The Olympics is coming, are you ready ?
Now, I'm not talking about your 100m personal best or whether you are a medal contender. Unfortunately I'm talking about heightened risk of cyber security incidents. During the Beijing Olympics there were 12 million cyber security incidents. We should use that as the bench mark for our risk management for the London 2012 games.
The London Olympics has the potential to be an incredible event attracting people from all over the world to the UK. With this unfortunately comes a heightened level of risk. The UK.gov is already planning to fly combat planes in London airspace and is clearly concerned about the risk of a terrorist attack, as well as cyber attack. UK.gov is working on the assumption that the threat level will be severe but with a focus on the games taking place come what may.
With a potentially reduced work force it will even more important to ensure that information security controls don't slip. Olympic phishing attacks are likely to be prevalent, no doubt offering access to events or tickets - these could be laced with malware or end up compromising sensitive information from your staff or customers.
Sensible steps to take -
Ensure that you have cover for staff responsible for authorising changes to IT infrastructure and be prepared to limit the number of IT changes during the games period.
Compliance controls - if you have recurring compliance controls that are likely to fall within the games period ensure someone is specifically tasked with staying on top of them and has a deputy. External and internal vulnerability scans, patching and AV should all be kept up to date particularly if you are subject to PCI DSS. Resist the temptation to open up your outbound internet access so that staff can access streaming sites from their PCs. This can make matters worse if you get hit by some rogue malware. A couple of TVs in the office may be a better solution - see below.
Plan for multiple types of incident, and ensure you have contingency for the assets that may be affected (Staff, internet, telecoms, IT etc) Ensure that all staff know how to respond and are empowered to do so - consider adding social media engagement to your incident response plan, this can be a good way to get the message out on mass quickly from and too multiple types of devices. Neira Jones of Barclaycard has a good blog post on that subject here.
For those taking card payments who are serving the tourist community attending the games, there is probably going to be increased risk of payment fraud. Cards from various parts of the world that may normally be declined are likely to be in use by tourists and fraudsters. Make sure your staff are kept up to date and take additional steps if necessary to verify the card holder identity. Have a quick chat with your acquiring bank to see if there is any advice they can offer and to understand what your responsibilities are.
Engage employees and customers! Whilst this might seem slightly off topic for an infosec post I'd suggest finding a way to get your staff engaged in the Olympic celebrations whilst at work. It is highly likely that a number of people will have taken annual leave and unauthorised absence may be higher than usual. A couple of live TV feeds and positive acceptance that the games is going on might be enough to stop the odd straggler from an unauthorised absence when there is a big event. Travel in London is likely to be slower and busier than normal, expect more remote working requests or delays in people getting to the office.
As a real example, I was in Portugal during the 2010 World cup working at a client site when Portugal beat North Korea 7-0. Anyone who wanted to watch the game was given a free pass to do so by the operations manager, who had arranged a TV to be set up in the board room and a stack of pizza for everyone. She had a full office every day I was there. Contractors were invited as were clients and everyone enjoyed the atmosphere.
For those of you looking to be a little more pro-active, now is the time to be reviewing information security policies and procedures, updating risk assessments and incident response plans and ensuring you have up to date contacts with suppliers, third parties and any contractors. They should be thinking about this too.
Still 64 days to go ......