In a normal world, IT innovations can take months or even years to plan, communicate and execute. And then there’s the era of Covid-19.
Back in March, with just days to prepare to shelter in place, IT organizations in the U.S. halted their day-to-day operations and moved employees from the secure and predictable settings of their offices to the new — and for many, uncharted — world of remote workspaces.
CISOs who were already maintaining security policies through a hybrid mix of remote and office-based employees were better prepared to support this transition. Others faced this monumental task for the first time.
Now, after seven months of fighting off and navigating new, larger attack surfaces from at-home workforces, how can CISOs maintain the safety of their workers and sensitive data while still supporting IT’s focus on innovation?
As you’ve probably read in numerous articles, the remote workforce ushered in a new rush of cyberattacks through phishing, business email compromise and ransomware. New attack surfaces were created by remote employees who were required to adopt new security policies while learning to use applications over the cloud and stay connected over new collaboration tools.
Of the CISOs I’ve talked with who were better prepared for the transition, most had already established remote work policies and are continuing to focus on improving their security posture with features and capabilities such as multifactor authentication (MFA), endpoint protection and data leakage prevention, as well as increased cybersecurity training for employees.
Now, they’re focused on training, adding new security tools, and slowly accelerating innovation goals while keeping an eye on the horizon for the next big disruption.
Train, Equip And Constantly Monitor
Remote monitoring tools are being added with management stacks to provide unified control and visibility into an entire IT environment, ensuring networks, servers and endpoints can be remotely managed. At the same time, extra time is needed to educate employees about cyberthreats such as malware and phishing, along with the do’s and don’ts linked to remote working.
Just as cybercriminals adapt their approaches, you should also keep employees apprised of the new tricks and techniques. Show them examples of phishing attempts as they hit the network, and provide articles of attacks on other organizations.
Security education and training is not just a moment in time; it should be an ongoing theme to help employees understand their part in securing their company’s information. This includes teaching them to use strong passwords, disconnect from the corporate network when not in use, report suspicious emails, and keep work and personal computing separate.
According to a Google/Harris Poll, at least 52% of people admitted to reusing passwords across multiple sites last year, and 33% either don’t update their applications or don’t know whether they are updated. This lack of password and application hygiene creates exposures that many CISOs struggle to cover.
In 2017, Cybersecurity Ventures and Thycotic predicted that the number of passwords at risk on the internet would surpass 300 billion by 2020. Because of this, and because of ongoing efforts to steal and sell passwords on the black market, password management software is becoming extremely popular. Analysts expect this market to grow by almost 16% by 2025.
Accelerate Digital Transformations With Safety In Mind
The pandemic is drastically accelerating digital transformation as more applications and data move to the cloud and as employees become more dependent on online collaboration tools. For many organizations, digital transformations have sped up from years to months and even weeks.
As organizations work or interact from anywhere, on any device, at any time, the cyberthreat landscape will expand across myriad boundaries, requiring CISOs to factor in three major strategic imperatives for cybersecurity: shifting to a zero trust model (never trust, always verify), increasing focus on building trust between organizations and their stakeholders, and providing more seamless, secure experiences for gig workers and other stakeholders.
This model will remain in place as we prepare for other major disruptions. Some companies, such as Facebook and Amazon, will develop their cloud infrastructures to allow employees to work remotely throughout the rest of the year and possibly into the next.
We know that companies need to know where their data is physically located and that it’s safe. Done correctly, data is safer in the cloud with professionals who have the resources to provide leading security protection and evolve in response to a threat.
Strive For The Best; Prepare For The Worst
While many organizations develop crisis plans and procedures, some fail to consider the human element. During a global disruption like Covid-19, it’s difficult for employees to focus and follow the proper procedures, and they need a checklist or crisis plan to rehearse in advance of a crisis event. In the absence of a plan, automation tools and procedures can also fill security gaps.
Make arrangements to configure all PCs, mobile devices and other managed devices to automatically connect and download security updates without the assistance of on-site IT personnel or access to the company’s network. MFA should also be enabled for all critical applications that are not customer-facing. Make these processes as seamless and transparent as possible to help encourage employee support.
Despite the catastrophic disruption and loss of life caused by Covid-19, the pandemic provides us an opportunity to learn from our mistakes and experiences to prepare for future events.
Moving forward, the line between home and office will be indefinitely blurred. IoT devices, home networks, intelligent personal assistants like Alexa and corporate networks will almost permanently share the same workspace. And many home users will never properly maintain their personal devices.
It is now critical to identify what you can do proactively to enhance your security posture by continually assessing risks, evaluating impacts, identifying remediation strategies and implementing proper risk governance. And the more secure you become in this new world, the more you’ll be able to think about the next big innovation in your company.