Sapsiwai - Fotolia
Cybercriminals love disasters --- which provide them with business opportunities to prey on concerned citizens surfing the internet for information. COVID-19 is no exception. According to the Federal Bureau of Investigation's Internet Crime Complaint Center, cyberattacks have roughly quadrupled since the COVID-19 pandemic began. The sudden, unanticipated shift to remote working has increased the number of possible failure points in a security system and created a large distracted workforce that is vulnerable to socially engineered cyberattacks.
Other work-from-home habits -- like password reuse and letting family members access corporate devices -- are putting critical business systems and sensitive data at risk. A recent survey by CyberArk says that 77% of remote employees use unmanaged, insecure BYOD devices to access corporate systems, while 37% save passwords in browsers on their corporate devices.
Adjusting to the new normal
The massive overnight remote working shift put enterprises at the mercy of employee cyber hygiene. A study by cybersecurity firm Promon found that two in three workers haven't received any form of cybersecurity training in the past 12 months. Enterprises need to address the weakest link in the chain -- the remote employee.
Businesses must establish a culture of robust cyber hygiene, by providing necessary resources to the workforce and managing access and monitoring activity on critical assets. This is critical since current remote access systems were never built to carry such a level of secure data. In the rush to onboard new applications and services that enable remote work, combined with insecure connections and dangerous security practices of employees, the attack surface has significantly widened. The perimeter is now the device at home.
Changing face of risk management
Several new cyber-risks have come into play due to remote working. Employees with access to sensitive information or access to USB with local administrator privileges which could be misused for data leakage is the most common threat. Employees making use of their home workspace without adequate physical segregation or with insecure personal endpoints used to connect to the organization network add vulnerabilities. Other dangers organizations need to consider include negligible security in home networks along with weak connectivity models to organization networks.
In this new reality, securing the network that includes a worker's home needs to be a shared responsibility -- part of a more holistic approach to security. Cybersecurity can no longer be restricted to being just part of the IT function; it must be part of a strategic approach driven from the top. While the IT department cannot be responsible for the home Wi-Fi of the user, it will be responsible for the security of the device (laptop or mobile), the user (identity) and secure access to data and applications (VPN, Zero Trust Network Access).
Learnings from the initial phases of remote work should shape future cybersecurity strategies, prompting another look at the security of processes and architectures. Cybersecurity leaders should prioritize, adopt and accelerate the execution of critical projects like zero trust, software-defined security, secure access service edge and identity and access management as well as automation to improve the security of remote users, devices and data. This paradigm shift will necessarily occur under tightening budgets and scarce resources, changing risk management and driving innovation in the field.
Organizations ought to focus on a multipronged approach such as, but not limited to:
- Embedding frictionless security with improved cybersecurity controls, while not compromising on user experience and business agility;
- Maintaining zero tolerance toward poor IT hygiene with close tracking and monitoring aimed toward achieving continuous improvements;
- Cyber resilience to be ingrained into the business, to address any eventuality which could pose a risk to the business; and
- Imbibing a security culture across the organization.
Building and sustaining a cybersecurity culture
With remote working being the new normal, organizations must relook at their on-premises and remote work models post-COVID 19. To achieve and sustain a level of cybersecurity culture, organizations may take up several initiatives such as regular dissemination of mailers to employees including those from senior leadership on cybersecurity awareness supplemented by periodic and mandatory security awareness courses. Holding talks and sharing cybersecurity blogs authored by leaders in the organizations, establishing secure coding practices for the software developer community and running internal phishing campaigns are some other practices that organizations can follow.
Humans are the weakest link in an organization's cybersecurity fabric because despite millions spent on cybersecurity posture enhancement, if an employee is compromised due to social engineering or phishing, the environment stands to be exploited by malicious users with a risk of the business losing its reputation and possible statutory penalties. Security culture management within an organization hence becomes imperative to bolster cyberdefenses.
Taking the long-term view for amplifying cybersecurity
Cybersecurity technologies and approaches are just one aspect of this highly complex revolution. Many leaders are taking a long-term view and asking themselves what's next for remote work within their organization. Hybrid models are bound to arise that split employees' time between home, office, on-site locations or even an extreme work-from-anywhere option -- all of which have different cybersecurity risk profiles. Taking the lead from tech companies, more and more offices may be used for hot desking and not permanent workstations. Other technology-driven innovations like hoteling, identity aware network and virtual offshore development centers will also find their place in the workplace of the future.
The biggest cyber-risk will be data security risk. Access restriction, data access expirations, multistep (and multiperson) approval processes for any information sharing and limiting access to sensitive information to certain working hours must become de rigueur. Ultimately, cybersecurity is about culture, behavior and awareness. Developing programs to build a cyber- and data-secure culture must be on the priority list.
Over the next few years, complexity will intensify further, owing to the explosion in connected devices. The evolving IoT landscape will surpass the traditional network in use today, further exacerbating privacy and cybersecurity challenges. As work and our relationship to it continue to be redefined, humans will remain central to the evolving triad of cyber threats, technology and disruption.
About the author:
Vishal Salvi is senior vice president, chief information security officer and head of the Cyber Security Practice at Infosys. He is responsible for the overall information and cybersecurity strategy and its implementation across Infosys Group. He is additionally responsible for cybersecurity business delivery, driving security strategy, delivery, business and operations enabling enterprises security and improving their overall posture. Salvi has over 25 years of industry experience in cybersecurity and IT across different Industries. Prior to joining Infosys, he performed various leadership roles in cybersecurity and information technology at PwC, HDFC Bank, Standard Chartered Bank and Global Trust Bank.