The COVID-19 pandemic has drastically changed how organizations conduct business. Organizations have been forced to implement highly distributed remote workforces and move on-prem solutions to the cloud under pressure, and short on time. As a by-product, many businesses are beginning to realize the cost and efficiency benefits of remote work and the cloud, but are struggling to keep up from an IT security perspective. When COVID is over, many organizations will opt to keep a hybrid workforce structure and their new cloud solutions in place due to the benefits identified during this time. But IT security will need to adapt in order to keep pace with these new practices and solutions in place. Hackers are already picking up on the gaps and lapses.
Below we've curated some of our favorite comments from top cybersecurity experts on their views and recommendations for success in this post-COVID world. This is part 1 of a series.
“The post-COVID-19 era will present unique enterprise security challenges. Organizations will need to recalibrate the balance between risk acceptance and flexibility. This will require them to find and fix all the temporary security weaknesses introduced to enable flexibility and business continuity during crisis.
Some of the specific challenges while doing this would include:
People issue: Reverting to more restrictive work setups will be challenging, as employees have grown accustomed to flexible work from home setups, in which they had a lot of freedom to access environments remotely.
Asset issue: Temporary company assets that may have been issued to employees to enable remote work during this time will be difficult to track back post-COVID-19.
Overall, organizations may need to conduct a complete risk assessments to identify people, processes, and technology gaps introduced during the COVID-19 era, and take concrete steps to address the issues.”
“Companies across the globe unexpectedly had to scramble through remote work projects due to COVID-19, ultimately accelerating digital transformation efforts and forcing the shift to the cloud. With this rush, it’s likely that the usual cyber security and data security efforts were put on the backburner. Post-COVID, companies will need to prioritize data security to prevent breaches and accidental exposures. It will be important for companies to restore visibility and take control of their data to regain what was lost during the cloud projects that were expedited during the pandemic.”
Chris Rothe, co-founder and chief product officer of Threat detection and response specialists Red Canary
“Users are the weak link in every security program. That weakness gets amplified by a situation like the coronavirus. Business leaders should make a point to remind their employees of their security training and call out the fact that attackers will use coronavirus as an opportunity. The good news is that for several years now one of the themes of information security has been how the network perimeter is disappearing as a defense mechanism so many companies are well prepared for it from a security standpoint. There are two high-level security challenges brought about by remote work. The first is that as a security team you lose control of the environment in which the user is working. Have they secured their home wifi? If they're using a personal computer what mechanisms do you have to ensure that device isn't compromised? The second is access to IT resources they need to do their job. In a world of growing SaaS and cloud adoption this can be very seamless but if your systems are all on an internal network the challenge is providing users a secure way to access those systems via a VPN or other networking solution. Essentially, your network perimeter now includes all of your employees homes or the coffee shops they are working at. Some security programs are ready for this, some aren't.
Ultimately, I think it depends on whether companies are able to maintain a semblance of productivity with many of their employees working remote. If they are, and they put in place the necessary security measure to protect the company, its customers and data, then it likely will lead to those companies evaluating more permanent WFH options. If productivity is heavily impacted or security can't be maintained then I wouldn't expect it to have a lasting impact. The security needs required to support a remote workforce largely follow trends already underway in IT and security. Specifically, adoption of cloud technologies, SaaS, and employee mobility. Many security teams have been evolving to deal with the lack of a network perimeter as a primary security barrier for many years now by focusing more attention on endpoint monitoring and identity and access, among other things, in place of traditional security techniques like network monitoring. Those that haven't will have to quickly adapt.”
Colin Bastable, CEO of security awareness and training company Lucy Security
“There will be a lot of scams being run under cover of health and medical issues – hackers never let a good crisis go to waste, and this is a biggie. People working from home get easily distracted, especially if they are normally used to working in the office, and they will mix work with personal email and web browsing. This increases the risks that they can introduce to their employers and colleagues, by clicking on malware links. So now is a great time to warn people to be ultra-cautious, hover over links and take your time.
Over 90% of attacks are delivered by email, and with people “WFH”, we should expect a spike in losses.
Last year, according to the latest FBI report, nearly half of all cybercrime losses resulted from BEC (Business Email Compromise) attacks - $1.77bn. With disrupted management communications and fewer opportunities to check with the CEO and CFO, expect remote workers to fall victim to these attacks too. Again, be cautious, have crystal clear policies, never let the C Suite over-ride the rules and check for personal emails and spoof emails. If an unusual request is made – phone a friend! Call the boss.
The USA is probably the most prepared country, as many people, especially sales and sales support, work from home as they live “in-territory”, remote from head office. The Japanese and Germans, for example, have less experience of working from home, and normally travel to a local branch office for work. These staff are entirely unprepared, and their companies often can’t function effectively without line-of-sight management.
Regardless, most back-office, accounting, legal, sales admin, and marketing teams are generally office-based and are used to operating within the physical and IT security perimeter. So even organizations that are used to having remote staff are not prepared for an extended “work from home” culture, and their staff most definitely are not prepared.
Enterprises need to treat this as a brand new induction exercise for the entire team. Management, team leaders and professionals need to adapt – old hands will find it hard to adapt, and will need coaching of security outside the office. HR needs to categorize people by adaptability, manageability and risk-taking profiles to ensure that all people embrace the new WFH culture. This is a leadership challenge, and many “leaders” will be found wanting, while many of the lead will step up and take charge.
Deploy mobile 2-factor authentication (2FA), run video and email training sessions to make people security-aware. Increase outreach. Talk, communicate. The threat landscape is far more serious than it was even in February. Deploy email monitoring systems, as over 90% of attacks are delivered via email. Teach people. Train them. Reward good behavior (for example deploy phish buttons to report suspected phishing emails and encourage people to use them).
Recovering from an attack is going to be hard – the attacks are going to keep coming, so best treat the remote people as part of a multi-layered defense strategy and avoid or minimize the risk.”