This is part 3 of the series, which features favorite comments from top cybersecurity experts on their views and recommendations for security success in this post-COVID world. Read part 1 here. Read part 2 here.
Jonathan Ehret, Vice President, Strategy + Risk at RiskRecon, A Mastercard Company:
“In the same way that companies have to assess the security controls of their own environments in their new normal, companies also need to re-assess the security controls in place at their third parties. Perhaps work from home wasn't allowed by your vendor previously but now is required. If proper security controls weren't put in place, your company data may now be residing on endpoints outside of the control of that organization.”
Jeff Styles, VP of Global Field Engineering, FireMon:
“Now more than ever, we are facing the reality that COVID-19 is driving the need for immediate digital-first transformation and this initiative is outpacing security personnel’s ability to keep up with increasingly complex networks. Security issues caused by an acceleration of cloud adoption, shrinking budgets, skilled workforce shortages and cyber-attack spikes are heightened with the fact that most enterprises still rely on outdated manual processes to secure their networks. However, if businesses figure out how to weather the storm now and learn to implement automated tools to support overworked security teams, they can emerge not only intact but stronger when the clouds finally part and normal returns.”
“Let’s take a closer look at the rise and risk of security misconfigurations. Gartner research found through 2023, 99 percent of all firewall and cloud breaches will be caused by misconfigurations, not flaws. Lack of automation and reliance on humans is complicating the problem by increasing misconfigurations for cyber-criminals to exploit, and misconfigurations and data breaches will only spike with a dispersed and reduced security workforce because of COVID-19. Automated security tools eliminate guesswork and manual input during the change process to reduce misconfigurations, while reducing operational and security costs. This allows security teams to work on complicated security tasks, not routine changes to stem the tide of data breaches. While the COVID-19 battle continues to rage, forward-thinking security teams already have their eyes on a more agile, flexible future with automation.”
Matt Keil, Director of Marketing, Cequence Security:
“The question is: once we’re finally coming out of this crisis and all businesses are open, what will have changed and how do you adapt security approaches and change quickly to secure the new normal? While recognizing the scale of this global tragedy, it’s also good to observe that many companies who were formerly reluctant to allow employees to work from home are now finding that their overall productivity from office workers is roughly the same - the world didn’t stop. But the threat landscape and opportunities have definitely shifted.
We’ll continue to see a dramatic increase in online activities, and unfortunately that will include malicious actors who are striving to mimic employees and customers. These threat actors are now aided by the fact that the behaviors of a lot of remote workers closely resemble those of bad actors. Remote logins from multiple locations, login “misfires” and typos, and multiple logins per known users are all hallmarks of certain cyber-attacks... and now are also the common characteristics of WFH employees. This will make separating malicious traffic from legitimate traffic more difficult and far more important.
In short, the substantial uptick in WFH employees gives threat actors new air cover – unless organizations become more savvy in their threat detection and mitigation.”
Murali Palanisamy, CSO, appviewX:
“The global battle against the COVID-19 pandemic has resulted in remote working being firmly cemented as an acceptable practice in corporate settings. Cybersecurity professionals continue to prime network architecture to adapt to this new paradigm, but it's also important to look toward the future. The post-COVID workspace will most certainly be defined by more professionals working remotely -- and ensuring that their organization's IT is secure enough to permit this should be a CISO/CSO's #1 priority for the remainder of the year.
To that end, there are a handful of considerations that the executive security team has to give some thought to. Authentication of organizational endpoints and encryption of data in transit are now more important than ever, given that opening corporate networks to external access will become necessary in the future. Ensuring that flows of information into and out of the organization are protected against theft or illegal surveillance is a simple, yet powerful security strategy. By enforcing stringent policy, establishing full visibility, and introducing automation into network-wide certificate and private key lifecycles, organizations can ensure that their cryptographic position is structurally sound and sufficiently hedged against potential vulnerabilities or attacks. Crypto-agility will be the need of the hour once workplaces restart, and it would be in the best interests of security leaders to prepare for it in the months leading up to that eventuality.”
Laurence Pitt, Global Security Strategy Director, Juniper Networks:
“If I could make one recommendation of something security teams should do right now, it would be to take notes on the current situation to remember what worked and what did not work so well. That way, when analyzing everything in a couple of months, there will be ‘in the moment’ data available.
“This situation will drive changes in remote working policies not just to be better prepared for the future, but also because it’s likely that many users will find that working from home is something they want to do more regularly, once it becomes optional again. Many organizations already have flexible and detailed policies in place, but it would still be highly recommended to dust them off and make sure everything is up to date. For those that are being challenged today, this will be an opportunity to create a modern policy that supports users and their work. It will need to include technical requirements, such as home-working equipment, methods of access, VPN and multi-factor locational requirements.
“Also, security awareness is important for home workers. It’s easy to be briefly distracted at home by a website you might not normally access in the office, perhaps to show your children something. However, home workers need to be aware of the types of scams that will be targeted at them and how spending more time at home can make them a more likely target.”
Matias Katz, CEO, Byos:
“If organizations have learned anything through this crisis that they’ll take forward with them, it will be that relying on VPNs for secure access doesn't work at scale. Sending traffic back into a centralized choke point isn't appropriate for an entire organization when many commonly used applications are SaaS-based and not hosted on-premises. Because of this, I think you will see a faster adoption of Zero Trust security strategies.
“Implementing Zero Trust across a whole organization has been the main challenge for organizations to date. Complex infrastructures and proliferation of device types, operating system requirements, and legacy devices make this implementation challenging to navigate. In particular, establishing a baseline level of network security on untrusted Wi-Fi networks, like Wi-Fi in employee homes, will be increasingly crucial for organizations who are now learning that WFH has sustained productivity, but comes with its own risks, given that home Wi-Fi networks are typically shared with family members who don’t understand the risks of spam, and gamers who download executables.
“Finding solutions that are easy to deploy, easy to provision, and easy to enforce security policies, without reliance on complicated software clients, will let these organizations transition to Zero Trust for remote workers both today and in the ‘new normal’ to come.”