In 2020, organisations went from conventional work arrangements to flexible and fundamentally new ways of working to protect people from the threat of COVID-19. This approach may have protected humans from the virus; however, it created additional headaches for cybersecurity teams looking to protect data and networks. It’s important for organisations to learn from the mistakes and successes of lockdown to improve their cybersecurity posture for the future, which is likely to be characterised by further disruption.
There are three key lessons to be learned from lockdown:
Cyberattackers have increased their use of social engineering, phishing, and spear-phishing attacks to take advantage of an environment where people are outside the protection of the corporate firewall and not compelled to comply with security policies. Companies have to strengthen the human firewall and reduce the human element of risk to remain resilient. Creating awareness, backed by specific policies and advice on what to do if employees notice something suspicious, is crucial. This requires increased communication, more focus on security policies, and cybersecurity training and awareness programs.
A common piece of advice is to avoid clicking links in emails. Yet, in the remote working environment, users click on links in emails all the time to join online meetings. This demonstrates that policies need to be updated to account for evolution in the work environment and the threat landscape.
If users are stymied by security measures, they’ll inevitably find a way to work around them, creating security gaps that often go unnoticed by cybersecurity teams. In the past, this led to the rise of shadow IT, where employees adopted cloud-based and mobile solutions that let them work more flexibly but didn’t necessarily include strong security features. Now, those same applications and solutions are essential to keep remote teams working productively. They include mobility solutions, remote access and file sharing solutions, and collaboration suites such as Microsoft Teams.
This places a heavy burden on security teams who have the uneasy task of deciding how and where to compromise policy. On the one hand, they need to keep the organisation safe. On the other, they need to empower users to work efficiently. It’s essential to maintain a delicate balance and implement revised security standards, especially around secure VPN, cloud security, and email and web security.
Everything that transforms digitally must be secure by design. Retrofitting security measures is costly and time-consuming, and doesn’t always address vulnerabilities. Organisations that moved quickly to secure remote working during lockdown were the ones that already had the right security pieces in place, while others were left scrambling. Cloud, in particular, is a key area for review when it comes to security.
Decision-makers often assume they will automatically benefit from the strong security offered by large public cloud providers. However, they must ensure their own apps and data are secure within the cloud. The cloud provider is like the foundation of a house. If the rest of the structure is weak, then it will crumble in a storm, leaving only the foundations standing. CISOs need to look at their cloud applications to ensure they’re resilient against attack, configured using best-practice guidelines, and that access is tied down using multifactor authentication.
With the rapidly accelerated digital transformation across industries, cyberattackers have plenty of opportunities to gain access to organisational data and applications. As organisations conduct business planning, they must build security into everything they do and continue to assess the actions they need to take to ensure a strong cybersecurity posture during business transformation.
Martin Holzworth, Head of Cybersecurity (Asia Pacific), Fujitsu