The coronavirus has upended cybersecurity, just as it has transformed so much in today’s world. With so many working from home, the cyber hygiene of employee homes has become a more central concern to those overseeing security inside today’s enterprises. While these experts think about protecting these enterprise networks as more of our work life is conducted via third-party applications (Zoom, Slack), they remain equally vigilant about protecting the critical infrastructure at manufacturing plants, oil and gas pipelines and water facilities.
The bottom line for every organization is that its attack surface has greatly expanded, altering traditional cybersecurity roles. This has created what we now call an “extended enterprise,” which requires additional fortifications. At the same time, digital transformation proceeds apace as enterprises embrace everything from cloud, and the associated benefits of this agile infrastructure such as artificial intelligence and machine learning, to IoT and edge connectivity, to new ecosystems that include partners and, sometimes, entire industries – all of which have implications for security leaders. It’s therefore up to the globe’s chief security officers (CSOs), chief information security officers (CISOs), chief information officers (CIOs) and others concerned with security at the enterprise to pull off the juggling act needed to reshape an organization’s cyber skillset to fit the new reality.
Adjusting to the new beginnings
The silver lining is the speed with which organizations around the globe adapted to this new reality. Necessity is the mother of invention, with the pandemic serving as a kind of super-accelerator. Projects that may have taken six months or more to implement were rolled out in three or four days. The same nimbleness was exhibited by IT departments around the world and humankind generally. Enterprises, working in tandem with partners, created new ecosystems to fill needs. If nothing else, COVID-19 demonstrates that organizations have speed and ingenuity in their DNA.
The challenge now is to build on the momentum of the past months. A certainty of today’s world is that malicious actors are on the prowl for new vulnerabilities. It wasn’t long ago that most employees worked within a closed, physically secure, LAN-controlled system that monitored devices connected to the network. Now we have the boundary-less enterprise and the reality that virtually any device connected to an employee’s personal network, including home appliances, medical equipment and wearable technologies, represents a potential threat. In essence, every individual’s home is now part of an enterprise’s ecosystem. Reinforcing and monitoring a system with so many endpoints requires a special vigilance, and new defense measures are needed for this increasingly distributed environment.
Among the early problems confronting companies was that a very small percentage of the workforce used remote connectivity methods like VPN. That was the observation of my colleague, Dr. Sundeep Oberoi, Global Head of Cybersecurity Services at Tata Consultancy Services. “Companies quickly discovered that only about 10% of their workforce was using a VPN,” Oberoi observes. That presented both a hardware and software problem as customers needed to quickly build their VPN capacity to ensure data was encrypted when sent over the internet.
Preemptive response to new threats
Security controls need to be reconsidered in light of the new beginning and questions of privileged access carefully calibrated. Applications meant to operate on premises need extra layers of protection to guard against outside intrusions. That will frustrate employees, yet overly lenient policies could mean too many people have access to core operating systems and other corporate crown jewels.
Better integration is also required between security and detection technologies. For too long, these have been siloed. The IT system was considered separate from the manufacturing plant, which historically ran in a more controlled environment without being connected to the Internet. The rise of the cloud, and multi-cloud, along with the spread of IoT, brought forth new benefits for these controlled environments – such as the ability to conduct preventive and predictive maintenance on systems before they failed – but this connectivity represents new threats. If nothing else, the pandemic has made it abundantly clear that we need to better correlate and coordinate intelligence and threat management around all surfaces.
Newly adopted collaborative environments present their own challenges. Video conferencing platforms such as Zoom and Microsoft Teams are lifesavers in today’s environment but also require analysis. How do you enable and extend enterprise security protocols such as encryption and identity management? These and other nuances need to be addressed at your enterprise.
Social media represents another vulnerability point. In our view, not enough attention is being paid to the security architecture and controls around these new social platforms. Phishing becomes even harder to repel when such a large percentage of the workforce is working outside the LAN network. AI is producing more sophisticated lures – and yet employees aren’t overhearing one another talk about the dodgy email their neighbor just received.
Closing the skills gap
Resiliency testing is critical in these unusual times. That means the ability to anticipate, withstand and recover from an attack and then improve. This might be the single most important set of discussions a security team can have. In the past, the conversation would have been around an organization’s degree of compliance; now, it needs to be around resiliency and an enterprise’s ability to absorb and repel an attack and improve defenses.
As always, education is a part of the answer. The pandemic has provided companies the opportunity to re-stress good security hygiene. What was a truism before the pandemic – that everyone from a company’s CEO to its interns must practice smart security to protect a company, its customers, and ultimately its reputation – is even more apt today. Organizations need to double and triple down on their messaging when virtually every employee’s home is a potential entry point into their systems. Cybersecurity is everyone’s job and not just that of those who have that term in their work title.
Longer term, companies need to close the skills gap. Cybersecurity roles must adapt to this more dynamic threat landscape. That might mean the creation of new, highly specialized positions within an enterprise such as security personnel who help employees improve their at-home security posture. Other examples would be edge security specialists who look at perimeter threats to an organization and security architects who take a foundational approach to security. Initiating internal upskilling programs that target areas of need to preemptively protect against evolving threats can be helpful.
Priorities in the year ahead
Threat actors will continue to adapt. AI will be employed both to carry out more sophisticated forms of phishing and as a force multiplier that carries out social engineering attacks at scale. Machine learning models are predictable and therefore easier to evade, and companies must guard against the injection of spurious data into a model. In our increasingly ubiquitous mobile economy, social engineering and identity impersonation will be the most common attack methods for payment fraud. Online digital banking and e-commerce platforms in particular must embrace device-based biometrics and SMS-based one-time password (OTP) authentication methods to avoid sophisticated denial-of-service strikes and other attacks. Ransomware continues to be a major threat to a wide array of industries, though healthcare and hospital systems, along with public transportation and logistics companies, are most vulnerable.
Other priorities in the coming year need to include better cloud security and modernization of legacy infrastructure. Industry-specific upgrades are also needed to protect manufacturing, IoT-enabled devices, and the like. For instance, capturing control of sensors can prove disastrous, especially in vital areas (power generation, smart city management, autonomous vehicles) of interest to cyberterrorists and state actors.
For enterprises, the choice is clear. Security professionals can look back on this period as a time they allowed themselves to get distracted and missed a key opportunity to strengthen their systems against intruders. Or, the pandemic can stand as a critical pivot point… the jolt that caused an enterprise to grow more vigilant about its security culture and strengthen its fortifications even as its employees are working from homes and apartments around the globe. It will be the nimble enterprise that is best able to pivot quickly to this new security landscape and the reality of the expanded enterprise.