COVID-19 has already forced major changes to the way we live our lives. Many of these may outlast the pandemic, especially those related to the modern workforce. New working patterns may in the long-run have significant benefits to organisations and their employees, but there are also challenges; reduced IT visibility and control creates serious security gaps. As we get used to the new reality of mass remote working, IT leaders need to formulate a long-term plan to enhance cyber-resilience, by minimising these gaps and optimising controls.
Security side-lined
A return to business-as-usual once the pandemic recedes is unlikely. Indeed, a quarter (26 percent) of Fortune 500 CEOs believe the majority of their staff will end up working from home indefinitely. This might even be a conservative estimate if potential productivity and cost benefits materialise. If the prediction is true, the coming months could see another wave of digital transformation akin to the initial flurry of activity back in March. The early days of the pandemic included roll-outs of cloud-based communications software like Zoom and Teams, and productivity platforms including Office 365 to enable employees to log-in, collaborate and work from anywhere in the world.
Some organisations also had to increase investments in cloud infrastructure to support new business models and operations. Microsoft estimated it saw two years’ worth of digital transformation in just two months, and a recent Fortune 500 poll found 75 percent of companies have seen work-from-home initiatives accelerate digital plans. Unfortunately, amidst these efforts, security has often fallen to bottom of the priority list. According to one study of global IT leaders, while 90 percent reported an increase in cyber-attacks, 93 percent also side-lined key security projects like regular patching.
Stretched to the limit
Cyber-threats are on the rise as attackers spot new gaps to exploit in distributed workforces. Personal devices at home may not be as well secured as corporate equivalents and may be shared with users that engage in risky behaviour. Even if the IT function can locate and manage such endpoints, VPNs are increasingly overwhelmed with the load, delaying patches. Home workers may also be their own worst enemy. Trend Micro found more than half (56 percent) have used a non-work application on a corporate device, and 66 percent of them have uploaded corporate data to that app. Many more (80 percent) use their work laptops for personal browsing. On the other side, 39 percent said they often or always access corporate data from a personal device.
At the same time, IT security teams are stretched to the limit. A recent poll of its members by industry body ISACA found less than two thirds (59 percent) feel their cybersecurity team has the right tools at home to perform their job effectively. Just 51 percent are confident teams can detect and respond to rising threat volumes. In short, organisations are more exposed than ever to the risk of ransomware, data breaches, bot attacks, and more. Trend Micro alone blocked nearly 28 billion cyber-threats in the first half of 2020 including almost nine million COVID-themed attacks — most of which were destined for remote workers’ inboxes. Cyber-criminals are even cold-calling victims with new vishing and voicemail phishing tactics.
Time for action
The global average cost of a data breach is now almost $3.9m. Remediation and clean-up, lost productivity, legal fees, regulatory fines and reputational damage can all seriously undermine growth and customer confidence at a time of tremendous business uncertainty. So, how can organisations regain the initiative?
The most essential task is to update remote working policies. The first six months of the year were characterised by a struggle to adapt to the new reality. Now it’s time to prioritise security and eliminate IT blind spots, using technology controls to support upgraded policies. The IT security function must have full visibility into all remote working endpoints, and the ability to manage patching, ensure approved AV is installed and up-to-date, and that corporate log-ins are manged securely, or even better, enhanced with multi-factor authentication.
Security must also work at the network layer, email/web gateway, and all on-premises and hybrid cloud servers. Businesses must look for providers that can offer a range of controls to stop the many threats in the modern hacker’s toolkit. IPS and file integrity monitoring are useful tools to spot suspicious behaviour early on, while virtual patching adds a layer of defence for vulnerable systems until an official security update is available.
The final piece of the puzzle is, of course, the people in the organisation. Security leaders will need to revisit and update user training and awareness programmes and communication channels to take account of the new reality of home working. Courses should be flexible enough to adapt as threats evolve. There’s no such thing as a silver bullet in security. But with budgets under scrutiny and staff in short supply, IT leaders may find that the best option is to seek a trusted partner to help them navigate their way through the current landscape. This can not only help with technical implementation of security but also on the people side of things, to assist in adapting and adopting new behaviours required to protect themselves from the security threats. If this is the new normal, it’s time to start managing cyber-risk more effectively going forward.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.