Thoughts and practices in cybersecurity have evolved rapidly over the last year, in part due to the wider adoption of remote working, but also because the threat landscape has changed significantly, says Craig Lurey, CTO and co-founder of password manager application Keeper Security.
Among other agencies, the international police organisation Interpol reported a sharp rise in cyberattacks, and noted that vulnerabilities in relation to remote working will see cybercriminals continue to ramp up their activities and develop more advanced and sophisticated means of attack as the pandemic continues.
Covid-19 has required companies across every sector to swiftly embrace new digital tools and processes. These changes have impacted IT and security work across five key different, but interconnected, areas:
1. The office became distributed
The most obvious difference comes from the nature of lockdowns and the requirement for people to work from home wherever possible. In just a few weeks, organisations became distributed, with online collaboration tools and videoconferencing fast becoming the new and only ways for teams to work together.
The longstanding but already outdated idea of a strong network perimeter around a central physical location, protected by IT, within which employees could operate safely was broken down and businesses struggled to maintain their security posture.
What might once have been taken for granted as a sturdy, protected wall – however notionally – was shattered. This state of affairs is likely to continue. Many companies have discovered that the location of employees has not hindered productivity. For some it has enhanced it, and many have already committed to hybrid working for staff for the foreseeable future.
2. Employees needed help to stay secure
The speed with which lockdowns were imposed left many businesses hugely unprepared with regard to cybersecurity. As a result, a mammoth catch-up operation has been forced upon them. According to a survey conducted by the Ponemon Institute, half of businesses had no policies at all regarding cybersecurity when the pandemic hit in early 2020.
Over six months later, in October 2020, the majority (57pc) of businesses were still without any programmes in place to educate employees and mitigate against the risks incurred through remote working.
Cybersecurity had been the responsibility of IT alone in many traditional businesses, using firewalls and centralised tools to guard the perimeter so individuals didn’t have to. Adding new layers to this model has been crucial: extending awareness, zero-trust initiatives, and new tools to protect endpoints.
3. Cybercriminals shifted tactics to identity-based attacks
With sparse teams and workforces underprepared in the face of cybercriminals, the nature of the attacks have changed markedly. Many business systems had little in the way of defending themselves beyond password security. At the same time, employees struggled to understand how best to ensure safe working, while hurriedly trying to get to grips with new systems. Sensing that these conditions created new points of weakness, cybercriminals have doubled-down on identity-based attacks over the last twelve months, notably phishing and credential stuffing.
As a result, UK businesses saw a marked increase in phishing and other social engineering attacks during 2020. Research conducted by Microsoft, for example, found that 73% of CISOs indicated that their business had encountered leaks of sensitive data and data spillage in the last 12 months. Many of these attacks have taken advantage of the fear, uncertainty and doubt surrounding the pandemic, for example fake government and healthcare messages.
4. Budgets have been lean
While the volume of security threats have increased, companies’ ability to respond comprehensively has been lessened as a result of the economic impact of Covid-19. According to a survey by McKinsey, 70pc of security executives believe their budgets will shrink looking ahead, with large projects put on hold.
Budget reductions in cybersecurity have varied by size of company and industry: with smaller companies and those in sectors whose revenue has been hit hardest by lockdowns expected to suffer most. This is not an advised strategy. Deloitte predicts that once the pandemic is declared over, some organisations may cut areas of the business considered ‘non-critical’ and worryingly, cyber operations would be included. Yet this will only further increase the impact of attacks on such businesses.
5. Quick wins rather than big projects
With these tight budgets and continued uncertainty over the future of the workplace, there’s likely to be a continued focus on smaller, pragmatic steps to secure endpoints and networks against threats. Guidance and education play a key part. Smaller technical measures such as an improved VPN, or an advanced password management system that works alongside existing identity management solutions will be a simple yet invaluable help.
At the start of the pandemic, PWC advised organisations to “apply quick-win technical controls” where possible. Measures such as switching on multi-factor authentication (MFA) where it’s available, or limiting access to tools like PowerShell and Microsoft Office macros would apply here. A series of these small-scale, inexpensive or free acts can make an enormous difference. And they continue to remain very relevant over one year on.
The current crisis will pass but the old normal is unlikely to return in full. Fortunately, the security challenges, changes and lessons of the past year will not be wasted. As our society and economy recover, moving to a fully zero-trust approach to security, already desirable in an era of cloud computing, will be the next logical and desirable step.
