What’s next? CISOs weigh in on COVID’s long-term effects on security

Jun 04, 2020 | 9 mins
Careers, IT Strategy, Security

CISOs are looking ahead to see how their security organizations need to work post-COVID. Here's what they expect.

A shield protects against COVID-19 coronavirus-related threats.
Credit: Loops7 / Getty Images

As lockdowns ease, CISOs are looking ahead at how their teams operate and how they protect employees and assets. The most likely change is permanently supporting more work-at-home employees. According to a report released in April by (ISC)2, 96% of organizations had moved at least some of their staff to remote work, with nearly half of them shifting all employees out of the office.

The crisis is also an opportunity to rethink overall security strategy and plans, including technology choices, collaboration with the business, and security education and training.

Remote working will be permanent for some workers

A Gartner survey found three-quarters of businesses expect at least 5% of their workforce who previously worked in company offices will become permanent work-from-home employees after the pandemic ends. Rafael Narezzi, CIO/CISO at renewable energy asset management firm WiseEnergy, predicts this will have a long-term effect on the physical footprint of businesses, which will mean long-tail effects for how CISOs manage people. “When we come back, everything is going to be different and I don’t think the office is going to be in demand,” he says. “My company [was] looking to expand to a bigger office, and now they are asking if we need a big office.”

Narezzi believes that being able to quickly transition the business to remote work because the provisions were already in place not only justifies past spend but can also help strengthen future arguments. “My team has been working hard for a year to transition everything to work anywhere, everywhere. The business recognize[s] that all the money that we asked for — to protect the business, to enable the business to work anywhere, everywhere — the results for the company are there and the return on investment is justified.”

Long-term work-from-home security challenges

If working from home at scale is to become a permanent fixture for how companies operate, they will likely have to re-evaluate the risks brought by different people in different scenarios. Digital Guardian saw an 80% increase in the egress of corporate data during the lockdown period, including a 123% increase in the volume of data moving to USB drives and a large spike in data uploaded to cloud storage services. According to a remote work study by BitGlass, user training, home network security, and personal devices are the three key security challenges organizations are currently facing, followed by sensitive data outside the corporate perimeter, a lack of visibility, and the additional cost of new security solutions or licenses.

“Some people will want to return to the office as soon as it is safe to do so; others will want to continue to embrace the freedom and flexibility that remote working can provide,” says Ste Watts, head of cybersecurity at wealth management firm Rathbone Brothers. “This will open up longer-term considerations for cybersecurity and risk teams such as remote printing, use of personal equipment for accessing company networks and the physical security of remote workplaces, to name a few.”

A Dimensional Research report found over half of organizations have begun identifying new tools to address the post-COVID-19 environment and 42% are investing in staff training for the new skills required to adapt to the new normal. However, despite these increased risks, CIO’s COVID-19 impact study suggests that digital transformation and user experience are higher priorities than security for CIOs. CISOs might need to work hard with the business to ensure security is taken seriously moving forward.

“A good leadership team recognizes that these scenarios cause additional risk and it’s a collaborative effort between the leadership teams and the cyber security team to find a compromise where required,” says Watts. “Companies will need to strike the right balance between capitalizing on the benefits whilst ensuring this still occurs within the boundaries of acceptable risk using the company’s agreed risk appetite as a guardrail.”

CISOs will still need to ensure a robust process for getting patches out to devices that might rarely, if ever, connect to the corporate network. B2B payments firm AvidXchange doubled its VPN bandwidth in anticipation of additional load, but because the company also uses Office 365, many users can do their work without ever connecting to the VPN. So company CISO Christina Quaine told users that they were required to connect regularly via the VPN to receive patches for corporate devices. “There’s a lot of individuals that don’t necessarily need to log on to the VPN, but if they’re not logged into the network, they’re not getting the latest patches on their laptops,” she says.
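The follow-up to a “connect regularly to get patched” policy is checking who has not. The script below is an added example, not AvidXchange’s tooling: it reads a constructed export of endpoint records (device, last VPN connection, installed patch level) and flags laptops that never connected, have missed the check-in window, or connected but still report a stale patch level. The field names, the 14-day window and the “current” patch level are assumptions.

```python
"""Stale-device check for laptops that only receive patches over the VPN.

Added example (not AvidXchange's code). The CSV layout, the 14-day window
and the 'current' patch level are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample export: device, last VPN connection (UTC), patch level.
SAMPLE_RECORDS = """\
device,last_vpn_connect,patch_level
LAPTOP-001,2020-05-28T09:12:00,2020-05
LAPTOP-002,2020-04-30T17:45:00,2020-03
LAPTOP-003,2020-05-15T08:00:00,2020-05
LAPTOP-004,2020-05-29T12:30:00,2020-04
LAPTOP-005,,
"""

def parse_records(text):
    """Parse the CSV export into dicts; an empty timestamp becomes None."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        ts = row["last_vpn_connect"]
        row["last_vpn_connect"] = datetime.fromisoformat(ts) if ts else None
        rows.append(row)
    return rows

def find_overdue(records, now, current_level, max_days=14):
    """Return {device: reason} for devices that need chasing.

    Overdue means: never connected, no VPN connection within max_days,
    or connected recently but still reporting a patch level behind current.
    """
    overdue = {}
    cutoff = now - timedelta(days=max_days)
    for r in records:
        last = r["last_vpn_connect"]
        if last is None:
            overdue[r["device"]] = "never connected"
        elif last < cutoff:
            overdue[r["device"]] = "no VPN connection in %d days" % max_days
        elif r["patch_level"] != current_level:
            overdue[r["device"]] = "patch level %s behind %s" % (r["patch_level"], current_level)
    return overdue

def check_sample():
    """Run the check over the constructed export as of 2020-06-01."""
    return find_overdue(parse_records(SAMPLE_RECORDS), datetime(2020, 6, 1), "2020-05")

if __name__ == "__main__":
    for device, reason in check_sample().items():
        print(device, reason)
```

A device that connects but stays behind the current level (LAPTOP-004 in the sample) is the case a pure “last seen” report misses, which is why the check compares the reported patch level as well.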

Culture change requires CISOs to lead

Watts says that CISOs shouldn’t let the crisis go to waste, and the pandemic is an opportunity to get more time with the board and do things that perhaps they couldn’t do before. “The pandemic has forced a number of companies to adopt technologies and processes that weren’t required before or that weren’t planned to be adopted at such a rapid pace or scale,” he says. “This in turn has been a great opportunity to demonstrate that cybersecurity isn’t a blocker, but a function that can help the business to achieve their goals.”

“Good security leaders will have been leveraging cyber threat intelligence to provide regular briefings to the board. This is something that may not have occurred in some companies prior to the pandemic but is something that should continue going forward,” Watts adds.

“Hopefully, the pandemic has demonstrated just what is possible with the right motivation and focus. That’s not to say that all new initiatives should be approached in the same way as they might have been recently, but instead that good communication and faster, risk-based decision making is possible, which will open up new opportunities for companies.”

WiseEnergy’s Narezzi says during the start of the crisis, his company saw a 600% increase in attack attempts, primarily through phishing and other social engineering scams. However, he had already implemented work-from-home capabilities, so he avoided the mad scramble that many companies faced at the start of the lockdown. “We were very lucky. We started planning to work from anywhere, everywhere last year, so when the crisis did come we were prepared for it.”

Despite the preparations, it took the virus and lockdowns for the staff to adopt the new capabilities. Employees were sticking to the old ways of working prior to coronavirus, despite having the technology to enable remote working. “The hardest part was making them work from home,” Narezzi says. “The company was offering [it], but people didn’t believe they could do that remotely. Then coronavirus comes so there was no other option. The results have been very positive.”

Once employees are at home, however, they may let their guard down. A new study from Tessian suggests just under half of employees are less likely to engage in safe data practices when they’re working from home. If organizations are to keep their employees following process and policy, CISOs will need to instill a strong security culture around staying secure at home.

Some organizations are hosting daily company-wide ‘huddles’ where CISOs have been sharing security advice and tips to keep employees aware of key security messages. Even if these meetings do not continue once staff start returning to the office, CISOs should make use of their increased visibility to send regular reminders about how to stay secure.

Watts believes the push for more regular communication about cybersecurity might drive the importance of employees taking more ownership in helping keep the business secure. “This new focus on cybersecurity has also helped employees to realize that they are part of the solution,” he says. “The so-called ‘human firewall’ has never been more important than now and I think this is starting to resonate with people a lot more than before the pandemic, both in the workplace and at home, which can only be a good thing for the industry.”

Rethinking the security workforce

The pandemic is pushing organizations to rethink which technologies and processes are truly critical to the business. Narezzi predicts that more CISOs will start to outsource security operations now that coronavirus has proved that most processes can be done remotely. “Today, you buy technology and then you have to buy labor to monitor or control the technology. Companies that did prepare to work remotely and cloud-based will be allocating processes digitally in different countries to save costs,” he says. “You don’t need to pay a UK price for a SOC today. Why would you if you can get an even better price in Mexico or in different countries where we can reduce costs?”

AvidXchange’s Quaine says the pandemic has been an opportunity not only to identify and shore up critical processes and realign resources, but also to rethink where work is done. “What I think COVID did for our organization is widen our view on the ability to work from home for a subset of teammates that we weren’t necessarily thinking about. This gives us more opportunity to not just hire in locations that are where our offices are. We may have the ability to hire somebody, ship them equipment, and get the best talent throughout the country, versus in our home sites.”

However, while the pandemic was a unique situation, it did show the benefits of regular communication with remote staff to ensure they aren’t overworking themselves and risking burnout. “We tend to have longer days I think because of the usability and the lack of commute time, and so I’m very mindful with my team,” says Quaine. “I have a daily check-in with them at the end of the day to see how we’re doing and how their teams are, just to make sure that they’re not feeling like they’re completely locked into the computer.”

“Having the team on a daily call, I feel like the team’s really jelled, and we’re not there talking about information security, but also who’s Christina as a person,” Quaine adds. “People have a little bit more of a connection with you, which I think is really great for our organization.”