Editor’s Question: How should CISOs prepare for long-term COVID-19 cybersecurity impacts?

Editor’s Question: How should CISOs prepare for long-term COVID-19 cybersecurity impacts?

In the midst of COVID-19, we’re seeing a pandemic of cyberattacks, says Adrian Taylor, EMEA VP, A10 Networks. “With 2020 dominated by the start of the COVID-19 pandemic, there was a sharp rise in cybercriminal activity,” said Taylor. “From simple phishing attacks to one of the largest DDoS attacks ever recorded, we saw the cyberthreat landscape evolve. We also saw a rapid growth in the tech and cybersecurity industry.

“The challenges arising from these cybersecurity developments – including COVID-19 – will continue to have long-term implications in 2021 and beyond.”

One of these implications is that cybercrimes will experience a surge. “2020 was a busy year for both attackers and hackers, as well as cybersecurity personnel defending against the plethora of attacks to which they were subjected,” said Taylor.

“In 2021, such attacks will not just be more frequent, but they will also be very specific regarding who they target. International cyberespionage will be one of the main motivators for cyberattacks; we will see security vendors being attacked and compromised at an even greater pace. Even the attacks that happened in 2020, like the FireEye or Sunburst attack that targeted the SolarWinds supply chain, will have long-lasting effects. Investigators suspect, for example, that up to 250 organisations may have been compromised in the SolarWinds attack.”

It is expected that such attacks will not only create opportunities for newer attacks, or variants/branches of the existing ones, but will also drive cybersecurity innovation.

“2020 has taught us that vigilance in cybersecurity cannot be taken for granted,” Taylor continued. “We are facing new, persistent threats of all shapes and sizes and we have to make sure that, going forward, we face these threats with the best of our collective abilities. 2021 will be the year of cybercriminal activities, but it will also drive innovations in cybersecurity like never before.”

Therefore, the only way to manage such attacks is to prepare and adapt accordingly.

Mark Belgrove, Head of Cyber Consultancy, Exponential-e: “From securing remote devices, to the need for multi-factor authentication, the pandemic has brought the value of cybersecurity to life. Countless cyberthreats have emerged and grown as criminals have sought to take advantage of the chaos that ensued. Many won’t dissipate once the world returns to normal and CISOs should expect a number of long-term impacts on security, especially given trends like remote working are here to stay.

“Let’s take remote working as our first example. It brings an abundance of remote devices, all of which need to be patched and secured appropriately to avoid potential threats from hackers. This is challenging for those who aren’t connected to network infrastructure, but isn’t the only security consideration organisations have to take into account. Malware prevention and management is also essential to being cybersecure, especially as phishing attacks have spiked in the context of the virus.

“But let’s return to network infrastructure for a moment. Employees need this connection to access company servers and stay up to date with the latest security policies. Most organisations use VPNs to connect employees with their infrastructure, so CISOs must ensure these connections are secure and that controls are also implemented for cloud-based applications which don’t require VPN-based access to corporate resources. 

“This mass migration of infrastructure to the cloud (such as through Office 365) that many organisations have embarked on creates another challenge. That’s because many have failed to implement multi-factor authentication – a vital, additional security layer that helps distance bad actors from infrastructure. We have seen several cyber incidents resulting from the use of weak passwords on SaaS solutions due to this exact oversight.

“CISOs should invest their time and IT budget into new security technologies that are designed to help overcome these issues, which are likely to pervade after the pandemic. Many not only protect systems, but also reduce the risk of unnecessary security side-effects, such as the possibility of latency on devices. SD-WAN, for example, has end-to-end encryption built in to ensure data security both in-flight and in the cloud, and accelerates access to business applications by connecting to multiple cloud estates with ultra-low latency.

“Secure Access Service Edge (SASE), which has piqued the interest of cybersecurity experts, as well as Gartner, is another solution to common security problems. Various solutions on the market claim to be SASE, but many only address one of its key areas, such as network, account management or data, rather than providing a holistic solution. CISOs should therefore be mindful of only investing in SASE technologies that address all the core areas outlined by Gartner and that all appropriate security controls are implemented, as only then can they be sure their organisation’s systems are truly secure.

“CISOs must look ahead and proactively map their organisation’s vulnerabilities, security goals and budget to accurately prepare for these long-term cybersecurity impacts. Doing so will be key to navigating future crises, whether it’s a global pandemic, or something closer to home.”

Tim Mackey, Principal Security Strategist at the Synopsys CyRC (Cybersecurity Research Centre): “Business leaders should be prepared for a post-COVID world where a portion of their staff will prefer to work remotely and will use their COVID experiences as evidence of effective work models. This means that a hybrid data security model is going to be required moving forward.

“With any hybrid model comes risks that data leakage occurs, not through explicit intent, but through gaps in protections. Exploiting weaknesses in processes is precisely the playbook of a cyber-attacker. Countering this playbook requires an understanding of where the distributed attack surface exists and from there, creating a threat model focused on data access and not simply application or network boundaries.

“Focusing on data access helps evaluate the real impact to the business of any remote worker soft target or opportunistic attack. For example, if a remote worker normally has the ability to access any customer record, does that then mean they have the ability to access all attributes of a customer record or all records? Does that access also allow for them to potentially modify fields within the record? While their normal daily job responsibilities might not involve wholesale access or data modification, any approach that relies upon the good behaviour of an employee is part of the potential attack surface. If there isn’t a ready way to distinguish between normal access patterns for an employee versus those of an attacker, detecting the early stages of an attack is made that much harder.

