THE COVID-19 SECURITY HANGOVER

Remote working became standard for millions of people from early 2020, with IT managers becoming the unsung heroes during a phenomenally high-pressure period. Most IT managers have no doubt breathed a sigh of relief at seeing the back of this Covid-19 ‘calendar year’ but it’s not over yet.

The landscape shifted from worrying about the confines of the four walls of an office building to an individual site for every home for each member of staff. Let’s take a company with 200 users. At no stage during planning in 2019 did any IT manager consider that instead of a building with 200 people, they would have 200 offices scattered everywhere.

If an IT manager had been asked in 2019 to plan for 200 offices, they would have planned properly, i.e. understood the business requirements and assessed the risk, the business, and the infrastructure and security requirements for such a task. That could take six to nine months of planning, testing, procuring, securing and more. Like the rest of the world, however, they did not get that time: they were forced to do it in a matter of weeks … or days! Getting a business operational across 200 sites in such a time frame undoubtedly required short cuts, skipped steps and little or no due diligence.

Security Oversight?

As in most cases, what is left out in such a rush is security. Security can sometimes be seen as the blocker, something that slows things down and is expensive. This can be true, but it doesn't have to be, especially if an organisation works on a "secure by design" methodology. The rush for a remote workforce may have succeeded in delivering the necessary tools for the workforce to do their day-to-day jobs, but at what cost?

Security is not just ‘antivirus and firewalls’. Security for a business is keeping it alive while guaranteeing confidentiality, integrity and availability, even in the event of an ICT disaster. The focus for all organisations following this pandemic crisis should be further securing what they are doing today. They should not be sitting back now that all the "hard work" is done. IT managers need to be fully confident that every corner that was cut is being revisited, and that their security posture is being enhanced even further as new threats arrive on a daily basis.

Some of the major issues that we saw very shortly after the rapid shift to remote working were things like:

· Network security issues - Too many people using VPNs that were designed for only a small number of users in an organisation. Firewalls were hitting peaks, VPN solutions were not scaling and performance was heavily impacted. Security features and functionality were disabled, and applications were made publicly available, bypassing VPNs and the security solutions and features behind them.

· Application security issues - Applications were made publicly available, which meant they were exposed to the "wild west" [AKA the www internet]. If they were not undergoing regular updates and vulnerability scans, they were wide open to attackers randomly scanning for weaknesses. If you are hosting confidential information in these systems, you should get a pen test and consider Web Application Firewalls to ensure that you are covered.

· Identity and access management - Lack of single sign-on, multifactor authentication and overall identity governance meant that legacy accounts were still being used by staff that may have left the organisation, staff had access to systems they shouldn't have, and attackers were easily able to phish users and get access to corporate networks and emails without breaking a sweat.

· Lack of scalable infrastructure - The increase in things like remote desktops in the datacentre meant that the performance of DCs was heavily impacted for compute and storage. Obtaining new hardware in a short time frame became a huge issue, and backups and disaster recovery replication were no longer suitable or fit for purpose. This had a major impact on, and posed a major risk to, business continuity.

· Lack of secure communication - Phone systems, contact centres and collaboration solutions had been designed for in-office use and not for use across multiple sites over VPN. End users and customers experienced very poor performance, leading to the use of personal phones and shadow IT communication services.

· Prolific use of personal devices - People were forced to work off their own personal PCs, mobile phones and tablets. Insecure personal PCs are now connecting into your network, ready to spread malware or be used as a conduit into your network by attackers. Personal PCs with no encryption, no patching, no antivirus and riddled with malware were connecting to corporate networks. Corporate data is now also being stored on insecure, unencrypted devices, which is a huge risk, especially for those holding GDPR-regulated or company-sensitive data.

· Remote end point management and security - Corporate devices were not visible unless connected to the VPN. Devices were not getting patches or updates, there was no control or visibility of what was happening on the end point, and there was no ability to block storage of specific data such as PII. The client device had no ability to get AV updates, security updates or encryption monitoring, and had no local firewalling or web filtering.

· Lack of cloud security - People need to realise that putting something in the cloud does not mean it is fully secure. The cloud is a shared responsibility model, and businesses need to understand the line of demarcation and the roles and responsibilities. Secure connectivity, hardened builds, encryption management, backup and recovery are some of the many items for consideration.

· IT Operations - Change freezes were coming into place, making it extremely difficult to patch, manage and monitor an extremely busy estate: core infrastructure and work-from-home end points (mobile, PCs, tablets, printers etc). Management and monitoring tools were only designed for the corporate network and were not sufficient for home use. Staff were overstretched and overworked. Mistakes were happening and short cuts were being made.

· Security operations - Security monitoring solutions were only designed for corporate LAN use. There was already a major lack of security solutions implemented pre-Covid: things like phishing simulation, security monitoring and logging of end points, networks and data centres, vulnerability scanning and more.

· Lack of awareness and training - There has been a significant rise in phishing attacks this year. 80% of the attacks we were asked to assist with had started with a phishing email stealing credentials. If you do not have multifactor authentication in place and good cyber awareness in the form of phishing simulation and regular bite-sized training, you can be guaranteed to suffer a breach. If you think you haven't, the chances are you already have and are just not aware of it.

For business owners and IT managers out there, you need to be comfortable with these factors:

· You know your estate - You know all your systems, the data you are collecting, how it is being accessed, where it is being accessed from and how you can control access to it.

· End-user cyber awareness - You need to be certain people are taking part in regular awareness training. One day a year will not cut it. It should be regular snippets of training on a continuous basis.

· Patching - Knowing everything you have is patched and up to date (PCs, applications, phones, tablets, printers, servers, storage, firewalls etc). A lot of people only focus on patching the OS. Don't forget the rest.

· Multifactor authentication - MFA is in place across all possible services. Where MFA is not possible, introduce conditional access for corporate or BYOD-enrolled devices.

· Monitoring - Ensuring that you can securely monitor and manage your estate from mobile device, to datacentre, to cloud.

· Bring Your Own Device controls - Ensuring that, if there is BYOD, there are levels of posture checking and control in place so that corporate data is secure.

· Test your systems - Backup, DR, security tools, applications (pen testing etc.) and vulnerability scanning.

· Secure your cloud - Ensure that your SAAS, IAAS and PAAS solutions are secured and protected. Don't just assume it is already done.

In normal times, starting this can be a difficult journey, but here are some steps to help you think about how to approach cyber security.

· Identify - Identify ALL your ICT assets, data, people and systems. Know in real time what you have (avoid spreadsheets!)

· Protect - Help protect those assets from attack or loss with a layered, proactive approach. Not just a firewall and AV.

· Detect - Work with solutions that give central, full end-to-end visibility and methods to detect if an event is unfolding (most organisations don’t even know that they have been breached!), or outsource this responsibility.

· Respond - Be in a position to respond. Go through the different types of scenarios and know that you have the ability to react. People, Processes and Technology!

· Recover - Have a backup plan. Be sure you have tried and tested backup and recovery solutions in order to get back up and running as quickly as possible.

Séamus Flynn

Cloud Business Development Director at Logicalis UK&I

3 years

A good read Gerard K.

Gerard K.

CTO NCSC-IE | CISO | Former Director at EY | Technology Consulting | Cyber Security | Soldier | Army Reservist

3 years

Thanks to Fergal Keniry MBA for the proof read!
