The ‘New Normal’: The COVID-19 crisis looks set to reshape society permanently in a number of ways, one being a massive expansion of home working across all sectors. As the pandemic struck earlier this year, organizations around the world were forced to act promptly to continue operating outside the confines of their corporate offices.
For the many companies unprepared for remote working, at the minimum on such a scale, this has necessitated the rapid deployment of technologies, ranging from video communication software to VPN solutions. Brian Honan, CEO of BH Consulting, comments, “COVID-19 has forced the hand of businesses to adopt remote working and cloud services and to establish their businesses much more digitally agile than they had planned.”
With the genie this minute out of the bottle and the benefits of remote working – such as more considerable flexibility for employees and reduced overhead costs for companies – being increasingly recognized, there is unlikely to be a return to the pre-COVID world of business. While this increased flexibility and utilization of technology is to be welcomed, the speed at which it has occurred has caused a significant headache from a cybersecurity perspective. Manoj Bhatt, head of cyber security and advisory at Telstra Purple, mentions, “If you have rapidly deployed tech, but haven’t put the right security controls in place then that leaves you exposed.”
As well as unsecured technologies, the fact that employees are working without direct access to IT personnel exacerbates security problems. For instance, careless habits of workers, such as using home devices to acquire corporate systems, have been regularly observed throughout the crisis, making businesses more vulnerable to infiltration. Additionally, remote employees are far more likely to fall victim to scam attacks. “We are seeing an uptick in security breaches relating to an environment where user accounts are getting hijacked because their access has been phished, or they’ve been reusing passwords from an account that’s been breached elsewhere,” says Honan.
Nevertheless, these major challenges additionally provide the potential for far-reaching solutions and a unique opportunity to promote about a sea change in cybersecurity attitudes and practices. The concept of ‘zero-trust’ has long been preached by security experts, and it is likely businesses will now be far more receptive to such overtones as they look to secure their innovative way of working (the ‘New Normal’).
Bhatt, furthermore, said, “I think we’re going to see a real flexible delivery model going forward in most sectors; we’re going to observe people want to work more from home, and they’re able to do so, so that’s going to be a real challenge to the status quo. Cybersecurity is going to have to envelop its head around it.”
Thence what kind of new and innovative cybersecurity practices can we expect to be employed on a widespread basis in the upcoming months and years?
“Companies need to readjust their mindset to a zero-trust model.”
The ‘New Normal’: User Awareness Training
The notion that individuals are the first line of defense takes on even more relevance as home working becomes the norm, with employees increasingly reliant on using their own best judgement to keep corporate systems safe. In practice, however, currently, not enough staff has the knowledge or training to burden such a responsibility. User awareness training therefore has to be pushed to the fore in this new world (the ‘New Normal’).
The starting point is ensuring employees are far more vigilant and security conscious when working alongside various distractions at home. “Effectively, your laptop was in a corporate environment with lots of security. Now your secure laptop is on a network that is inherently insecure,” outlines Sarb Sembhi, CTO and CISO. “Convincing employees to think about this and to consider the data protection implications of any data that is left lying around or conversations that could be overheard now matters far more.”
This means bringing about behaviors such as locking devices every time they are abandoned unattended, and blurring out the background on video calls.
Encouragingly, the importance of greater user awareness appears to be getting more recognized by business leaders. The ClubCISO Information Security Maturity Report 2020 shows that security awareness and training is one of the top three areas where CISOs have driven measurable improvements in recent months.
Additionally, there are indications that employees are now keener to educate themselves about cybersecurity, rising to the challenge of these more prime responsibilities. Bhatt says, “I’m marking a key trend of people getting interested and looking to upskill themselves around cybersecurity. We are predicting a wave of education that’s happening within the industry.”
The ‘New Normal’: Focusing On Mental Health
Another hope is that, linked to this need to improve employees’ cyber-awareness, a bigger emphasis on protecting mental health will emanate from business leaders. Working from home can place extra stress on people, both for those who have families and are juggling a number of other commitments, and for people living alone, suffering from limited human-to-human interactions. This is especially the case in a time of crisis and makes employees much more likely to be duped by scams such as social engineering when stress and tensions are widely felt.
Additionally, the uncertain economic climate is only going to exacerbate this problem. In the same way that cyber-criminals seized on people’s health worries over COVID-19, they will surely continue to play on ongoing economic fears such as job security. “Users are more susceptible to these phishing attacks on corporate laptops than they would have been at other times. They are vulnerable, and employers owe a duty of care to be thinking about those things,” adds Sembhi.
