Rethinking Cyber Security in the Wake of COVID-19
COVID-19 has had a significant impact on information and cyber security. With a wholesale switch of work environments from office to…anywhere at all, it was hard to avoid. Given the vast business benefits, remote work has now become a permanent fixture among even the most risk-averse organizations. Now more than ever it’s important to understand our new-world cyber security challenges and have a plan to mitigate them. Read on to find out the Top 5 cyber-security challenges facing organizations in 2022 and the three things you can do to manage them.
How the pandemic changed the way we work
The pandemic has changed everything. Not only did 81% of global organizations experience increased cyber threats during COVID-19, according to leading IT security software firms[1], but the proportion of previously unseen attacks rose from 20 to 35 per cent[2].
The pre-pandemic proliferation of IoT and BYOD devices used for remote work was already putting strain on the traditional model of perimeter security in the context of the central physical office. The rapid disintegration of enterprise perimeters caused by the pandemic pushed many work environments to the breaking point. Pandemic realities have shown executive management teams in no uncertain terms how dependent they are on sharing data effectively, safely, and in compliance with increasing focus of privacy regulation, all while IT operations becomes more challenging.
As a result of these changes, many companies decided to quickly accelerate their digital transformation to maintain productivity. As part of that process, IT teams realized the need to substantially rethink information management to reduce overall risk to their business. In fact, many companies now realize that information and cyber security need to form a core pillar of their overall corporate strategy.?
??5 top cyber-security challenges of 2022
Information assets are worth more than ever. The list of business types that couldn’t operate if IT assets were compromised has grown by leaps and bounds. The information and cyber security landscape has evolved in line with that rise in value. From phishing and malware, to collaboration tool issues and remote-updating woes, here is a look at the top challenges facing us in 2022 and beyond.
1.???Phishing up 600%+
Phishing exploits, in which users are fooled into clicking on a link in a malicious email, quickly shifted to take advantage of pandemic-born fears. Stories and information related to COVID-19 abounded. Emails on vaccination availability, variants, symptoms and prevention drove instances of phishing emails up 667% according to Infosecurity Magazine[3]. Given that 47% of employees have been duped at one point or another[4], phishing has become a threat that can’t be ignored
Employee security awareness lies at the core of any Information Security Management System. Companies that keep employees up to date about ongoing security threats, especially when it comes to being vigilant when engaging with external contacts, are creating a security-minded culture that will go a long way to combatting social engineering-type attacks.
2.???Rise in Malware and Ransomware
Malware, which is software or code embedded on a user’s device to exploit a security vulnerability, is growing both more prevalent and more varied. Malware can serve many purposes, from harvesting personal data, and user and administrator passwords, to holding company data for ransom.
In the past two years, more and more ransomware exploits have made the evening news, with hackers encrypting company data until a ransom is paid, which (hopefully) results in decryption. Ransomware production has been commoditized on the Dark Web, where entire industries specialize in the components needed to create an exploit.
Now, even smaller companies are susceptible to a ransomware attack. Malware and ransomware are real risks that need to be managed at the executive level, as the impact on the overall business can be significant.?Regularly reviewing the changing risk profile of malware will ensure that companies are adapting to changing trends in the hacking world. A well-defined business continuity plan and an active security incident response team will empower organizations to respond quickly in the event of a malware or ransomware attack. A fast, well-orchestrated response will enable the business to get back up and running with minimum impact and cost.
3. Increased Dependence on Collaboration Tools and Technologies
Microsoft Teams, Zoom and similar applications are hugely popular for remote-team collaboration. But the use of these tools provides a new vector for hackers to gain access to sensitive information, including user details as well as private meetings and discussions. The ease with which hackers can leverage these handy apps depends on the diligence of the apps’ creators. Even the most trusted tools entail some risk, as witnessed by vulnerabilities found in Zoom and Microsoft Teams[5].
Getting a sound Information Security Management System in place will allow executive management teams to leverage the best tools and technologies available, while continuing to meet data-privacy obligations and manage potential risks associated with tool vulnerabilities.
4.???Software Patching and Update Gaps
A surprising proportion of the software that businesses use regularly was never engineered for frequent remote use. For years, software patching and updating worked on the assumption that workers would be on the main corporate network most of the time, where company devices like laptops are fed update
With a great number of devices now in remote use close to 100 per cent of the time[6], software is going un-patched for longer periods of time, greatly increasing the risk of an exploit—especially given the security levels of most home networks. In some cases, the onus is on the individual worker to monitor and manage their own patches and updates.
Corporations that quickly enable a secure work environment for both office and remote employees will see increased connectivity, realize an advantage over competitors, and experience overall faster business growth than those that struggle to adapt to hybrid setups.
