Council Post: Important Cybersecurity Lessons Learned During The Pandemic

By David Obasiolu, founder at Chow420, building the future of the CBD market with automated online Compliance.

For my company and me, the most valuable cybersecurity lesson learned during the pandemic is that security starts internally. This lesson highlights the importance of founders and CEOs enforcing simple cybersecurity measures at the most basic levels of their organizations. Most people usually think of cybersecurity only as complex and external measures that help secure an organization from external attacks. However, the security of an organization starts with its employees (user domain of the IT infrastructure). The user domain encompasses all the actions and access that users/employees need to control most of the IT infrastructure.

There have been a series of major attacks in recent news, such as the Twitter attack that took control of the accounts of major public figures and corporations, including Joe Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos and Apple. The compromised accounts, which have tens of millions of followers, sent a series of tweets proposing a classic cryptocurrency scam: Followers were told that if they transferred cryptocurrency to a specific bitcoin wallet, they would receive double the money in return. The attack was effective because the hackers targeted employee accounts (user domain) with spear-phishing attacks, and employees fell for them.

With these sorts of cyberattacks in mind, this article is meant to remind founders about the importance of keeping a trained and secure user domain, because it’s just as important as other forms of security. 

I have a master’s degree in cybersecurity, so I’m very interested in this issue. Fortunately, my company has been safe from cyberattacks during the pandemic. Given the importance of the user domain in an IT infrastructure, at my company, we’ve maintained a reliable access control system internally during the pandemic that emphasizes training, segregation of duties and the principle of least privilege for all internal users and employees.

Training is vital to ensure security in the user domain. Training provides awareness to employees about attacks that may slip through the cracks in an organization, such as social engineering and phishing attacks. A successful social engineering or phishing attack will enable an intruder to bypass detective and preventive cybersecurity tools and software, which may cause a significant breach in an organization.

Segregation of duties (also known as separation of duties) is an essential principle in cybersecurity that ensures that employees do not have access to systems that will lead to conflicts of interest, fraud or abuse. For instance, an employee in charge of managing invoices from third parties should not have the access to approve or issue payments to third parties.

Segregation of duties enforces the principle of least privilege, which, in simple terms, ensures that individuals have only the access they need to perform their job without resulting in fraud or abuse.

A secure user domain has helped strengthen the detective and preventive security measures that we also have in place at our organization. The lesson also connects to proactive cybersecurity measures such as patch management. An effective patch management program has helped us stay updated with software patches and other important updates from all third-party software that we use daily. Proactive measures of cybersecurity, such as patch management, are usually downplayed at big and small corporations. However, the lack of proactive patch management in corporations has caused major breaches, such as the Equifax breach in 2017 that affected over a hundred million Americans. This year, Zoom bombings also highlighted the importance of patch management for software applications and why companies should have healthy patch management programs. Internally, at my company, we keep a close eye on patches and updates for all third-party software we are using during the pandemic. Unpatched third-party software will always pose significant threats to an organization and should be taken very seriously to maintain a healthy IT environment.

At my company, we use the same internal security measures, rules and laws to maintain a high degree of compliance for the CBD industry through our online marketplace. With the use of cybersecurity’s principle of least privilege, we combine users’ ages, addresses and state laws to control what they can buy through our automated compliance algorithm.