The ‘New Normal’: Keeping The Cloud And Communications Secure
The rapid move to the cloud that many organizations have undertaken in recent months requires a more robust approach to managing access and permissions. “In the rush to induce people working remotely, many organizations may now have people on non-corporate devices or even on corporate devices that can no longer be updated and made as secure as they were when they were on the corporate network,” states Honan. “Companies need to readjust their mindset to a zero-trust model in other ways to ensure that the appropriate people obtain appropriate access in the appropriate way to get information that can all be centrally monitored and managed.”
With remote employees increasingly targeted by phishing scams, including via email, investing in technology that defends workers from these kinds of malicious communications has taken on a heightened sense of importance. This is vital for enhancing productivity as well as cyber security. Sembhi explains, “Investing in technologies that stop these messages getting to the end user means that they focus their time on actually getting work done and not trying to filter out what’s spam and what’s not.”
It may indeed be the case that companies shift away from email as the primary form of online communication going forward, moving towards cloud and app-based alternatives for both security and efficiency purposes. Interestingly, a recent survey by the think tank Parliament Street exposed that over two-fifths of businesses are considering replacing email as their primary communication channel.
The ability to hold meetings remotely have remained a crucial aspect of businesses continuing to function during lockdowns; however, for ease, many companies have been utilizing software not suitable for the kinds of confidential discussions that take place in the corporate world on a routine basis. Gemma Moore, director at Cyberis, states, “The rapid growth of collaboration on platforms such as Teams and Zoom delivers adversaries a robust, innovative way (‘New Normal’) to target employees who might not be ready for the threat.”
Honan outlines the steps organizations should take to ensure video meetings are secure, including consistently having Multi-Factor Authentication (MFA) capacity and most crucially of all, using end-to-end encryption. He adds, “You are still responsible for the security of your information and for your obligations under GDPR, so you have to ensure that whatever tools you use are secure.”
“We’re hoping in the next year or so that the technologies we’re offering will be de-parameterized.”
The ‘New Normal’: Enabling Safe Working, Always, Allover
The security of VPNs has naturally taken on a broader level of significance since the shift to mass remote working. Some businesses have had VPN solutions in place for some time to cater for having a minor fraction of their staff working from home, but these are often not configured for the entire company to do so. Conversely, other companies have been forced to implement new VPN solutions from scratch this year. As the dust settles and many organizations consider more extensive remote working going forward, steps must be taken to ensure VPNs are adequately secured.
Honan says, “VPNs are becoming much more of an important entry point to a network so it’s important those systems are properly patched and secured, as well as up-to-date and scaled to the appropriate size. Subsequently, you have tools in place such as the MFA to verify users and their accurate locations, with Geo-location, isolation preventing people logging in from remote locations.”
There are also evidence organizations are increasingly looking for software-defined networking in a wide area network (SD-WAN) as a more secure means of enabling remote connections to a network, with this technology enabling IT teams to more deftly manage hundreds or thousands of locations and multiple connections. For instance, a study in June by Barracuda Networks showed that SD-WAN is presently the cloud security solution of choice for around half of UK businesses; this suggests organizations are thinking more carefully about securing their systems adequate.
Another positive that could emerge from the COVID-19 crisis is the development of strong continuity plans in the event of disaster scenarios – traditionally an issue far down the list of priorities for businesses. The pandemic has highlighted that emergency situations do occur and are capable of severely disrupting business processes.
In Bhatt’s view, this realization should give rise to a much more proactive approach to cybersecurity going forward, with boardrooms and industry leaders increasingly receptive to the suggestions put forward by CISOs to properly anticipate threats. “Boards will recognize the importance of resilience, and they’ll look at the importance of cybersecurity,” he says. “Proactive security and getting ahead of the curve is the absolutely key, whereas I think what we’ve had to do during COVID-19 is extremely reactive.”
The ‘New Normal’: Have Faith In Zero-Trust Model
Although it may take time, it seems inevitable that as remote working becomes ‘The New Normal,’ a zero-trust approach to security will follow suit; one that retains all aspects of an organization’s operation secures. This includes communication software, network access and arguably most important of all, a workforce well versed in best cyber security practices and behaviors.
Sembhi believes that the traditional approach of building strong perimeter defenses around the corporate walls is no longer adequate. He notes, “I’m hoping in the next year or so that the technologies we’re offering will be de-parameterized so that we can work from anywhere with a perimeter around each of our devices and ourselves. That zero-trust approach is going to be in place no matter where we work or what we achieve.”
There is plenty of retrospective work required to achieve this, with cybersecurity measures far from keeping pace with the rapid rollout of mass remote working at the moment. Moore adds, “With businesses having re-architected their platforms in record time to support remote working, many will recoup themselves accelerating down the zero-trust implementation route because this lends itself so well to the flexible remote working paradigm we have been forced to adopt.”
The ability to perform secure in such a dynamic and agile way is surely the motivation lacked to finally herald a zero-trust cybersecurity approach on a widespread basis.