Cybersecurity in the post-COVID landscape
COVID-19 has brought not only economic turmoil, but a massive increase in cybersecurity dangers. Since February this year, the number of cyber-attacks has skyrocketed, with the average attack costing an organization US$350,000 to US$400,000. Unsurprisingly, statistics from the World Economic Forum indicate that cyber-attacks and data fraud are the third biggest COVID-related business concern, ranked after global recession and a surge in corporate bankruptcies.
One major vulnerability is remote work. Studies have linked the rise in cyber crime directly to remote work, largely because of the rushed and incomplete nature of the transition. Even after companies have successfully implemented remote work and employees have settled in, cybersecurity remains unresolved. In one pulse survey conducted by cybersecurity professionals' association (ISC)², respondents highlighted the hasty adoption of non-secure technology and the failure of vendors to build security into products as contributing factors, along with employees' general unfamiliarity with cybersecurity and their natural anxiety about the situation leading them to behave in a less-than-safe manner.
Then there is the sheer amount of personal data of all kinds now being collected by governments and individual organizations. Matt Bennett, Senior Director at endpoint security firm VMWare Carbon Black, cautioned that attackers today are targeting applications or websites used for contact tracing, which could potentially yield enormous amounts of highly valuable data. "The chaos and disruption of the entire pandemic situation is a perfect environment for attackers," he said. "I don't think we will ever go back to the kind of 'normal' that we were at back in January."
With COVID-19 having led to multiple weaknesses in the cybersecurity framework, it's clear that companies need to look into ways of improving cybersecurity in both the short and long term. Here are some possible measures.
Keep your cybersecurity people on their original duties, and let them come into the office
The vast majority of companies acknowledge that cybersecurity is an essential function, especially during this period, and research by professional bodies such as global IT governance association ISACA has found that fully staffed cybersecurity teams are more confident in their ability to respond to threats.
Yet industry surveys over the last few months have surfaced a problematic trend of companies cutting back their security budgets to save costs, and redeploying their cybersecurity professionals to other duties related to supporting remote working. Furthermore, many of these professionals do not have the tools to carry out their work remotely—one ISACA survey found that 41 percent of cybersecurity teams are not equipped to perform their jobs effectively from home.
Instead of repurposing the cybersecurity teams, let them do the work they are specialized for, and find ways for them to come into the office.
Educate users on the need to take personal responsibility for cybersecurity
User behavior has long been the greatest weak point in any organization's cybersecurity defenses. Now, COVID-19 has turned the average employee into a heightened potential security risk, one that they may not even be aware of. According to one study by security firm Barracuda Networks, 51 percent of decision makers believe that their workforce does not have a proper understanding of the cybersecurity risks associated with remote working.
By various estimates, as many as half of employees worldwide are now accessing company systems and data through their own personal, unsecured devices. Fleming Shi, the Chief Technology Officer of Barracuda Networks, highlighted this as one major security challenge. "Opportunistic hackers are on the lookout to target vulnerable organisations, which may have weak security infrastructure in place during this difficult time," he warned. "The risk when cybersecurity is de-prioritised or neglected by businesses is that hackers can target untrained, susceptible remote workers with increasingly sophisticated and incredibly realistic-looking email phishing attacks."
Furthermore, hackers are now playing on people's concerns about the situation, and on their natural need for information and interaction, to drive cyber attacks.
There is an urgent need to step up educating employees about cybersecurity, social engineering methods used by hackers, and what employees as end users can do to protect themselves as they work from home.
Take a more open approach to hiring for cybersecurity positions
The global talent shortage in cybersecurity is eye-popping. Research by Cybersecurity Ventures indicates that by 2021, up to 3.5 million cybersecurity positions will be unfilled globally, and the number will only keep growing. Industry surveys indicate that between half and two-thirds of organizations have understaffed cybersecurity teams, and that the average open position takes six months to fill. The longer an organization takes to fill a position, the more attacks it suffers in any given year. It's becoming clear that companies need to radically advance the way they hire and retain cybersecurity talent.
Kurt John, the Chief Cybersecurity Officer of Siemens USA, said: "We can ill afford to arbitrarily limit access to talent due to historically pre-conceived notions of what constitutes a good candidate—like having a four-year degree on the resume."
Pointing out that the current speed of technological change makes it impossible for graduates today to have learned everything about the field, he encouraged companies to embrace all forms of diversity and inclusion when hiring for their cybersecurity teams.
Extend cybersecurity policies beyond the organization
Research by Accenture has found that 40 percent of security breaches are indirect, with attackers targeting weak links in the supply chain or elsewhere in the business ecosystem. In some cases that made headlines in the past, data breaches have been the result of vendors carelessly handling databases, or of unsecured third-party equipment that had been connected to the organization's systems.
Some ways for companies to ensure that their business partners have good cybersecurity practices include: auditing contractors, vendors, and other service providers for sound security controls and procedures; extending cybersecurity education and coverage to those business partners; and limiting each vendor's access to sensitive data and systems to whatever extent is reasonable.
Focus on the cybersecurity basics, from the beginning
"We should protect ourselves from cyber-viruses just as we protect ourselves from the coronavirus," said Matt Bennett from VMWare Carbon Black. "Patching your systems should be as fundamental as washing your hands. If you don't start there, you're far behind the game."
In other words, IT personnel need to emphasize cybersecurity needs at the operational level every bit as much as HR personnel now emphasize health and safety precautions. And it goes further back, to the way security is viewed today. Companies need to consider the security of their digital setup as a whole, said Bennett. Currently, however, many companies only recognize the need for cybersecurity when they encounter an attack, a threat, or a disruption to their business, and then they look for a security product just to address that one problem, essentially plastering over the breaches as they become visible.
"We need to move towards the idea that security should be embedded in the solution itself. It shouldn't be after the fact," Bennett said. "From a security point of view, we are moving towards a model where we have to pull together thousands of data points along the value chain to derive the right kind of detection and response framework. Whether we are looking at it from an application point of view, a networking point of view, or virtualized estate—whether it is a multiple cloud, a private cloud, or a hybrid cloud—any given company will have all those things, and so you want that seamless approach that can cover all of them at the same time."
It's uncertain whether companies already battered by COVID-19 and dealing with multiple urgent priorities will be able to get their defenses up before they fall prey to a cyber attack. But the pandemic has accelerated the speed and effectiveness of both technology adoption and cyber crime, and organizations will have no choice but to make sure that their own security can keep up.