6 security shortcomings that COVID-19 exposed

A year ago, in the fall of 2019, Mike Zachman ran a security drill for his company, Zebra Technologies Corp.

Zachman, who as chief security officer oversees cybersecurity as well as product security and physical security, had focused the exercise on business continuity to determine how well the company’s plans would hold up.

He had organized similar events in the past, running through both a mock ransomware attack and a staged natural disaster that took out a data center. So, to further test his company, he came up with a new scenario for 2019: a theoretical pandemic, complete with office workers undergoing temperature checks.

Mike Zachman, Chief Security Officer. Zebra Technologies Corporation

Zachman assures that he’s not prescient but rather pragmatic: Global companies have had to deal with SARS and localized epidemics in the past, he says, so he saw testing his company’s response to a pandemic as a responsible move.

The exercise tested the company’s “3+2” strategy, which was designed to ensure that its disaster recovery, supply chain and workforce (the “3”) as well as its repair depots and distribution centers (the “2”) were resilient enough to handle the event.

“Having done that exercise, we found ourselves reasonably prepared when COVID hit. It was still challenging. It took a lot of people putting in a lot of energy to make sure we executed properly. But what we weren’t doing was running around, saying ‘What do we do?’” Zachman says.

The company had a command-and-control plan, and it had enough VPNs to support widespread remote work. Its workers had their devices with them, as the fall 2019 drill reinforced for them the need to take their laptops home at night to ensure business continuity should a sudden emergency arise.

However, Zebra still encountered a few shortcomings in its cybersecurity operations that needed to be fixed, Zachman says. It found, for example, that some of the configurations on its laptops didn’t offer adequate protection for long-term remote access gained through individual workers’ home internet networks. And it had less visibility into the at-home laptops’ network traffic, prompting Zebra to speed up its journey to a more mature zero trust environment.

As Zebra’s experience shows, the pandemic uncovered security shortcomings in even well-prepared organizations. The shortcomings run the gamut from minor to significant and, regardless of their size and nature, are keeping CISOs extra busy as they and their organizations move forward amid continued uncertainty and extended work-from-home scenarios.

“It might be, ‘Hey, these are our gaps’ or it could be ‘We’re further behind than we thought,’ but everyone learned something from COVID,” says Kory Patrick, risk and security practice leader for IT service management company TEKsystems.

Security shortcomings exposed

Numerous reports in recent months have found that the number, types, and severity of attacks were on the rise in 2020. NETSCOUT, for example, reported in its threat intelligence report covering the first half of the year that there were 4.83 million attacks during that time, a 15% increase over the prior year. Such statistics reinforce what CISOs have been saying since March: that the pandemic is constantly testing the strength of enterprise security.

The pandemic also revealed numerous weak spots. Security leaders and experts listed some common gaps that have been exposed:

Shelly Waite-Bey, founder, Waite SLTS

Inadequate preparation and planning. Many organizations realized in the early months of the pandemic that their attention to and investment in security programs were lower than needed, says Shelly Waite-Bey, founder of Waite SLTS, a cybersecurity solutions and consulting services company, and a member of Women in Cybersecurity (WiCyS). “There were many who were caught short, and those businesses are rectifying the situation now by looking to improve their security,” she says.

Second-class standing with the board. Kathryn Salazar, vice president of IS and CISO with McBride, says many CISOs still don’t have that full seat at the executive table and still face boards that don’t want to adequately address cyber risks—until there’s an incident. “CISOs aren’t getting the funding they need to secure their organizations as they should be in this new environment,” she says.

Kathryn Salazar, vice president of IS and CISO, McBride

An October 2020 report from SafeGuard Cyber confirms her observation, noting that there remains “a significant disconnect and tension between the perceived security and compliance needs and the level of organizational planning. Despite perceived digital risk around unsanctioned apps, ransomware attacks, securing various tech stacks, only 18% of respondents cite security as being a board-level concern.”

Continued reliance on perimeter defenses. As organizations scrambled to enable remote work for their employees, many CISOs realized that they didn’t have enough VPNs to support the load nor was their security infrastructure capable of guaranteeing that only authorized individuals were able to access only the data they needed at the time when it was required. Patrick blames the continued heavy reliance on perimeter defenses, a reliance that made securely scaling remote work difficult and sometimes nearly impossible. To counteract that, experts say CISOs are accelerating their adoption of advanced identity and access management solutions as well as zero trust principles.

