persistent threat (APT) actors exploiting Fortinet and Microsoft Exchange vulnerabilities. CISOs will be well served to take on board the technical analysis provided by CISA and the suggested actions to lower the odds of becoming a victim of Iranian activity. In addition, for those unfamiliar with the Iranian cyber threat, CISA provides Iran Cyber Threat Overview and Advisories, which may serve as a useful primer.

SolarWinds breach lawsuits: 6 takeaways for CISOs

The SolarWinds compromise of 2020 had a global impact and garnered the resources of both public and private sectors in an all-hands-on-deck remediation effort. The event also had a deleterious effect on the SolarWinds stock price. These two events were, predictably, followed by a bevy of civil lawsuits. Fast forward to late March 2022 and we have a federal court saying the suit that named SolarWinds; its vice president of security and CISO, Tim Brown; and two prime investor groups, Silver Lake and Thoma Bravo, may go forward.

As Violet Sullivan, cybersecurity and privacy attorney of client engagement at Redpoint Cybersecurity, observes, the judge finds that the plaintiffs “may have a claim, so the judge is going to hear it.” She explains, “It’s not what is being said in the order that is interesting. It’s what will be shown during the discovery process that is interesting. There will be questions in this suit including: Will the forensic reports be available during the discovery or covered by attorney-client privilege?”

Key question: Did SolarWinds cut corners on security?

The judge’s decision served to highlight what every CISO dreads, the cutting of corners by personnel in the basic implementation of cybersecurity 101. Password management carries a price. SolarWinds is adamant that the infamous password “solarwinds123” that a security researcher found in November 2019 on an “update server” was changed within the hour of being notified and isn’t related to the Russian breach of SolarWinds. However, Sullivan opines, the “password issue on the update server is … just an entry point.”

The judge decided “the allegations of underlying security issues (such as the ‘solarwinds123’ password breach)” need not suggest that these security issues directly caused the loss. Instead, their purpose is to demonstrate that the executives were at least reckless in not realizing that something was dangerously amiss. “An egregious refusal to investigate may give rise to an inference of recklessness.”

Indeed, the one-off violation associated with the “update server” is not unique to any one company. Shortcuts are taken, and policies exist to diminish the likelihood of incidents such as this. That said, former employees, described in the judge’s decision as “a sales engineer, a security specialist, a backup and disaster recovery specialist, a director of global recruiting, an HR contractor, a security account manager, and a marketing associate” all alleged the lack of such cybersecurity policies.

While the civil lawsuit will continue its course, there are several important takeaways for CISOs.

Personnel need to follow policy and procedures

To the company’s credit, they published a “security statement,” which described the seriousness of cybersecurity policies and procedures. Whether this was window dressing or reality is what the suit will determine, as the plaintiffs allege the marketing and public relations statements made by SolarWinds on its website, including video statements from the CISO, projected a mature cybersecurity culture within SolarWinds that did not exist.

CISOs should ensure that business operations are the drivers of the policies and procedures their personnel follow, with the CISO's information security team supporting the business. This requires business operations to ensure alignment between what the company says publicly and what it does internally.

Sullivan notes as the case moves forward, “What other exhibits will be referenced to show negligence on behalf of SolarWinds? What can you imagine as a CISO that might be used against you to show that you are just a compliance ‘check the box’ place, or do you really care about security (reasonableness standard)?”

Maintain a register to track and manage risks

Matt Georgy, CTO of Redacted, Inc., observes, “What makes Solar Winds’ exploitation particularly bothersome is the fact that it’s used to manage/monitor IT systems.” Core to a risk management program is the risk register wherein risks to business operations are tracked and managed, he continues. This includes risks associated with reliance on commercial software applications and open-source software. 

Document cybersecurity training

It is noteworthy that this mixed bag of employees and contractors allege that they “were not aware of an information security policy or a password policy, and they did not receive cybersecurity training.” The need for documentation cannot be overstated. Being able to trot out evidence that not only was training provided, but the employee provided attestation the training was received and assimilated, silences allegations of lack of training quickly.

Assign mission-critical tasks according to risk

“Organizations need to reconsider how they assign mission-critical business tasks by risk ranking activities,” says Matthew Rogers, global CISO at Syntax. “It is not always about the work being done that should be assessed when tasks are being assigned. Instead, businesses today must consider the gravity of the error that could happen if work is performed improperly and be overly cautious when identifying ownership of these types of assignments. It’s worth paying more for experience and quality for simple work that could cost you everything if done wrong.”

“At the end of the day, the buck stops with the CISO,” says Justin Wray, director of innovation security at CoreBTS. “Security is not a one-person show,” and the CISO is supported by a team of experts engaged in the technical activities of cybersecurity.

Have a long-term security plan, but be prepared to pivot

Wray makes an observation, which I posit all CISOs would embrace, “It is vital to note that while a high-level, long-term plan is important to a secure IT roadmap, life happens and no one is completely safe from a breach. The security world is changing every day and in the event of a breach, such as SolarWinds, a CISO needs to know how to pivot. Security control and implementation, meaning leveraging day-to-day resources to monitor tools and updates, is the foundation of a solid security posture. Organizations that remain stagnant because everything looks fine on the outside are not properly setting up their organization for success when a breach ultimately occurs.”

Similarly, given the dynamic nature of every business, policies and procedures must be easily accessible and updated regularly. Updates are driven by changes in business direction, risk identification, and mitigation, all of which are owned by the business operations group, again with the support of the CISO and the infosec team.

Resource cybersecurity according to risk

CISOs are uniquely positioned to provide insight on the threat landscape to business operations and, together with them, create the appropriate risk management plan. I recently mentioned how cybersecurity is often something companies get around to. The SolarWinds cyberattack and the resultant civil lawsuits demonstrate that well-documented investment in cybersecurity must be at the forefront.

The managing director of NetSPI, Nabil Hannan, says, “Internal threats are still a lingering and often under-addressed cybersecurity threat within organizations, especially when compared to the resources applied toward external threats. But, with buy-in from an organization’s leadership team, CISOs can have the resources needed to develop a proactive and ongoing threat detection governance program.”

Those who hesitate may find themselves playing catch-up, spurred along by the new U.S. Securities and Exchange Commission (SEC) initiative that would require public disclosure of an information security breach within four days of determining that the breach is material. Similarly, the SEC's desire to have companies describe how they address cybersecurity will drive greater transparency within many companies. This SEC effort will pull infosec out of the back room and to the forefront, as policies, procedures, resourcing, and expertise will be on full display in the required SEC filings.

Three recent events prove the need for an insider risk playbook

Every company, regardless of size, should have an insider risk management playbook in place to address the insider threat. The human factor is always in play: mistakes will happen that inadvertently place the company at risk. The other side of the human factor is the malevolent individual who opts to break trust, willingly pushing aside NDAs and in-place IT data handling processes and procedures to knowingly abscond with sensitive data.

Three recent incidents underscore the importance of having an insider risk management playbook:

Ubiquiti’s insider risk mitigation plan pays off

Malicious insider Nikolas Sharp of Ubiquiti stole his company’s data and then attempted to maneuver the post-investigation efforts away from his own actions and to extort from his employer $2 million. While the Ubiquiti team did not stop the exfiltration of the data, once an anomalous activity was discovered, they executed on their mitigation plan, and eventually brought in the FBI to address the criminal aspects of their insider incident.

Code42 detects improper downloads early

The prime components of the mitigation playbook, or plan, according to Code42's vice president of portfolio strategy and product marketing, Mark Wojtasiak, are the three T's: transparency, training and technology. In his December 2021 piece, "Your employees are making a run for it, and so is your data," he emphasized the need to "Teach them company data ownership policies, set expectations in terms of ownership and develop guidelines they can follow when in doubt."

Wojtasiak wrote the above from a position of personal experience. Speaking to this writer for an earlier article, he noted how a recent incident within his own team at Code42 served to highlight the importance of having an insider incident playbook. In the Code42 case, the employee had given notice that they were leaving Code42 for another opportunity. The company's standard operating procedure (SOP) called for a review of the employee's last 90 days of activity. The review team discovered the employee had downloaded sensitive internal customer lists to an unmanaged device.

Wojtasiak explained how the playbook allowed Code42 to immediately work the problem. HR, Legal, infosec and the business unit all have a role. He emphasized how the working assumption within Code42 was that the employee’s actions were not a result of malicious intent. The facts directed the investigation, and they would learn that such was not the case and that the employee had in fact intended to take the customer lists to his next employer.

The employee made his devices available to the mitigation team, which allowed the recovery of the pilfered data. Once the internal aspects of the incident concluded, Wojtasiak said, the CEO of Code42 told the CEO of the company hiring the departing employee directly what had transpired and how it had been handled internally.

Pfizer threat monitoring identifies data theft

Pfizer had beefed up its insider threat monitoring capability in October 2021, when it implemented a technology that monitored employee file uploads. On October 29, it discovered that between October 23 and 26 an employee had transferred over 12,000 files "from her Pfizer laptop to an online Google Drive."

The insider risk mitigation team’s efforts are detailed within their court filings. Immediately upon discovery of the October 2021 download of the 12,000 files, the team initiated a “digital review of the employee’s emails, file access and internet activity on her Pfizer-issued laptop.” This investigation showed, “that she had been interviewing with and had received an offer of employment from Xencor.”

With this information in hand, the mitigation effort brought together HR, security, and IT (forensics). The team met and then spoke with the employee, twice on October 29. One of those interviews occurred over a video teleconference where the employee “logged onto her Google Drive account and deleted all of the files saved there.” On November 1, the employee came into Pfizer’s offices and provided her company laptop and provided access to her personal laptop for forensic review.  

The employee was placed on administrative leave and the subsequent investigation showed that the laptop provided was not the laptop which contained the 12,000 documents, and that the company’s data, data which included COVID-19 research was no longer in their control.

Pfizer acknowledges in its court filings that the detection of the theft and the resulting investigation confirmed its findings, and that this employee attempted to dupe the company into thinking its internal documents were not at risk. Pfizer believes its former employee and others continue to possess Pfizer's information.
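The Code42 SOP (a 90-day lookback when an employee gives notice) and Pfizer's detection of a multi-day upload burst are two views of the same detection, so one added example serves both passages. It is not Code42's or Pfizer's tooling; the event schema, the destination categories, the thresholds and the telemetry are constructed for the example. It totals a departing user's file movement to destinations the company does not control, derives a baseline from the earlier part of the window so the departure burst cannot inflate its own baseline, and reports the spike days.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    user: str
    action: str        # "upload" | "copy"
    destination: str   # category label; see UNMANAGED
    file_count: int


# Destinations the organization does not control (constructed categories).
UNMANAGED = {"gdrive_personal", "usb", "unmanaged_laptop"}

# Constructed telemetry: rchen gives notice on NOTICE_DATE; mlee is a control user.
NOTICE_DATE = date(2021, 10, 29)
SAMPLE_EVENTS = [
    FileEvent(datetime(2021, 6, 1, 9), "rchen", "copy", "usb", 900),   # outside window
    FileEvent(datetime(2021, 9, 1, 10), "rchen", "upload", "gdrive_personal", 5),
    FileEvent(datetime(2021, 10, 10, 14), "rchen", "copy", "usb", 30),
    FileEvent(datetime(2021, 10, 23, 22), "rchen", "upload", "gdrive_personal", 4000),
    FileEvent(datetime(2021, 10, 24, 23), "rchen", "upload", "gdrive_personal", 5000),
    FileEvent(datetime(2021, 10, 26, 21), "rchen", "upload", "gdrive_personal", 3100),
    FileEvent(datetime(2021, 10, 27, 11), "rchen", "upload", "corp_sharepoint", 40),
    FileEvent(datetime(2021, 10, 25, 9), "mlee", "upload", "corp_sharepoint", 60),
    FileEvent(datetime(2021, 10, 25, 9), "mlee", "upload", "gdrive_personal", 2),
]


def lookback_review(events, user, notice_date, days=90, recent_days=14,
                    abs_threshold=500, spike_factor=10):
    """Review one user's file movement over the `days` before notice_date.

    Baseline = median of the non-zero daily unmanaged-destination counts in the
    window, excluding the final `recent_days` (so a burst just before notice does
    not become its own baseline). A day is a spike if it reaches abs_threshold
    or spike_factor x baseline. Thresholds are constructed for this example."""
    start = notice_date - timedelta(days=days)
    recent_start = notice_date - timedelta(days=recent_days)
    daily = defaultdict(int)
    by_dest = defaultdict(int)
    for e in events:
        d = e.ts.date()
        if e.user != user or not (start <= d <= notice_date):
            continue
        if e.destination in UNMANAGED:
            daily[d] += e.file_count
            by_dest[e.destination] += e.file_count
    baseline_counts = [c for d, c in daily.items() if d < recent_start and c > 0]
    baseline = median(baseline_counts) if baseline_counts else 0
    spikes = []
    for d, c in sorted(daily.items()):
        reasons = []
        if c >= abs_threshold:
            reasons.append("over_absolute_threshold")
        if baseline and c >= spike_factor * baseline:
            reasons.append("over_spike_factor")
        if reasons:
            spikes.append({"day": d, "files": c, "reasons": reasons})
    return {"user": user, "window": (start, notice_date), "baseline": baseline,
            "total_unmanaged_files": sum(daily.values()),
            "by_destination": dict(by_dest), "spike_days": spikes}


if __name__ == "__main__":
    for u in ("rchen", "mlee"):
        r = lookback_review(SAMPLE_EVENTS, u, NOTICE_DATE)
        print(f"{u}: {r['total_unmanaged_files']} files to unmanaged destinations, "
              f"baseline {r['baseline']}/day, by destination {r['by_destination']}")
        for s in r["spike_days"]:
            print(f"  spike {s['day']}: {s['files']} files ({', '.join(s['reasons'])})")
```

In the Pfizer case the same review ran in reverse: the upload burst fired first and the job-offer evidence was found in the subsequent lookback. Either way, what the playbook hands to HR, legal and the business unit is this report, not a hunch, which is what lets the team start from the non-malicious assumption Wojtasiak describes and let the facts move it.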

Importance of an insider risk playbook

Those who eschew the idea of having a playbook in place will find themselves reinventing the wheel with each insider incident. When it comes to reacting to the discovery that a colleague may have mishandled data, having a process takes the emotion out of the equation.

While the makeup of the mitigation team may vary from company to company, including HR, legal, security, IT, and the business unit is table stakes. Equally important to identifying the members of the mitigation team is ironing out defined roles and expectations for when an incident percolates to the top and requires handling.

What’s in your playbook?  

CISOs, what’s in your work-from-home program?

I wrote previously about the key ingredients of a successful travel program, a topic that had not garnered much attention over the past couple of years as the pandemic took hold. What most entities have experienced since early 2020 is the IT scramble to accommodate the migration of employees from onsite and in their seats to off-site and sitting wherever they could find internet access. Just like that, CISOs found themselves having to formulate work-from-home (WFH) policies, implementations and procedures.

The shift was swift, and while some companies did nothing but allow employees to access their networks via an external internet connection, others took a more programmatic approach. One such entity was XYPRO. Steve Tcherchian, CISO and chief product officer at XYPRO, observes: "We had lost the air cover that the office security infrastructure provides, we had to quickly adapt our WFH procedures and controls to address a situation where everyone was required to work from home at once."

Multi-factor authentication first followed by technical controls

XYPRO prioritized steps putting multi-factor authentication (MFA) at the top of the list to “ensure all services were adequately protected against credential attacks,” Tcherchian continues. “Some of our staff had never worked from home and were ill-equipped to work efficiently.” He further observes how, “oftentimes, work on computers doubled as school computers.”

In sum, the implementation was an infosec nightmare. To rectify the situation, Tcherchian cataloged the changes that XYPRO rolled out to help ensure its remote workforce was as secure as those working within the security afforded by the office.

  • Require MFA on all services
  • Maintain BYOD devices at a certain OS/patch level
  • Install antivirus tools and keep definitions current
  • Properly secure Wi-Fi
  • Prohibit company data from BYOD devices
  • Do not share computers
  • Assign corporate computers or cloud workspaces for employees who had to share computers for their children’s school

This was followed, Tcherchian advises, by implementing technical controls to include mobile device management and the ability to remotely wipe the employee devices, which may include personal, non-company data. He notes that employees “voluntarily enter into our BYOD program.”

While remote work is at its apex, so are credential reuse attacks, says Bojan Simic, CEO/CTO of HYPR. He shared how “according to ESET research there was a 768% increase in RDP [Remote Desktop Protocol] attacks targeting remote workers in 2020. The number of virtual private network (VPN) users also increased by more than 54% in 2020, while MFA adoption remained relatively flat.”

Similarly, Mike Puglia, chief strategy officer at Kaseya, emphasizes the need to mandate the use of MFA and conditional access policies. Those working from home or at a far-flung beach bungalow “make extensive use of cloud apps and one can no longer make assumptions based on physical location or device.”
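As an added example, not XYPRO's, Kaseya's or any vendor's code, here is the XYPRO checklist and Puglia's conditional-access point expressed as an access decision. The policy thresholds, the device records and the resource labels are assumptions of the example. The source network is recorded for audit but never consulted, which is what "no assumptions based on physical location" means in practice; device posture failures deny, while a good device missing only the second factor gets a step-up challenge rather than a deny.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Device:
    managed: bool                     # company-issued or enrolled in MDM
    os_version: tuple                 # e.g. (13, 2); compared as a tuple
    av_definitions_updated: datetime  # last signature update
    shared: bool                      # also used by others, e.g. for school


@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool
    device: Device
    resource: str                     # "company_data" or "public"
    source_ip_in_office: bool         # recorded for audit, never a trust signal


@dataclass
class Decision:
    action: str                       # "allow", "step_up_mfa" or "deny"
    reasons: list = field(default_factory=list)


# Constructed policy mirroring the checklist: MFA everywhere, minimum patch
# level, current AV definitions, no shared machines, no company data on BYOD.
POLICY = {
    "min_os_version": (13, 0),
    "max_av_definition_age": timedelta(days=7),
    "company_data_requires_managed_device": True,
}


def evaluate_access(req, now, policy=POLICY):
    """Decide a request from device posture, factor and resource sensitivity only."""
    reasons = []
    dev = req.device
    if dev.shared:
        reasons.append("shared_device_prohibited")
    if dev.os_version < policy["min_os_version"]:
        reasons.append("os_below_minimum_patch_level")
    if now - dev.av_definitions_updated > policy["max_av_definition_age"]:
        reasons.append("av_definitions_stale")
    if (req.resource == "company_data"
            and policy["company_data_requires_managed_device"]
            and not dev.managed):
        reasons.append("company_data_needs_managed_device")
    # Deliberately absent: any branch on req.source_ip_in_office.
    if reasons:
        return Decision("deny", reasons)
    if not req.mfa_passed:
        # Posture is fine; the only gap is the factor, so challenge rather than deny.
        return Decision("step_up_mfa", ["mfa_required"])
    return Decision("allow")


# Constructed device records for the demonstration.
NOW = datetime(2022, 3, 1, 12, 0)
GOOD_DEVICE = Device(True, (13, 2), NOW - timedelta(days=1), False)
BYOD = Device(False, (13, 1), NOW - timedelta(days=2), False)
SHARED_OLD = Device(False, (12, 4), NOW - timedelta(days=30), True)

if __name__ == "__main__":
    for req in (
        AccessRequest("alice", True, GOOD_DEVICE, "company_data", True),
        AccessRequest("alice", True, GOOD_DEVICE, "company_data", False),  # same device, remote
        AccessRequest("bob", True, BYOD, "company_data", True),
        AccessRequest("bob", False, GOOD_DEVICE, "public", True),
        AccessRequest("carol", True, SHARED_OLD, "company_data", True),
    ):
        d = evaluate_access(req, NOW)
        print(f"{req.user:6} office={str(req.source_ip_in_office):5} -> {d.action} {d.reasons}")
```

The two alice requests produce identical decisions; the only thing that changed between them is the network, and the policy does not look at it. That is the property to test for in a real conditional-access configuration: swap the source location and confirm nothing changes.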

A few entities were impacted less than others, as was the case with Abnormal Security, which according to its CISO, Mike Britton is “a ‘remote-first’ company, which means we treat all employees as work from home. Our policies and procedures are designed with that operating model in mind. We reinforce that security is a critical aspect of how we operate, and the expectations of good security habits and requirements apply whether working from your home, a local coffee shop, or the office.”

Onboarding employees for remote work

Britton explains that Abnormal has a well-defined automated process that onboards the employee, who is provided a "company-issued laptop that is configured according to our security baselines and centrally managed."

The devices, Britton explains, “leverage an enterprise SSO [single sign-on] solution that requires multi-factor authentication to access any company resources. All devices have endpoint detection and response (EDR) software and web filtering at the endpoint level to prevent access to malicious websites.” Additionally, via a third-party solution, he emphasizes “these devices are monitored for compliance and to prevent employees from making changes.”

David Matalon, CEO of Venn, notes a Harris Poll showing that 71% of Americans admit to working around their company's security protocols when a protocol asks them to work in an unnatural or cumbersome manner. His team "enjoys the notion of 'freedom without compromise.'" Venn employees are permitted to use any device, anywhere. This is possible using a platform that "ensures all work-related data is secure and eliminates the possibility of enabling unrestricted access to such data with cutting edge DLP [data loss prevention]."

Need for a BYOD policy

Venn embraces BYOD without exception, and it, too, has in place a methodology to "enable administrators to pull back or wipe all work-related data as required," Matalon says. "Unlike traditional remote management monitoring, which wipes an entire device's data, the secret sauce for Venn is being able to execute that same level of protection while ensuring that employee privacy is protected, too. LocalZone focuses exclusively on separating work-related data from what is personal. If a wipe is required, an administrator can protect all work-related data while not interfering with the employee's personal and private data."

Puglia of Kaseya reflects how “most companies do not have a comprehensive BYOD strategy. They have a policy that enables employees to get email and maybe a few apps on their phones as a matter of convenience when the employee is not on their primary device. Organizations need to re-think their BYOD strategy to embrace access and more importantly, security, no matter what location or device users are on.”

All the policies and procedures already in place need to extend to every user and device no matter where they are as the physical boundaries of the office no longer apply. This may explain why Tcherchian led with the requirement of having MFA in place as the first bullet point in XYPRO’s migration to all employees working remotely, all at once.

Work from home requires a comprehensive architectural plan and decisions to be made, some of which will increase the operational expenses within the CISO's span of control while also increasing the security of the company. The aforementioned examples from industry highlight the diverse opinions on how to tackle the WFH conundrum; be it BYOD or company-issued devices, both require processes and procedures to implement securely.