Many organisations coped with the difficult forced transition to remote working for most of their employees. According to ESG’s The Impact of the COVID-19 Pandemic on Cybersecurity report, 87% of cyber pros said the transition went smoothly.
The long-term impact on security teams and the businesses they protect is more complicated. CISOs need to contend with new work cultures, new attack surfaces, prepare for the next potential ‘black swan’ event, and fix the “quick-fixes” put in place at the start of quarantine. Here are some of the lessons CISOs have learned from the COVID crisis.
Lesson 1: Security culture needs to follow business culture changes
Many organisations are looking to make large-scale permanent changes to how their employees work in the wake of COVID. Employees have proven they can be productive away from the office and IT has shown the technology works and can scale. According to Radware’s C-Suite Perspectives 2020 report, over 80% of companies expect to continue supporting work-from-home employees at a higher rate than before the pandemic hit.
Graham Thomson, CISO (and interim head of data and analytics) at law firm IrwinMitchell, says few employees worked remotely before the lockdown began. “This was a combination of culture, people thinking they would not be effective in their role if working out of the office, and various legal industry business processes that relied upon physical presence or paper records, such as court appearances, evidence bundles, wills, and wet signatures.”
After scaling existing technologies and introducing new remote work technologies needed at IrwinMitchell, Thomson says the focus had to turn to the employees. “On top of all the security assessments of the technologies were the security and privacy concerns of colleagues now working at home, handling sensitive information and using new technologies they were not familiar with. A whole raft of new security and privacy training and awareness was required to be written and delivered in super-fast time.”
Around 80% of the company said they would like to continue to work from home in some capacity after the crisis. “They love it,” says Thomson. “It makes so much better use of time and can even improve productivity and efficiency. To support this, the information security team will continue to cater for remote training and awareness as well ensuring that our technologies remain secure as necessary.”
Security must ensure the good security education, behaviours and practices in the corporate setting occur in the home. According to BitDefender’s The Indelible Impact of COVID 19 On Cybersecurity report, over 30% of security professionals worry about employees working remotely. Yet IBM’s Work from Home study suggests that almost half of people new to working at home haven't received additional security training, new security policies, or guidelines on how to securely work or handle PII while working from home.
Encouraging good security behaviour goes beyond education around phishing or reminding them of good password security. For example, the IBM study found that 22% of respondents who work with PII said they posted a picture of their work-from-home set up on social media, highlighting the need to encourage people to treat their home workspace – even if it is just their kitchen table – like a proper corporate environment.
Jon Cosson, head of IT and CISO at financial firm JM Finn, says it is his job to champion and ensure that everybody believes in the mission. “In February, we had six sites that we managed. Within a week we had 330 sites that we had to manage,” he says. “It's down to the security professionals to ensure that we educate people. They've got to make the right decisions at home and in work. You need to take them on that journey with you, and you need to educate them so they are at least empowered to protect themselves, and then I'll worry about the technical stuff behind that.”
Lesson 2: Permanent change in work habits means new processes, policies and technologies
The pandemic has accelerated digital transformation. For most, these technology and process changes will be the accepted way of working. According to BitDefender, 24/7 IT support, more security training, new remote policies, and an inventory of devices accessing network were permanent changes introduced during lockdown that impact security.
However, under half of business decision makers have admitted that their existing cybersecurity policies are not suitable for maintaining a 100% remote working model, according to Tanium’s When the World Stayed Home report. Multiple reports have said investments in endpoint monitoring and management, cloud computing and zero trust were key to adopting to the new way of working in the future.
“We’d gone from having to secure 13 offices to 3,000 home ‘offices’ overnight, and there was a massive increase in digitization, too,” says IrwinMitchell’s Thomson. “The traditional paper-based processes, such as wet signatures and sending material via the post, had been replaced with new digital technologies and online processes, and we will be keeping and further developing all the technologies and digitization of paper-based processes.”
The number of devices companies must now manage has become much larger. While many companies encourage BYOD amongst staff or have allowed them to take office hardware home, many have provisioned devices specially for lockdown. Cosson says he wanted to avoid scavenging equipment from the office for employees to take home. “I know many companies have done that, but we kept everything in place because we want to be a smooth transition back into BAU [business as usual].”
Lesson 3: Organisations need to prepare for (and test against) extreme scenarios
The current pandemic isn’t over and scientists warn about the potential for future ones to strike. Expecting the unexpected and properly testing against those events should be the new norm for IT and security leaders.
Half of infosec professionals say their organisations didn’t have a contingency plan in place for a situation like COVID-19 according to BitDefender, while Databarracks’ Data Health Check 2020 reports that 66% of organisations said they did not have a plan for infectious disease pandemic despite claiming to have up-to-date business continuity plans.
At JM Finn, Cosson and his team featured pandemic planning last year at part of a wargaming exercise, which put them in good stead for the realities of 2020. He learned it is critical to have the right people on the emergency management team in such scenarios and involve their deputies from the start. “With an emergency management team, it's not just about senior staff. You need the right staff in the right areas. One of the key onuses from running wargames is to identify the right staff to bring together in an emergency and get decisions made.”
