Situation Room #8: Security leadership under COVID-19

Lili Kovari, byFounders
May 14, 2020

With global lockdowns and travel bans, people and organizations have been forced to adopt a WFH policy in record time. This poses significant security threats, as the many unfortunate stories of the past weeks have shown.

This episode featured Caroline Wong from byFounders’ portfolio company Cobalt, a Pentest as a Service (PtaaS) platform. Caroline is an expert in cybersecurity and an outspoken figure on the security tech scene. In her recent op-ed for Forbes, she shared best practices security leaders can implement now to fend off threat actors during a time when everyone is more susceptible to hackers. She was joined by Ty Sbano, Chief Security and Trust Officer at Sisense, a business analytics platform that provides business insights from complex data. Ty shares which strategies he has implemented and how others can do the same.

Read the below summary or listen to the recording to learn more about this crucial issue.

A situation report

Caroline Wong, Cobalt

  • Reentering reality: thinking about the strategy and considering all proper precautions to take to reenter the office
  • A global company’s advantage: already proficient in working with distributed colleagues over the various tools (Slack, Zoom etc.)
  • Effective communication through technology has been fascinating — it allows all of us to be on the same level when having discussions and exchanging thoughts
  • Rethinking the long term approach on how to engage distributed employees
  • Keeping a pulse on employees’ health, safety and security e.g. weekly IT office hours on how to secure the home network properly
  • Fake news on the rise: dealing with social engineering attacks, as hackers are taking advantage of the large volume of incoming news about COVID-19

Ty Sbano, Sisense

Narratives and topics: how are you embedding the security culture?

  • People first — CPO sent out comms to the team to prepare them for the pandemic. If you look around, most businesses today are data-centric. Rolling out a security program, at the end of the day, is really about human beings, traits and characteristics, how we embody that, and it all boils down to culture.
  • Embrace and empower — embracing a little bit of the weirdness of the now and empowering the team to plan for when things get weird, based on individual needs e.g. letting people hold events and fun activities to express themselves, their homes and their situations
  • Changing our mindset around culture — Sisense declared two critical things during the lockdown:
    1. Professional Zoom accounts may be used for personal purposes (against normal practice)
    2. Wellness days — reflect, refresh and understand our reality (everyone needs it)

Is Zoom recording all our conversations…?

The right time to prioritize security was yesterday

  • Business resiliency and continuity are key — test and learn, make sure things are documented, good hygiene processes are in place
  • Mitigating the threat of business data leaking — we assume that everyone is able to work from home securely, but this is not always the case, e.g. housemates — it is not okay to have them watch or listen in. It might take a few additional conversations with team members to make sure their home work setup complies with security measures
  • Secure departures — If you have to lay people off, take into account security considerations, e.g. user accounts, access to documents, files

Are hackers sleeping or hunting?

  • Phishing is up by 600% — unfortunately no surprise
  • More time, more fun, more hacking — hackers also have more time on their hands so they are busy hacking
  • False sense of urgency — many companies are behaving differently than they normally do, which is a perfect opportunity for hackers to send out malicious links via a fake local COVID-19 news site or a fake WHO donation page
  • Out to get the vulnerable — the healthcare industry has also seen a number of additional attacks. Hackers know that healthcare professionals are currently under huge pressure, which makes them targets for ransomware and the like. In the mind of a hacker, where there is a vulnerability there is an opportunity for ‘business’
  • On the flip side — organizations and leaders that have invested in the human side, such as rolling out meaningful security training to their teams, get to cash in on these efforts, which is a tremendous benefit in the current environment
  • Rely on team members — security officers don’t have eyes everywhere to monitor everything — rely on team members’ instincts and local decision making
  • Be available to help others — as a security leader, communicate to your team that you are a safe person to reach out to and ask for help if they stumble upon an issue or don’t fully understand something. Promote a culture where asking for help is praised and not frowned upon.

Weapons against hackers

  • Bottom line — authentication and software updates. These are fundamental and very accessible to many people
  • Multi-factor authentication goes a long way — make sure you are using a password manager, and have multi-factor authentication turned on whenever possible
  • Security at home — securing the home wifi network:
    • WPA2 with a strong password
    • Closed SSID broadcasting
  • Report an issue: train team members that reporting an incident and asking for help is praised not frowned upon.
  • Have someone who can talk about the topic — if you don’t have a dedicated security team, get someone else to talk to and educate the team about cybersecurity for your organization e.g. an external CISO, a consultant (not as vested in your business capabilities and processes), a board member, an internal engineer
  • In the cloud — becoming cloud-native removes the need to manage all internal software and to spend time patching things up when things go south. Consider subscribing to a cloud-based service that has the intelligence to keep your internal database safe and lets you avoid troubleshooting it yourself.
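The home wifi items above (WPA2, a strong passphrase, SSID broadcast turned off) can be checked rather than just remembered. The script below is an added example, not code from the article or from Cobalt or Sisense: it parses a hostapd-style access-point configuration and flags the weak settings. Both configurations are constructed samples, and the 16-character passphrase threshold is our own assumption (hostapd itself only enforces 8 to 63 characters).

```python
# Added example: audit a hostapd-style home Wi-Fi configuration for the
# hardening points listed above. Not the article's or the companies' code.

MIN_PASSPHRASE_LEN = 16  # assumption: our own threshold, hostapd allows 8..63

# Constructed sample: the kind of default that ships on many home routers.
WEAK_CONFIG = """\
interface=wlan0
ssid=HomeNet
hw_mode=g
channel=6
auth_algs=1
wpa=1
wpa_passphrase=password
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
ignore_broadcast_ssid=0
"""

# Constructed sample: the same network after applying the advice above.
HARDENED_CONFIG = """\
interface=wlan0
ssid=HomeNet
hw_mode=g
channel=6
auth_algs=1
wpa=2
wpa_passphrase=correct-horse-battery-staple-2020!
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ignore_broadcast_ssid=1
"""


def parse_config(text: str) -> dict:
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit_config(text: str) -> list:
    """Return a list of finding codes; an empty list means every check passed."""
    s = parse_config(text)
    findings = []
    # wpa=1 is WPA-only and wpa=3 is mixed mode; both still admit WPA1 clients.
    if s.get("wpa") != "2":
        findings.append("no-wpa2")
    passphrase = s.get("wpa_passphrase", "")
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append("weak-passphrase")
    # TKIP is the legacy WPA1 cipher; WPA2 should negotiate CCMP (AES).
    ciphers = (s.get("rsn_pairwise", "") + " " + s.get("wpa_pairwise", "")).split()
    if "TKIP" in ciphers or "CCMP" not in ciphers:
        findings.append("weak-cipher")
    # ignore_broadcast_ssid=1 or 2 hides the network name from beacons.
    if s.get("ignore_broadcast_ssid") not in ("1", "2"):
        findings.append("ssid-broadcast")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "OK")
```

Running it prints four findings for the weak sample and `OK` for the hardened one. Hiding the SSID only keeps the network off casual scans; the passphrase and cipher checks are the ones that carry the security weight, which is why they sit first in the audit.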

To be on cloud or to be on-prem

  • Depends on the business model — this is where security companies come in, helping to right-size security based on informed decisions
  • Ask yourself the question: what is the environment you want to build your startup in?
  • Do your vendor due diligence — if you do it right, you start to get a sense of what’s going on, and “can we use this product?” becomes a risk-based decision
  • Cost as a constant narrative — rationalize your costs. Whichever you choose, go all in, as otherwise you are losing money and paying double for two services
  • Focus on the organization’s core competency. As the saying goes:

“The safest ship is the one that never leaves the harbor”

The best security leaders don’t go for 100% security, because it means your organization can’t do what it’s supposed to.

  • The cloud has brought security specializations — a third-party provider is going to be more specialized than any given organization running on-prem services
  • Startups have one huge security advantage — their ability to communicate quickly and effectively. Nobody can predict how your next incident is going to occur — if your company is nimble, agile and with local decision making and a ‘learn on-demand’ culture, you can react much quicker which goes a long way in any crisis
  • The ability to easily turn things on/off — a tremendous advantage of using the cloud

Who trains the ‘rest of us’ on cybersecurity?

  • At home, it is ‘my interest’ to make sure my devices are not accessible to others
  • IoT devices at home — pretty much exactly the same as having a potentially malicious stranger in your home listening — something that needs to be addressed
  • Make yourself available and entertain these conversations — it’s okay to have dialogues with others who don’t spend much time in the security realm
  • Act with a surveillance mindset — it alters your communication slightly, which is not necessarily a bad thing for business

How to cope with the pressure of the surveillance mindset

  • Wellness days — looking after employees’ mental health has security benefits
  • Increased stress means more attacks — when people are stressed out they make more mistakes — consider accidental incidents caused by human error alongside malicious attacks
  • Effectively establish your culture — how do you culturally respond to different situations — warm and accepting or imposing more stress than needed? You want to make sure people are guarding their personal lives
  • Employee stipends — emotional assistance program for employees in tough situations
  • Rotations — half days, adjusting schedules, factoring in time for no work
  • Adjusting our balancing acts and rituals — allow your team to invest in and commit to their personal needs right now, which might look different for everyone. Give the team the assurance and peace of mind that it’s okay to be figuring things out in your personal life.
  • Social hours — make an effort to ‘just hang out’ with the team online

Be human, be transparent, be present.

Final Words

We hope you found this episode useful, we sure did. If you have any additional questions or need advice on cybersecurity, feel free to reach out!🔐

For the next episode, we asked our very own Juuso Koskinen, Investor at byFounders, to give us his opinion on the changing funding climate and share tips on how to prepare for funding. He will be joined by Ashley Lundström, Deal Partner at EQT Ventures and Mikkel S. Thøgersen Co-Founder of Omnio IoT, currently in fundraising mode. 💸

Stay in the know and reserve your spot for next week! 👋🏼

As always, we welcome all topic initiatives you would like to learn more about, as well as any panelist suggestions. 💬
