The year 2020 will undoubtedly be remembered as the year that turned much conventional wisdom on its head, and caused us to rethink many fundamental elements of the way we work and live.
As countries and regions move in and out of lockdowns, it’s clear that the disruption is far from over. And instead of looking back at what happened, I’m picking up on how we can apply those lessons from lockdown to provide some helpful observations on the future world of cybersecurity.
You could say that the pandemic was, and remains, the perfect storm for cybersecurity professionals. It threatens and questions the very fundamentals of many security strategies. Without enabling people to work remotely, many businesses would need to close their doors. The first days of lockdown were an uncomfortable time for cybersecurity teams, suddenly under pressure to grant system access from devices and locations that had never previously been allowed. Now that we have had some time for the changes to settle, some of this will be easier, but it’s still important to bear three main factors in mind.
The importance of the human firewall
My first observation is that the human firewall is just as important as the technical one. Overnight, strengthening the human firewall became an issue of paramount importance for organizations needing to remain resilient in the face of cyber threats. The emphasis here has been on creating additional awareness, backed by specific policies on what is acceptable and what an employee should do if they spot something suspicious. This inevitably means more training and awareness updates to drive the message home.
The human element is going to remain hugely important for the foreseeable future. A few months ago, very few companies had considered providing security awareness training from the perspective of working from home – or even of using a home PC to access the corporate network. The statistics make it more daunting still: 90% of the data breaches reported to the UK’s Information Commissioner’s Office during 2019 were caused by human error. That is a pre-lockdown statistic, but it shows the scale of the problem even while users were still inside the corporate network, working from an office environment where they would have had to comply with security policies.
In the transient conditions under which many companies are operating today, it’s essential to be aware that cyber attackers often try to leverage ambiguity and confusion, which is why we saw so many COVID-related phishing attacks over the last few months. These attacks exploit the ambiguity of the current situation and users’ lack of security awareness to gain easy access to corporate systems.
The consequences of putting security ahead of usability
Another key lesson is that users will inevitably bypass any security that gets in the way of usability, whether out of necessity or for convenience.
After the dust settled on remote working and staff got into a new rhythm, it became increasingly clear that new tools are needed to enable people to perform their jobs. These range from file sharing to collaboration.
Of course, many of these now-essential tools are shadow IT, blocked by IT security policies. Users often choose work-around technologies because they are easier to use than the corporate tools. In some cases, this has exposed organizations to risks they did not previously know about.
This places a heavy burden on security teams, who have the uneasy task of deciding how and where to compromise: taking the steps needed to let users keep calm and carry on, while also maintaining security standards. Maintaining that delicate balance is essential to ensure that users don’t simply disable their VPN and start using unauthorized technologies “because they work”.
It is not just people who are the problem: as firms shift to online access for customers (such as online shopping or click-and-collect), the usability of these new digital channels has become a new battleground. Firms that offer seamless access to services and offerings have done well, and have shone a light on those with inflexible user experiences.
It’s essential to take a future-facing outlook
Today, nobody knows what’s next and how we will do business over the next few years, but the third lesson from lockdown is that everything that transforms digitally must be secure-by-design.
Retrofitting security measures to a technology stack and its processes is costly and time-consuming. Organizations that moved quickly to secure remote working were the ones that already had the right security pieces in place. Others were left to scramble for VPN licenses in a panic.
Similarly, the increase in the use of public cloud services is unlikely to revert to pre-pandemic levels. It’s important to remember that while most cloud services are inherently secure, they may have been deployed quickly, without much thought about how corporate security policies would apply to them. Consequently, organizations may have introduced new risks as they embraced a new agility.
Microsoft CEO Satya Nadella famously remarked that we’ve seen two years of digital transformation in two months. But we have also created new vulnerabilities and possibilities for cyber attackers to exploit. As they plan their future security posture, organizations must evaluate their position today and have a solid understanding of the actions still needed to enable secure transformation.