The COVID-19 crisis has created an awful state of affairs: people’s livelihoods and hard work taken by an invisible foe. As companies cut their workforce to cope with the impact of the coronavirus, the specter of cyberattacks stands on the horizon looking for trouble. Cyber threats both malicious and accidental are at the heart of this, and access control to business data may be the key to recovery. Can our identity and access management (IAM) systems contain these threats?
Why COVID-19 caused a perfect security storm
The main reason behind the spike in security issues during the pandemic is that cybercriminals are, first and foremost, scammers who understand human behavior better than any behavioral scientist. Cybercriminals looked at the pandemic, saw an opportunity, and jumped on it.
Ever since, a perfect storm has been brewing:
Lost jobs: Job losses due to the pandemic are massive and will continue to happen. The World Economic Forum (WEF) reported in May this year that G7 job losses ranged from 30 million in the US to 1.7 million in Japan. The WEF expects around 305 million full-time jobs to be lost worldwide to the COVID-19 pandemic in Q2 of 2020. When employees leave, they are more likely to cause data breaches, according to a study by The Hague Delta. The researchers found that 89% of employees who leave an organization have continued access to company data, increasing the risk of a data breach.
Home working: Before jobs were ever lost, people were sent home. Tech companies such as Facebook and Twitter have now added a “forever” extension to allow people to permanently work from home. Home working adds a new dimension to controlling cyberattacks, as the home office acts like a satellite office. This requires security policy to be adapted and the adapted policy to be enforced.
Increased cyber threats and cybercriminal activity: Checking out Tor Metrics over the pandemic period, I noticed a massive spike in .onion sites. It almost looks like it follows the course of coronavirus infections across the world. In April 2020, there were around 100,000 .onion websites. By mid-May there were over 220,000. Not all will be malicious, but I’d wager most are.
As a report by Proofpoint found, 99% of cyberattacks require human intervention. A key way that data is breached is via privileged access. The 2020 Insider Threat Report confirms this, showing that 63% of organizations see privileged IT users as being the biggest threat.
These three inter-related areas of the perfect storm have created an identity crisis. Access control measures need to harden the wider resource access landscape. COVID-19 has created a situation that requires a systematic recheck of any access control measures an enterprise has in place.
Access control key during and post COVID-19
Even before COVID-19 hit home, enterprises had begun to see the wind of change in how they needed to use digital identity and access control. The industry was already offering better and more decoupled methods of managing access rights to a wide variety of employees and non-employees. Systems such as directory as a service and wider consumer identity access management (CIAM) models were already available. Other centralized identity services specifically designed to onboard and offboard non-employees were also readily available. Using these tools, an enterprise can catastrophe-harden its access management in these ways:
Offboarding lost employees
A survey by OneLogin found that 20% of companies could associate a data breach with a failure to deprovision departing employees. Offboarding employees, once they have left the organization, is a priority. The employee may have no malicious intent whatsoever, but by still having access to company data they present a gap in security. An ex-employee is still an insider threat if they have access to insider data.
Onboarding non-employees
Non-employees may well become a more normal way to work post-COVID-19. We may need, in fact, to think of all workers as “non-employees.” Traditionally, non-employees are consultants, vendors or even devices. We have to treat them differently with regards to access management because their work lifecycle is so fluid.
Taking a zero-trust approach
We are now entering a new era where technology can facilitate an extended workforce. The zero-trust security model is a strong contender for setting the right tone in terms of continued, persistent, fluid access control. I’m not saying it is easy, but it is necessary. Zero trust is not, by itself, the entire answer. Rather, it is a framework to deliver robust access control. It is about an “always verify, never trust” attitude to controlling resource access.
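An added example, not from the original article, that ties the three measures above together: a report of enabled accounts whose owner has been offboarded or whose contract has ended, and a per-request check that re-verifies lifecycle state instead of trusting a past login. The record layout, the function names, the sample users and the policy that non-employee access must carry an end date are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Identity:
    user: str
    kind: str                  # "employee" or "non-employee" (vendor, consultant, device)
    end_date: Optional[date]   # last day of entitlement; None = open-ended

def lifecycle_problem(ident, today):
    """Return why this identity should hold no access, or None if it is current."""
    if ident is None:
        return "no identity record"
    if ident.end_date is not None and today > ident.end_date:
        return "offboarded" if ident.kind == "employee" else "contract ended"
    if ident.kind == "non-employee" and ident.end_date is None:
        return "no end date"   # assumed policy: non-employee access is time-boxed
    return None

def stale_accounts(identities, accounts, today):
    """Enabled (user, system) accounts whose owner is no longer entitled to access."""
    by_user = {i.user: i for i in identities}
    findings = []
    for user, system, enabled in accounts:
        reason = lifecycle_problem(by_user.get(user), today) if enabled else None
        if reason:
            findings.append((user, system, reason))
    return sorted(findings)

def authorize(user, identities, today):
    """Re-check lifecycle state on every request rather than trusting a past login."""
    by_user = {i.user: i for i in identities}
    return lifecycle_problem(by_user.get(user), today) is None

# Constructed sample data: users, systems and dates are hypothetical.
IDENTITIES = [
    Identity("alice", "employee", None),
    Identity("bob", "employee", date(2020, 5, 15)),          # left the company
    Identity("carol", "non-employee", date(2020, 6, 30)),    # contract still running
    Identity("dave", "non-employee", date(2020, 4, 30)),     # contract over
    Identity("erin", "non-employee", None),                  # never time-boxed
]
ACCOUNTS = [  # (user, system, enabled) as exported from each system
    ("alice", "vpn", True), ("bob", "vpn", True), ("bob", "crm", False),
    ("carol", "crm", True), ("dave", "git", True), ("erin", "crm", True),
    ("svc-old", "git", True),                                # no owner on record
]
TODAY = date(2020, 6, 1)
```

Run against the sample data, `stale_accounts(IDENTITIES, ACCOUNTS, TODAY)` flags four enabled accounts, while bob's already disabled CRM account is not reported.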
Catastrophe-hardened IAM for an unpredictable world
The fluidity of our workforce needs to be reflected in the fluidity of our methods of controlling access to corporate data. Dynamic adaptability as circumstances change is a key design remit of a catastrophe-hardened IAM (CHIAM) system.
How do you achieve this adaptability? By using smart technology that has already been developed. Machine learning is an example, but this is not limited to AI capability. Rules of operation that modify system behavior are an overlay of CHIAM that provides the level of control needed in a complex corporate environment where workforces are fluid and the world is unpredictable.
A design remit that follows the dictates of zero trust, with adaptable rules overlaying a CHIAM, provides an approach that fits all: employees, non-employees, devices.
The issues we are seeing during this pandemic are not new. COVID-19 has simply thrown them into sharp relief. It is likely that work will continue to adapt to a new world order: climate change drives reduced travel and home working; the uptake of freelance and consultancy workers as non-employees increases; and unstable economic conditions are likely to lead to an unstable employee base.
Our access control measures need to adapt, too, and now is the time to look at what your organization is doing to move forward in an unpredictable world.