It’s been four months since COVID-19 was declared a global pandemic by the World Health Organization (WHO). In that time, enterprises and organizations of all sizes have worked overtime to revamp their IT infrastructures to accommodate what is rapidly turning into an almost certainly permanent work-from-home environment for employees.
Now that companies’ tech stacks and infrastructure have been updated, and the proverbial bleeding has stopped, what comes next?
Now that the initial scramble to get employees up and running from home—including investments in cloud service, video conferencing platforms and collaboration tools—is over, it’s time to rethink security policies when it comes to the risks that organizations are willing to take. This also includes how staff is trained to handle emerging cyber-threats related to COVID-19.
For observers such as Steve Durbin, the managing director of the non-profit Information Security Forum, it’s all about organizations’ data, who can access it, and how it must be protected and secured going forward. These are the types of conversations that CSOs and CISOs are having about the risks their organizations face in a permanent work-from-home world and how cybersecurity policies need updating to reflect that.
“What has happened in the current situation is that we know we can access stuff in the cloud, but a real concern for security people is around the way in which that data is then being accessed, and how do I secure that effectively,” Durbin told Dice. “We’ve now got all of these people working from [remote] locations, and frankly, we can’t necessarily always assure ourselves of the security from those locations.”
What makes planning new security strategies in a world trying to recover from a pandemic difficult is that most organizations typically focus on one-off disasters—a single, localized incident. “When I talk to organizations about their disaster planning and business continuity, it’s never based on the fact that there’s a global pandemic and, effectively, a global shutdown. It’s always based around the fact that there are isolated outages,” Durbin said. “So you might not be able to operate in Wall Street, but don’t worry, because we’ve got a back-up facility over the river in New Jersey, or we have an operation down in Florida.”
Now, those rules have changed and it’s time to rethink security plans, deployment of data in the cloud, and what risks organizations can justifiably feel prepared to handle.
New Threats Emerging
Recently, ISF published its Threat Horizon 2020 report that looks at how the security landscape and emerging threats to organizations will change over the next several years. The study was compiled before COVID-19 became a pandemic, but Durbin believes that its lessons still hold true for those planning what the world will look like six months down the road (even if it’s not what was expected as the year started).
“For me, what COVID-19 has done is reinforce the fact that we need to be a little bit more rigorous, perhaps, in some of the definitions of our risk appetite and some of the validation of emerging threats,” Durbin says.
Those risks can range from the proper deployment and use of VPNs to allow remote access, to how to create new security policies for employees who need Zoom for video conferencing, to ensuring that supply chains are kept secure during uncertain times.
And many cybersecurity professionals and CISOs are asking for their companies to do more to ensure the best security policies are in place—and to support these changes. In April, the International Information System Security Certification Consortium (also known as (ISC)2) released a survey of 256 security professionals and found that about 80 percent of respondents indicate that their organizations view security as an essential function.
An even larger number (about 90 percent) report that their organizations are using best practices in securing their remote workforce. The survey does note, however, that about half of respondents believe their companies could do more to lock down remote workers’ processes and tech stacks.
The (ISC)2 study found that, while many new policies were rushed into place and have held so far, it’s now the job of CISOs and their staff to ensure that issues such as VPNs, collaboration tools and cloud service remain secure for as long as work-from-home exists.
As the study noted: “Another respondent says companies are rushing to implement VPN, remote access and collaboration tools without due diligence or taking security into account. Yet another said: ‘IT wants to relax security controls without due process and analysis, and the times we are in are exactly the WORST time to do that.’”