By Tod Ferran, CISSP, QSA

It’s easy during a crisis, such as the current COVID-19 pandemic, to drop our critical thinking skills and become overwhelmed by current events.
As a refresher, each of us has critical thinking skills along the lines of analysis, interpretation, inference, explanation, self-regulation, open-mindedness and problem solving. We can apply these skills to current events and their effects including the increased risk and vulnerabilities to our health, our associates and the increased attacks against our data and systems.
It is important to evaluate the work environment changes we’ve been forced to make during this time. With people working remotely to help protect their health, how are we protecting the health and security of our information?
In addition to helping our staff create a secure work environment at home, it is also an excellent time to remind staff and associates to view all incoming information through the lens of analysis:
- Who is the message from?
  - Is it someone I know and trust? Recently there was a significant earthquake near my home. I received a message from someone I know and trust indicating the US Air Force was preparing for a second quake in the next two hours that would be double or triple the intensity. Historically, humans have not been able to predict earthquakes with any real accuracy, so I was very skeptical about the validity of this message. Several hours later the department of natural resources publicly asked people to stop sharing this false rumor. Of course, the stronger quake never came.
- What evidence supports this message?
  - Even when you know and trust the source, additional independent research is often necessary to understand either the real source of this message, or the true source that should be sending out this information. In this case, the USGS is the best authority on earthquakes and would be providing information relative to additional quakes or aftershocks. I had checked their website and there was no information indicating a second quake.
- What does the message want me to do?
  - In this case, the individual was simply trying to be helpful, without realizing that the message could spread a sense of panic.
  - Is the message a call to action? Phishing emails often ask you to open an attachment to see what was just purchased on your eBay account, click to unlock your Apple account, or wire money for the big boss. We want to reinforce good email hygiene with our staff and associates.
Hopefully we all understand that the pandemic is a short-term health and economic crisis. The risks and threats to our data and systems are not temporary and are continually escalating with no end in sight.
Whether we are receiving messages regarding the current pandemic, phishing attacks or changes to our working environment, vigilance and the application of critical thinking can help us keep ourselves and our systems virus free.
Tod Ferran is a Mensan and Managing Consultant for HALOCK Security Labs with 30 years of IT security experience. In addition to many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk mitigation strategies, and HIPAA and PCI compliance assessments for organizations throughout the US and across the globe. Ferran has written over 50 articles about the best methods to become HIPAA compliant. His credentials include membership in Mensa, Qualified Security Assessor, ISO 27001 Lead Auditor and Certified Information Systems Security Professional.