The COVID-19 driven shift to remote working coupled with accelerated digital transformation poses significant challenges to enterprise cybersecurity operations, widening the threat landscape and exposing enterprise networks, devices and data to increasing cybersecurity risk. Unmanaged devices, shadow IT and rapidly deployed remote access networks have all introduced emerging vulnerabilities that are being exploited by cybercriminals, making securing the enterprise even more difficult for CSOs and their teams.
The rapid transition to remote work and expanding digital footprint of enterprises caught many organizations flat-footed when it came to securely supporting a remote workforce. Research conducted by EY and The International Association of Privacy Professionals (IAPP) found that of the surveyed organizations that rolled out new technology to support remote working, 60 percent either bypassed or accelerated security review. Increasingly sophisticated cybercriminals are taking notice and are routinely exploiting cybersecurity weaknesses, taking advantage of vulnerabilities by deploying ransomware, malware and other attacks. Cloud security company Zscaler reported that from January to late April they saw an increase of 30,000 percent in phishing, malicious websites, and malware targeting remote users—all related to COVID-19.
Concern about these escalating attacks is growing among IT and security professionals globally. A recent survey conducted by Tripwire found that 94 percent of these professionals are more concerned about security now than before COVID-19. The report noted that “for most organizations, this pandemic has acted as a major stress test on cybersecurity controls and policies. The resulting surge in remote work complexifies the attack surface and brings up many new questions for security teams.”
Enterprises are working to address these increasing cyber security complexities and maintain business continuity by applying the lessons learned during the pandemic to strengthen their cyber resiliency, embedding data security, privacy and compliance into their IT infrastructure. As part of this cyber resiliency imperative, post-COVID-19 will see more and more enterprises securing remote working, prioritizing employee cybersecurity training, moving to zero trust and joining together to collaborate on cybersecurity issues.
Securing remote working
Many enterprises struggled to scale security in response to the rapid coronavirus-driven shift to remote working. With communication and collaboration becoming incredibly important almost overnight, security threats also skyrocketed. A respondent to an (ISC)2 survey captured the implications of this noting that COVID-19 hit organizations “with all the necessary ingredients to fuel cybercrime: 100 percent work from home before most organizations were really ready…[and] remote workforce technology supported by vendors driven by ‘new feature time to market’ and NOT security…”
And it looks like remote working, which was trending up before the pandemic, is here to stay. According to ESG research, “79 percent of IT executives say that their organization will be more flexible about WFH policies after the pandemic subsides.” With this increase in remote working comes an increase in exposure to cyberthreats. A survey conducted by Barracuda Networks found that almost “almost half (46 percent) of global businesses have encountered at least one cybersecurity scare since shifting to a remote working model during the COVID-19 lockdown.
Enterprises know they have to do better and acknowledge the need for strategic changes to their security initiatives. A Bitdefender report on the “Indelible Impact of COVID-19 on Cybersecurity” found that a majority (81 percent) of information security professionals believe that COVID-19 will change the way their businesses operate in the long-term.
Post-COVID-19 organizations will reexamine their technology stacks to integrate solutions that more securely support a remote workforce. This includes scrutiny of digital collaboration tools that have become a mainstay of remote working.
Widespread employee usage of unsecure messaging and conferencing apps left many organizations open to significant security and compliance risks. A Messaging At Work Report found that usage of non-regulated consumer messaging apps is common in the workplace with 50 percent of respondents indicating they use these apps for mobile work communications. The report also found that employees are using these consumer-grade messaging apps to share a range of potentially sensitive business information with 29 percent of respondents indicating they share documents and 25 percent saying they share contacts including personal details like phone numbers.
Post-COVID-19 enterprises will step up governance to ensure employees have access to enterprise-grade collaboration tools that enhance employee communication, collaboration and productivity without sacrificing security.
Cybersecurity training and education
The increase in remote working triggered by COVID-19 highlighted an urgent need for employee education and training on security practices. The Bitdefender report found that 34 percent of information security professionals polled say they fear that employees are feeling more relaxed about security issues because of their surroundings, while 33 percent of respondents indicated that they are worried about employees not sticking to protocol, especially in terms of identifying and flagging suspicious activity.
Post-COVID-19, organizations will step up efforts to educate employees on best practices for security hygiene. Enterprises will need to communicate regularly with employees about remote working data security and privacy issues. This involves developing ongoing training programs to ensure employees are educated on how to identify phishing attempts, the danger of clicking on unknown links, how to use a virtual private network (VPN) and the importance of using only corporate sanctioned, end-to-end encrypted collaboration tools for messaging and video conferencing.
As part of this education and training effort, organizations will need to keep employees updated on threats to enterprise networks including phishing campaigns, malware and ransomware and remind them to report suspicious emails and files.
Moving to a Zero Trust operational model
Post-COVID-19 should see wider adoption of zero trust identity and access management procedures. A 2020 Zero Trust Progress Report by Pulse Secure which surveyed more than 400 cybersecurity decision-makers, found that 72 percent of organizations plan to assess or implement Zero Trust capabilities in some capacity in 2020 to mitigate growing cyber risk.
The foundation of this security model, developed by Forrester Research in 2010, is the concept of trusting no one not even an organization’s end users. The continuous verification and authorization approach of zero trust helps minimize risk. This approach provides more secure access, enhancing data protection, usability and governance. As part of zero trust, enterprises will increasingly implement security protocols such as multi-factor authentication and biometric technologies such as facial recognition to reduce the risk of attacks.
As the COVID-19 crisis continues to unfold, public and private sector organizations are collaborating to address key security issues and challenges. Post-COVID-19 this ecosystem-wide collaboration will continue to help blunt attacks.
One of the five principles KPMG develop with the World Economic Forum’s Center for Cybersecurity to help cybersecurity leaders reinforce the cyber resilience and cybersecurity of their organizations post-COVID-19 included the principle of strengthening ecosystem-wide collaboration. KPMG noted “there’s strength in numbers, and the silver lining of the pandemic has demonstrated the need for cooperation. Governments are collaborating to address international cyber threats; major enterprises are pooling threat intelligence; and regulators are seeing the value of transparency and collective action in ecosystem resilience planning. Businesses should think about how to reach out to their industry networks and establish collaborative awareness and intelligence sharing sessions, work together to disrupt criminal activity, and take a systemic approach to risk management as part of the broader community.”
The increased security issues and challenges driven by the coronavirus crisis have made cyber resiliency a key business imperative. In a post-pandemic reality, initiatives such as securing remote working, prioritizing employee cybersecurity education, moving to zero trust and increasing industry collaboration on cybersecurity issues will be the way forward to help enterprises achieve cyber resiliency.
Georges De Moura, Head of Industry Solutions, Centre for Cybersecurity, World Economic Forum said: “In the urgent management of near-term challenges, responsible business leaders must incorporate cyber resilience in the business operating model and invest in capabilities to anticipate, withstand, recover from and adapt to adverse conditions and cyberattacks, to position the business for its success beyond the pandemic conditions.”