“Tying things back to a hybrid data security model, any behavioural monitoring needs to incorporate an understanding of where the employee is located in order to ensure any access attempts are legitimate. After all, if an attacker attempts to use compromised credentials from within the network perimeter while the employee is remote, that’s just as problematic as any unexpected access attempt from a remote location.”

Haider Pasha, Chief Security Officer at Palo Alto Networks, Middle East and Africa (MEA): “The COVID-19 pandemic has created new opportunities for bad actors, and it has become important for CISOs to draw upon their business skills to reinforce a strategic view of risk reduction in conversations in the boardroom and the corner office. CISOs are now in a stronger position to offer their guidance about how cybersecurity drives and aligns with business goals, so they have to think and act more as business visionaries than as purveyors of technical advice. The four main ideas I suggest considering for your cybersecurity strategy are:

  1. Rebalance your priorities. CISOs need to commit to a rebalancing of priorities based on the new realities of work and cyber-risk. Automation, in particular, must be a major priority for CISOs for two reasons: the lack of sufficient manpower resources; and the increasing innovation displayed by cyber-attackers.
  • Review your organisation’s risk model. As organisations transition from a new work model based on a dramatic acceleration of the shift away from headquarters-based work, the risk model must change accordingly. We have all written about, talked about and experienced what happens with remote work operations, in terms of infrastructure resilience and risk related to home networks, shared devices and personal cloud services. Your employees will continue to be targeted and they too must be educated about risk.
  • Rethink your relationship with the board of directors. Not long ago, many CISOs were thrilled just to be invited to a board meeting speak. Now, we expect to be an integral part of meetings and board communications. But the CISO’s relationship with the board must shift from ‘informing the board’ to ‘educating the board’ and eventually ‘leading the board’ on risk assessment and mitigation.
  • Reset your technology mind frame. As you reassess risk in the context of business strategy, undoubtedly you will need to modernise and even transform your cybersecurity technology approach. One thing to consider is jettisoning the traditional best-of-breed approach in favour of a more integrated, platform-based approach to cybersecurity defences. Cyber-risk and the technologies needed to address that risk is becoming more complicated and diverse than ever. Managing dozens or even hundreds of cybersecurity tools across the enterprise — and the escalating number of technology suppliers associated with it — is no longer efficient. You’ll need more cybersecurity functionality in the post-COVID era, but that doesn’t necessarily mean you need to buy more products from more vendors. Instead, focus on integrated functionality at a platform level from a smaller number of strategic, proven and innovative partners.

“Technology will certainly become more important in identifying, preventing and remediating cybersecurity threats, both during the pandemic and beyond. CISOs and CIOs will need to work closely now more than ever to ensure that their business evolves but with the right level of risk exposure.”

Josh Neame, Technology Director at BlueFort Security: “COVID-19 changed everything. CISOs are now faced with addressing the impact of a rapid deployment of tools, technologies and processes that enabled their organisations to maintain Business Continuity through the pandemic. Many of these changes now pose some major data security issues – which are further compounded by the impending shift to a permanent hybrid working model and a constantly changing corporate IT environment. When addressing the long-term impact of these changes, CISOs should keep in mind two key gaps now present in most security organisations:

Gap 1: Collaboration sprawl

“Collaboration tools acted as a lifeline for many organisations new to remote working and are clearly now a cornerstone in IT infrastructure. During the pandemic, employees spent months rolling out collaboration tools like Microsoft Teams, Slack, Zoom and OneDrive in a hurry to remain operational and productive. However, as a recent report from Aternity showed, this resulted in a significant increase in collaboration application sprawl, with employees adopting numerous collaboration tools for internal, external and ad hoc communications. This extends the organisation’s threat surface and has the potential to impact data governance. CISOs are now faced with not only with gaining visibility into these new applications, but effectively monitoring, managing and securing these platforms.

“Closing this security gap will require a renewed focus on training and employee engagement, particularly around data governance. Now that sensitive information is moving off premises and into new collaboration platforms, CISOs must ensure employees are using and securing data properly.  Beyond that, conducting a full cyber-risk audit is virtually the only way to fully understand the impact of this new landscape. 

Gap 2: Fit for purpose pen testing

“With employees now working far beyond the four walls of the protected corporate environment, CISOs should be rethinking traditional approaches to penetration testing. In the past, millions of pounds have been spent trying to keep networks protected, often without an understanding of where the exploitable vulnerabilities are in the threat surface – until, of course, after a breach. With employees working from many different locations and devices, manual point in time pen testing will no longer be sufficient.

“CISOs now have to keep up with corporate networks that are constantly changing. New configurations, tools, users and locations all present new risks. While a manual pen test or annual risk audit may identify security gaps on any given day or week, the likelihood is that in the days afterwards, new risks will emerge. Change is now the new constant, so testing must also be continuous. CISOs will need a consistent view of potential issues on a continuous basis to secure the ever-changing hybrid corporate network. This means harnessing the power of automation software to identify gaps in the security environment at scale and at speed.”

Browse our latest issue

Intelligent CIO Africa

View Magazine Archive