Another lesson that became clear in that wargame was the idea of recovery sites in a COVID-like event. Like many organisations, JM Finn had a designated recovery center in its planning, but in a pandemic-type scenario with large-scale quarantines, that wouldn’t be a feasible option. “It was evident, even a year ago, that we would have to have capacity on our network to support everybody remotely. We now have the perfect disaster recovery solution, and it's people's homes and people's living rooms.”
Cosson says telephony was another area of importance identified by the wargame due to compliance requirements. “Voice communications is every bit as important as desktop or delivery of a solution or an application because for regulatory requirements we need to record communications with clients.” he says. “Early on we realised you couldn't use mobile phones to make a call to someone, you couldn't use their own landline as that wasn't recorded. So, regulatory requirements directed us towards a recording solution for all incoming and external calls.”
During a breach, Cosson says, nothing can replace a physical phone in a home setup. “We had a number of devices ready and we started shipping out physical phones that can record and simply plug into the router or can use wireless. How well telecommunications worked has been one of the big wins from the lockdown.”
IrwinMitchell also had conducted exercises and had plans in place, which proved crucial even if the plans never accounted for so many employees working from home. “It was the sheer scale of the challenge that was a surprise and what we learned was that to handle it effectively the problem must be split up into chunks,” says Thomson. “We quickly adopted the squad approach and had dedicated people look after each area that would support our response to the crisis. We had regular communications with the business and clients, and ensured that all colleagues could feed back to a central squad with ideas and tips for everyone else.”
“CISOs have a responsibility to ensure the availability of information,” says Thomson, “and this includes IT disaster recovery. CISOs should not have direct responsibility for ensuring availability but should lead on the governance side of it. Have controls for IT disaster recovery in your information security policy and test the maturity and effectiveness of them every year or so.”
Lesson 4: The threat landscape is the same, but different
A permanent large-scale workforce means a much larger attack surface that is harder to gain granular visibility into. Cybercriminals redoubled their efforts during COVID with phishing campaigns, DDoS attacks, and ransomware infections. Remote work also put challenges around on- and offboarding, device management and shadow IT on a much larger scale.
“The risk profile of organizations has changed in the sense that there are now many more home offices to secure, a greater level of critical technologies (VPNs and communication systems), and a reliance on staff following company policies and remaining compliant. The level of required trust has increased and staff must be even more risk aware,” says Thomson. “I don’t think there will be a full return to work, and where it does happen it will be phased in and slow progress. The risk profiles of organizations have changed forever in my view, and this is, dare I say it, the new normal.”
Thompson says his company saw phishing attacks trebling as well as a huge increase in malicious websites and links within malicious emails. “With all colleagues at home and working on laptops using the VPN, endpoint security also became a critical focus, and our plans for advanced endpoint detection and response were delivered in good time.”
Whether in the form of shadow IT or personal devices, the increasing crossover of personal and corporate life away from the eyes of security is a pressing issue. Studies suggest employees using their personal laptops and computers for business operations while working from home has become increasingly common, and as a result issues such as shadow IT, non-employees having access to corporate data, and non-corporate devices connecting to the network have all jumped up on companies’ risk registers.
Cosson says that many organisations built their security software around an office. “That's now going to change and you've got to think about how the office of the future is going to look and how we secure that,” he says. “We have 300 users and we're in six offices. Now it’s going to be 300 users in six offices, but also 300 users working from home, and you've got to think not only of the office but the home as well environment. You’ve doubled your surface to protect.”
This new landscape means organizations are investing in new technologies. Moves to cloud computing have accelerated, but many security leaders are not satisfied with their visibility into remote workers. Interest in technologies such as zero trust, behavioral analytics and multi-factor authentication have increased.
Lesson 5: Stand back and reassess
Studies suggest resources may have been shifted away from cybersecurity to set up remote workers, and organisations that adopted remote working technology may have bypassed privacy and security reviews to minimize disruption to operations.
CISOs must reassess many of the changes they made to enable the business to continue to operate. Were vendors brought on quickly? Were security processes or controls relaxed to allow operations to continue? Do you know what changes your supply chain has made?
IrwinMitchell’s Thomson says that some companies were caught unprepared and reduced their security posture by removing two-factor authentication and opening the firewall to remote access ports. “There is always a balance between security and usability, but some security controls are just so essential to keep or put in place because those areas will be attacked constantly and you can never let your guard down. CISOs focus should be on securing any new technologies or processes that were brought in quickly during the crisis, identifying and fixing any technical vulnerabilities in the estate, and when it comes to staff, train, train and train them again.”
“COVID has changed the plumbing of most business for the foreseeable future and has only served to increase the use of technology and digitizing business processes. In support of our technology changes, effective governance still had to be followed and some very agile security risk assessments were needed. This included reviewing any new IT architecture, new laptops and their build, and accelerated cloud-based technologies like Microsoft Teams.”
BitDefender reports that supply chain attacks are up 38% since the start of the pandemic. How you work with customers, clients and vendors in more remote environments will likely need to be reassessed. Every organization in your ecosystem will be undergoing similar transformations and changes may be needed to accommodate everyone securely.
Cosson says one of JM Finn’s challenges over the next 12 months is to look at how it delivers services to clients. “We have to think ahead. We have to look at our staff and how we can support them so they can support the clients and continue to service them in a secure way.”