Rethinking cyber security for remote working

CSO and Mimecast Webinar

Watch it here: Why your cyber security posture needs a rethink webinar

The COVID-19 pandemic has precipitated a huge increase in remote working, posing numerous challenges for management and for individuals. Arguably the greatest is the cyber security challenge created by organisations needing to speedily grant access to corporate systems from many devices beyond the direct control of CISOs and their security teams.

It’s expected that the current level of remote working will reduce over time, but not to pre-pandemic levels. Future-of-work research firm Global Workplace Analytics estimates 25-30 percent of the workforce will work from home on multiple days each week by the end of 2021.

The shift to home working has created two distinct cyber security challenges: maintaining security through the rapid transition, and securing IT in a future where remote working is the norm rather than the exception.

Meanwhile the bad actors have lost no time in exploiting the opportunities presented by remote working. Mimecast detected a 30+ percent increase in each of spam, impersonation, malware and suspicious domains in the three months following 31 March 2020.

Rethink your security posture

To identify the cyber security challenges of sustained remote working, and offer solutions, Mimecast sponsored a webinar, Why your cyber security posture needs a rethink.

CSO associate editor, Byron Connolly, chaired a panel comprising cyber security analyst James Turner from CISO Lens, Garrett O'Hara, Principal Technical Consultant with Mimecast, and Chris Neal, CISO at Ramsay Health Care.

Turner set the scene for the panel discussion by identifying three forces driving the need to rethink organisations’ cyber security: increased risk, economics and geopolitics.

Summing up the risks created by the surge in demand for home working, he said: “A lot of risks were just accepted in the rush to do it. And now, CISOs and CIOs are going back over the risks they've accepted over the past several months and asking if it is still appropriate to be accepting those risks.

“How do we best enshrine those processes given all the indicators are that this is going to go on for at least the next couple of years?”

It was evident that compromises had been made to balance cyber security and operational priorities. Neal said that at Ramsay Health Care, threat awareness training had been wound back.

“If it's a choice between a nurse caring for patients or trying to deal with COVID patients versus spending five minutes on a security awareness video, I know which that has to be.”

More seriously, O’Hara predicted that many cyber security decisions taken under pressure from the pandemic would create problems down the track. “I see a big piece of work in 12 to 18 months where people go ‘Oh my god! All this stuff has happened. How do we get the toothpaste back in the tube?’”

Meeting the cyber skills shortage

To add to the challenges, the cyber security demands engendered by home working have exacerbated an already serious shortage of cyber security skills, and the discussion turned to how this problem might be addressed.

Turner said there was a growing trend to fill security roles from other areas of IT. “The CISO community is looking to train existing technologists to care more about security themselves. If we can shift their understanding so they get how what they do has a direct impact on security … we've got better security practices and thinking coming from people that already understand the tech.”

Neal confirmed this approach, saying he had hired no cyber security specialists. “Most of my team I've poached from other parts of Ramsay Health Care IT: people who knew how Ramsay worked, knew the technology, knew the business and had an interest in and an aptitude for cyber.”

Three-part solution to security challenges

Each of the three experts in the webinar — analyst, vendor, user — brought a different perspective to the COVID-19 induced cyber security challenge, but all agreed that meeting this challenge required an effective combination of cyber security skills, technology skills, and business and communication skills.

O’Hara said having good, well-integrated cyber security platforms would free up cyber security personnel for more meaningful roles.

Turner said security staff must understand the businesses they were hired to protect. “Security people need to have an intimate understanding of how the business uses technology, but they can't know everything. They are completely dependent on their communication abilities with both the business and with IT.”

Neal said drawing cyber security staff from other areas of IT had a dual benefit: they knew the business and could educate the business about the importance of cyber security.

You’ll find these and many more valuable insights from the front line of cyber security in a COVID-19 world in our webinar, Why your cyber security posture needs a rethink. Watch it here.

Copyright © 2020 IDG Communications, Inc.