Problems with patching. The events of 2020 also exposed weaknesses in enterprise patching programs, says John E. Stoner, a cyberthreat intelligence analyst and a member of the veteran cybersecurity group VetSec as well as WiCyS. Stoner says some organizations in general didn’t put enough time into applying patching while others didn’t have strong asset management programs that would allow them to effectively manage patching. Still others had a good record of patching corporate assets but aren’t able to push patches to personal devices used for work.

John E. Stoner, cyber threat intelligence analyst

Hackers have noticed, too, with successful attacks on known vulnerabilities that remain unpatched going strong. “We have seen a lack of patching lead to intrusions, including some at large companies,” Stoner says. The 2020 Security Operations report from Arctic Wolf identifies problems with patching protocols as a key issue, noting that critical vulnerability patch time has increased by 40 days during the pandemic.

Insufficient visibility and controls. Cybersecurity consultant and vCISO Gina Yacone says she is advising her enterprise clients to consider the vulnerabilities that their newly remote workers are introducing. “I’m worried about their personal home network—the router, their Wi-Fi—they don’t really offer enterprise-grade protection unless they’re purchased that way,” she says, adding that home networks generally don’t have encryption and some don’t even have password protections. Such scenarios are particularly problematic if companies aren’t using VPNs or if their workers are handling sensitive data of any kind. “Are workers equipped at home to really protect data as it’s required?” Yacone asks. According to the Arctic Wolf report, the number of devices connecting to open Wi-Fi networks increased by 243% since March, which means that “without proper controls in place, geographically dispersed workforces face increased risks of attacks of unsecured networks.”

Matt Miller, VP global information governance advisory services, Consilio

At the same time, organizations that didn’t have mature data classification, strong asset management processes or mature monitoring programs have had challenges gaining the visibility they need in those areas to ensure they’re adequately secure, says Matt Miller, vice president of global information governance advisory services at Consilio, a provider of risk management and legal consulting services. He cites as an example one client company with 5.5 million Social Security numbers contained across 6,000 spreadsheets that were neither password protected nor encrypted. Miller says such scenarios sent enterprise security teams rushing to develop and implement policies and solutions to gain improved visibility into and control of endpoints, data flow and network traffic.

Lack of agility. Some security teams had trouble scrambling from one challenge to the next over the past few months, Miller says. Granted, they had a daunting list of crises to handle, but the resulting difficulty in quickly tackling tasks nonetheless showed many CISOs that their security departments were less agile than they’d like. Experts tie limits in agility to long-standing issues within the security space, namely the lack of enough people and a lack of automation to free staffers from handling routine, manual chores so they can work on the higher-value projects. Regardless of the reasons, the implications are significant. “The consequence of not being agile, of not being able to shift quickly enough, is that they’re overexposed with the risk level dramatically increased,” Miller says, noting that he saw some organization take months to address security gaps. “It has now come to light that they need to be more nimble to be able to handle situations that are out of the norm.”

Lessons learned

Although the events of 2020 highlighted weak spots within the enterprise security apparatus, security experts say many of the issues were already known problems that CISOs had plans to fix on their long-term roadmaps.

Kory Patrick, risk and security practice leader, TEKsystems

“Many organizations had been counting on a longer timeline to make changes, but COVID accelerated those plans as COVID exposed a lot of organizations’ security issues and directly impacted the availability of the business,” Patrick says.

Now that remediation work is happening.

Patrick and others say they see an increasing number of CISOs moving to, or maturing, their use of zero trust architecture to better ensure security as the last of the corporate network perimeter dissolves and as endpoints proliferate with both the remote workforce but also the growth of connected devices.

CISOs are also strengthening endpoint management programs, and they’re advancing their data classification and controls.

All that should create stronger security across the board—a silver lining, perhaps, to an otherwise dark cloud.

“I see CISOs who weren’t particularly prepared for the particular events of this year,” Miller says, “but who are now saying, ‘Let’s take a look at how to improve our disaster recovery and business continuity plans and future proof against whatever may come down the line next.”