5.? Lack of Device Control
Back when devices were primarily used in the office, ‘work’ laptops and other tools were generally reserved for work purposes.
领英推荐
How times have changed. Corporate laptops can now be found in use by everyone in a household, including children who use them for remote learning, gaming, or interacting with each other. The more family members that use a corporate asset, the more attack vectors against that corporation there are to be exploited.
On the other hand, more than 50% of remote workers now use personal computers for work[7], which spreads corporate data across devices that likely lack sufficient protections. To make matters worse, when work computers share home networks with less-protected personal devices (like smart TVs or gaming stations), they are more vulnerable to attack or malware from within the home network.
As corporations adapt to hybrid work environments, Information Security Management Systems need to adapt security controls that increase the level of logging and endpoint monitoring. They need to deploy remote-working environments that segregate work data from personal data, and make use of network analytics tools to better identify potential threats that may come from the remote-work portion of the corporate environment.
?Improve Your Information Security Management
Step 1: Start by developing an awareness of the changing threat environment and your organization’s approach to information security management, with particular focus on building a security minded culture that has adapted to the ‘new normal’ of pandemic-engendered remote work.
Step 2: ?Increase device access control (and monitoring) to better authenticate user identity and authority to use a device, regardless of its location. At the same time, think about progressing towards the use of ‘self-managing’ information assets. These are active, adaptive technologies that leverage machine learning and artificial intelligence to monitor and manage network security and data authorization through increased event surveillance and subsequent pattern matching.
Step 3: Consult with an information and cybersecurity expert who can help you refine or create work policies, processes and explore tools. In the past, adherence to corporate IT security policy was often sacrificed in the name of employee productivity. Now is the time to pause and review remote work policies, tools and processes to ensure proper positioning for the future.
Capital Ridge Can Help
Capital Ridge can help you understand your unique IT-security business challenges, uncover and quantify the risks, and give you a roadmap for mitigating them. We recognize that your security needs are unique to you and driven by your strategic goals, your current position in the market, and the overall security requirements of your customers.
Capital Ridge Cybersecurity Consulting Services encompasses a broad range of IT-security consultants, ranging from specialists to generalists.
Unlike some cybersecurity specialists, Capital Ridge Cybersecurity Consulting doesn’t sell tech products of any kind. With us you get unbiased expertise, on-demand expert assessments and tailored cyber security risk mitigation strategies.
We start by getting to know your business. We then perform a security gap analysis of your business processes to identify and prioritize risks. We will then provide you with tailored strategies to improve IT-security risk mitigation, as well as implementation if required.
The first step to building a sound Information Security Management System is to understand your company’s risk profile, and your current ability to meet those risks. Our expert assessments and tailored cyber-security risk mitigation strategies include:
·?????Risk and Security Assessments to identify your Information Security maturity and readiness to deal with potential threats.
·?????Supplier Assessments to address supply chain challenges, especially with respect to downstream requirements associated with your Data Privacy regulatory obligations.
·?????Threat Risk Assessments for the entire IT security environment.
·?????Privacy Impact Assessments that examines the data privacy of customers, suppliers and employees in relation to your company’s legal obligations under PIPEDA and similar client-data security legislation.
·?????Security Awareness Training that enables staff to identify and improve employee behaviours that can alter your corporate cyber-security risk profile.
A successful IT security-risk mitigation strategy typically involves improving or switching technologies, as well as improving employee behaviour. Which one is trickier? Good IT-security habits can take a long time to build, since they are the result of corporate culture, effective IT security-related education, adherence to protocols, and other factors—all things that Capital Ridge cybersecurity consulting services can help with. To learn more, contact us at [email protected].
[1] Cybercrime in a Pandemic World: The Impact of COVID-19, McAfee Enterprise / FireEye https://www.mcafee.com/enterprise/en-us/about/newsroom/press-releases/2021/20211109-01.html
[2] Impact of COVID-19 on Cybersecurity, Deloitte https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html
[3] #COVID19 Drives Phishing Emails Up 667% in Under a Month, Infosecurity Magazine https://www.infosecurity-magazine.com/news/covid19-drive-phishing-emails-667/
[4] Impact of COVID-19 on Cybersecurity, Deloitte https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html
[5] Critical Vulnerabilities Found in Zoom and Microsoft Teams, Hacker School https://www.hackerschool.in/critical-vulnerabilities-found-in-zoom-and-microsoft-teams/
[6] 2021 Remote IT Management Challenges Report, Action1, https://www.action1.com/2021-remote-it-management-challenges-report/
[7] Majority of new remote employees use their personal laptops for work, WeLiveSecurity, https://www.welivesecurity.com/2020/06/23/most-remote-employees-use-personal-laptops-work/