Hadi Jaafarawi, Managing Director – Middle East, Qualys, discusses the ‘new normal’ and how to manage vulnerabilities that this new way of working may present.
A hundred years from now, historians will lack sufficient hyperbole to describe 2020. Even now, we are still trying to grasp the enormity of what’s happened. The worst public-health crisis in a century, followed by an economic downturn on a par with any in living memory. To survive, we accelerated our cloud migrations, both for our health and our Business Continuity.
And so here we are in a working paradigm that was supposed to be many years away. Employees authenticate themselves to corporate networks using devices that may be compromised, through third-party networks of unknown pedigree. Consumers demand better experiences online, leading to rushed development cycles and inevitable vulnerabilities in each release. And businesses, governments and digital service providers tackle these shifts in piecemeal fashion. Legacy, multivendor cybersecurity solutions remain, making it difficult to form a clear picture of multidimensional ecosystems and the risks they face.
Risk. Every competent business stakeholder starts with risk. The Middle East saw a sizeable escalation in incidents on the back of remote working. The UAE alone witnessed a 250% increase in attacks in 2020, according to Mohamed al-Kuwaiti, Head of Cybersecurity for the Government of the UAE, who cited the movement ‘into a full online life’ as an explanation for the surge. It is hardly surprising that bad actors would leverage human misery to make things worse. They will have noticed that the dividing line between consumers and employees has evaporated because those consumers are using vulnerable endpoints to join corporate environments in the new normal.
Feeling vulnerable?
To cope with the heightened complexity of hybrid, multi-network environments, a good start is to address the issue of an expanded attack surface. Vulnerabilities may be widespread, but they can be managed by taking a two-pronged approach. First, compile a comprehensive, no-device-left-behind asset inventory. Trying to formulate a risk strategy without profiling all the endpoints in the environment is impractical. Once you are aware of each device and its software mix, you can start to get a clear view of just how vulnerable your digital estate is.
Next, it is important to formalise the workflow of vulnerability management. To address every vulnerability in the new hybrid environment would be costly and unwieldy in terms of budget and man-hours, so triaging potential issues should be a top priority.
Some vulnerabilities are easy to exploit but may not yield great value for attackers. Others may be difficult to crack but may promise lucrative paydays. Some may be old and have readily available fixes; others may be known but unpatched. In the general case, attackers are not just looking for low-hanging fruit; they are looking for low-hanging, juicy fruit. Your vulnerability management approach needs to reflect this, keeping in mind your new, cross-network asset inventory.
Cloud control
But addressing vulnerabilities is just the first step. You live in the cloud now, at least partially. Choosing the right provider will be essential. This must be a trusted partner, capable of protecting you while you concentrate on the business of business. They should not only provide you with the basics of cybersecurity, including all the tools necessary to build your vulnerability-management strategy; they should also be proactive on regulatory compliance, automation and governance tools.
Outside of what they provide to customers in the short term, providers must also look to the future. They, more than anyone else, should be aware of how life and work models are changing. Over the past year, they will have seen thousands of individuals and organisations retreat to digital spaces to work, shop and socialise. They will also be aware that conventional wisdom predicts that these habits will linger to a large extent after we receive the much-anticipated all-clear from global health experts.
Providing long-term security for digital natives and millions of freshly minted ‘digital expats’ will require unprecedented levels of intra-industry collaboration. We must start building open cloud platforms that interoperate with others and have security built into every layer. Managed Security Service Providers are our future if we are to live all the facets of our lives in the digi-sphere. An open cloud is perhaps the most important step we can take in ensuring those lives are unmolested.
Last year was about learning lessons, but those historians 100 years from now — what will they see? What lessons stuck? Did we finally wake up to the importance of building large digital ecosystems with unassailable walls? Or did we rush too enthusiastically into building capabilities, without taking a shrewd glance over our shoulder to find out who might be waiting to take advantage of changes in our digital environments? If last year taught us anything, it was the lesson of adaptability. Being ready for change is important, but we must be safe while we transition to the new normal. For how can we bring lasting prosperity otherwise?