Organisations across the world are finding themselves newly vulnerable to cybercriminals looking to exploit mass uncertainty, but this could be just the push needed to transform cybersecurity.
With a minute’s countdown to a crucial video conference, a remote worker will click on any link that gets them into a meeting on time. Yet that’s the trojan horse criminals are using to breach defences during the coronavirus pandemic. People aren’t the only ones being infected; devices are too, with COVID-19-themed phishing and malware. It’s no wonder cybersecurity is now topping the business-risk agenda.
“This new work-from-home experience makes everyone vulnerable, especially because threats are harder to track over personal home networks,” explains Chris Boyd, lead intelligence analyst at Malwarebytes. The rapid shift to a distributed workforce has been a golden opportunity for cybercriminals, even coining a new phrase – Zoom bombing – where video calls are hacked.
In March alone, the UK’s National Cyber Security Centre removed 2,000 online scams related to the pandemic, including 555 malware and 200 phishing sites. “This is why IT teams are rethinking the levels of oversight they have over network activity, especially as it now takes place across so many more disparate devices and locations,” says Carl Leonard, principal security analyst at Forcepoint.
Digital assets are now sprawled across many soft targets, rather than a handful of centralised harder ones; it means the business risk is greater. “It’s currently open season for criminals. Distracted, afraid, frustrated, confused and isolated from colleagues, it would be impressive if we found a way to make remote workers into easier targets for cyberattacks than they are right now,” says Dr Patrick Scolyer-Gray, associate research fellow in cybersecurity at Melbourne’s Deakin University.
Tracking and tracing digital assets
Faced with this threat, companies are waking up to the risk of remote working. Password-less technologies are now more prevalent, as is multi-factor authentication. One-time password tokens and biometrics are also being implemented.
“User behavioural analytics, which leverages artificial intelligence, can establish a baseline of normal behaviour for individual devices and create a new layer of security,” says Ronan David, vice president of strategy at EfficientIP. “Many companies have also expanded their reliance on the cloud, whether in-house or third party. But as an increasing number of apps and devices connect to the cloud, they become harder to keep track of.”
The pandemic has been the single greatest accelerant for digital transformation and can be accompanied by a security transformation
It helps that businesses are rolling out cyber-resilience plans that highlight digital hygiene to employees. Remote workers are required to stay alert, do some training and take a more proactive approach when it comes to cyber-threats. “The fact is many employees are just not that vigilant around security when at home compared to when at work; it’s an issue,” says Phillip Larbey, managing principal for Europe, Middle East and Africa at Verizon Enterprise Solutions.
But let’s not forget remote working is not a new phenomenon; security experts were prepared, but the sheer scale of those doing it is novel. “Basic security principles haven’t changed. What has is the need for everyone in a business to know how to apply them right now,” says Amanda Finch, chief executive of the Chartered Institute of Information Security.
“This democratisation of security across the whole organisation is likely to become the great change in the coming months and years, as organisations recognise cybersecurity culture has to be embedded in the individual not the environment. There will also be a need to do more with less.”
Recession, risk and regulation
Security budgets are feeling the pinch from COVID-19 as enterprises tighten their belts to get through this period, despite pleas from the Cybersecurity Tech Accord not to compromise on cybersecurity and to see it as an investment, not a cost. But with a recession inevitable, budgets for, say, upgrading to cloud-based services with enhanced security or getting in third parties to mitigate business risk are unlikely to be forthcoming.
“However, you can expect zero-trust network architectures, where employees are only provided with the level of access to data and systems needed to perform their role, to become more prominent over time,” Ollie Whitehouse, global chief technology officer at NCC Group, points out.
The big question is whether data privacy and compliance will be compromised with dwindling budgets and a dispersed workforce, even though the General Data Protection Regulation and fierce fines still loom large. But the regulator, the Information Commissioner’s Office (ICO), is sympathetic.
“We acknowledge our responsibility to take into account these exceptional circumstances. We’ve set out the flexibility the law gives us to be a pragmatic and empathetic regulator. We also confirm our efforts will be focused on the greatest threats,” the ICO says.
As fallout from the pandemic continues, the ICO will no doubt experience a growth in its workload. What’s also likely to come out of this, as the business risk of remote working and access to digital resources continues, is a much more vibrant identity management industry. It will move to centre stage for all operations and security will be firmly on the C-suite agenda.
“Coronavirus is unlikely to be the last of these types of crises, therefore strong user enrolment, identity verification and authentication will be essential to ensure the resilience of any enterprise in the future,” says Mathew Newfield, chief information security officer at Unisys.
Once remote working is truly established as a major part of an employee’s existence, no longer novel or a work in progress, regulators as well as enterprises will have to hold this way of working to account in terms of business risk, cybersecurity and data breaches in exactly the same way it does for office-based work.
“Unfortunately, there’s no privacy and cybersecurity pixie dust that can be sprinkled on organisations to ease their woes,” says Dr Zulfikar Ramzan, chief technology officer at RSA Security. “The good thing is the pandemic has been the single greatest accelerant for digital transformation in recent times. This can also be accompanied by a security transformation.”