Cyber-mischief, like Zoombombing -- where uninvited guests drop into Zoom online meetings to harass the attendees -- has garnered plenty of attention during the first month of the pandemic.
While troubling, experts said there are far more challenging cybersecurity issues arising from the worldwide lockdown. Security teams have encountered a range of pandemic-related scenarios that put their organizations at risk, from misconfigurations that expose systems to securing a remote workforce that has vulnerable connections into corporate networks.
"We're kind of walking a tightrope," said Marcus Rogers, professor and executive director of cybersecurity programs at Purdue University.
Experts listed multiple security challenges that have arisen with the rush to enable employees to work from home. Many workers are now using personal devices without corporate-level security controls -- or perhaps no security controls at all -- to access company systems.
There are hundreds of thousands of additional people remotely accessing corporate systems, overwhelming VPN connections. Many of those new virtual employees have not received the same level of security training that workers who routinely work remotely have received.
Authorities have reported a spike in cyberattacks where hackers take advantage of the pandemic and related security weaknesses. That's not surprising, experts said, as most organizations rushed to enable a long-term, large-scale work-from-home environment just to keep their business operational. Securing a remote workforce sometimes took a back seat to availability and business enablement.
"The fact is we're living in one big business continuity scenario right now," said Curt Dalton, managing director and global leader of the security and privacy practice at consulting firm Protiviti. "No one anticipated being in a business continuity scenario for a month or more. [Organizations] didn't plan to sustain a remote workforce for that period of time."
Old cybersecurity risk, amplified
Many of the risks plaguing organizations during this pandemic are not new. Federal authorities and security leaders said they're seeing a rise in phishing and other email-based scams. Hackers are also looking to exploit weak spots in infrastructure and systems.
Such risks have been around for years, but the current circumstances have given bad actors more opportunities.
"You have that background noise that's always been there that just gets multiplied now," Rogers said.
It's not just the increased volume of existing threats that's challenging to enterprise security leaders and their teams. They're also dealing with some new elements, including personal stress. Their team members are working from home, some are being furloughed and their vendors are facing the same circumstances. In some cases, security teams are dealing with overloaded telecommunications systems.
At the same time, many are contending with security standards that were lowered to keep the business operational. Many security teams are overwhelmed as a result.
"Security is a Herculean task even in the best of times; now, we're in chaos," Rogers said.
The security threat only increases the longer organizations continue in the current scenario, according to experts. Security teams now need to plan for the long term.
"When things were changing fast, there was a tendency for people to say, 'Hey, security, get out of the way; we need to get this done.' Now, CISOs have to go back and assess," said Sounil Yu, CISO-in-residence at YL Ventures.
Take charge, take action on security standards
CISOs should revisit security standards that were downgraded to enable business to continue operations, check for reconfiguration errors and look for opportunities to make improvements or upgrades, Yu said.
And CISOs can tighten up controls and reconsider access management -- perhaps even shutting down systems to some or all remote workers unless they're absolutely critical to keeping the business going. Segmenting the IT environment is another option when securing a remote workforce.
"There's a danger in making the home environment the same as the work environment," Yu said. "Knowing they're different, we have to be careful about how we do that and make sure we don't open up risk."
CISOs should start with a risk assessment and then prioritize accordingly, said David Chaddock, senior manager in the Chicago technology practice of management consulting firm West Monroe Partners.
He advised CISOs to first determine whether existing endpoint protection, identity management and connectivity are adequately secure or whether they need to be enhanced. CISOs should also examine their data controls and data loss prevention program to determine whether those, too, need to be upgraded for the current situation.
Incident management and response policies and procedures should be adjusted as necessary to include the new threat landscape emerging from the pandemic, he added. Then, CISOs should prioritize the work that needs to be done, including adding new controls, encryption, multifactor authentication or other security layers based on the level of risk.