Just a year ago, we could not have imagined how drastically our lives were about to change in every respect. As COVID-19 grew and spread throughout the world, the modern work environment experienced a drastic evolution. Now no longer just a perk given to employees with family or health issues, remote working arrangements became the way to do business. They also became the way for cybercriminals to get a foothold in sensitive systems.
Responding to the COVID crisis has put the cybersecurity world to the test. Unfortunately, there is a significant shortage of trained cybersecurity professionals, and this fact is not lost on the hackers.
Organizations now must be increasingly diligent with respect to the end-to-end security of all of their remote and online operations. To keep up with the hackers, companies must invest in not just strengthening their cybersecurity programs but making cybersecurity part of their DNA.
In this article, we will discuss some of the steps an organization should take to address the evolution of cybersecurity threats resulting from the COVID crisis. The challenges are tremendous, but, just as the people of the world will do, the cybersecurity industry will eventually emerge from the crisis stronger and more agile.
Ensure security is part of the development process
As organizations develop more applications to support remote workers, they must ensure that security is built into the software development lifecycle (SDLC) rather than bolted on just before release. Running security testing at several points during the SDLC is one way to ensure that vulnerabilities are identified and corrected as early, and therefore as cheaply, as possible.
A number of tools are available, including static application security testing (SAST), dynamic application security testing (DAST), and interactive application security testing (IAST), each of which is most effective at a specific point in the SDLC. SAST analyzes source or compiled code without executing it, so it is best employed early, while code is still being written. DAST probes a running build from the outside and belongs in the test and staging stages. IAST instruments the application while functional tests run and combines elements of both. No single tool catches everything, so the three complement rather than replace one another.
As discussed by cybersecurity expert Mark Preston of Cloud Defense, SAST “allows dev teams to use such scanners before finalizing various code features and functions…[and] any security problems identified can be dealt with before extra time and work is wasted.”
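To make concrete what a SAST tool does at that early point, here is an added example that is not from the article or from any product it mentions: a minimal Go checker built on the standard go/ast package. It parses source text without running it and flags database Query/QueryRow/Exec calls whose first argument is assembled at runtime by string concatenation or fmt.Sprintf, the usual shape of a SQL injection bug, while leaving parameterised queries alone. The sampleSource snippet is constructed for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Finding is one static-analysis result: the source line and what was flagged.
type Finding struct {
	Line int
	Msg  string
}

// ScanSQL parses Go source text without executing it and flags Query/QueryRow/Exec
// calls whose first argument is built at runtime by string concatenation or
// fmt.Sprintf. A string literal followed by separate parameters (a parameterised
// query) is not flagged.
func ScanSQL(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok || len(call.Args) == 0 {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok {
			return true
		}
		switch sel.Sel.Name {
		case "Query", "QueryRow", "Exec":
		default:
			return true
		}
		if reason := dynamicString(call.Args[0]); reason != "" {
			findings = append(findings, Finding{
				Line: fset.Position(call.Pos()).Line,
				Msg:  sel.Sel.Name + " called with " + reason,
			})
		}
		return true
	})
	return findings, nil
}

// dynamicString reports why an expression looks like a runtime-built string,
// or "" if it matches none of the patterns this rule knows about.
func dynamicString(e ast.Expr) string {
	switch x := e.(type) {
	case *ast.ParenExpr:
		return dynamicString(x.X)
	case *ast.BinaryExpr:
		if x.Op == token.ADD {
			return "a query built by string concatenation"
		}
	case *ast.CallExpr:
		if sel, ok := x.Fun.(*ast.SelectorExpr); ok {
			if pkg, ok := sel.X.(*ast.Ident); ok && pkg.Name == "fmt" && strings.HasPrefix(sel.Sel.Name, "Sprint") {
				return "a query built with fmt." + sel.Sel.Name
			}
		}
	}
	return ""
}

// sampleSource is a constructed snippet for this example: two injectable calls
// (lines 6 and 7) and one parameterised call (line 8) that the rule should ignore.
const sampleSource = `package demo

import "fmt"

func lookup(db Database, user string) {
	db.Query("SELECT * FROM users WHERE name = '" + user + "'")
	db.Exec(fmt.Sprintf("DELETE FROM sessions WHERE user = '%s'", user))
	db.Query("SELECT * FROM users WHERE name = ?", user)
}
`

func main() {
	findings, err := ScanSQL("sample.go", sampleSource)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d: %s\n", f.Line, f.Msg)
	}
}
```

Run against the sample it reports lines 6 and 7 and stays silent on line 8. A real SAST product carries hundreds of such rules plus data-flow tracking so that a user-controlled value reaching the query through several assignments is still caught; the point of wiring even a simple rule like this into a pre-commit hook or CI stage is that the finding reaches the developer while the code is still in front of them.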
Build a strong cybersecurity culture
Unfortunately, at the onset of the COVID crisis, most industries and educational institutions had not developed a culture that promoted cybersecurity and were simply not ready to move quickly to a new normal built on telecommuting and tele-learning.
While remote work arrangements, both formal and informal, had already been slowly increasing in the years prior to the COVID crisis, the explosion in these arrangements beginning in early 2020 was unprecedented. By the end of 2020, over 40% of the workforce was working remotely and one study suggests that more than 25% of the workforce will continue to work remotely throughout 2021.
But organizations that had not developed a culture where cybersecurity had been infused into every activity were unable to effectively respond to new threats. In addition to the lack of employee knowledge about how to work securely, particularly when remote, organizations lacked sufficient IT personnel for a wholesale restructuring. They also lacked sufficient infrastructure, and the secure tools and software necessary to accommodate a primarily remote workforce.
Customers are often the first to notice a problem with your company’s website, such as a defaced page, a phishing site imitating yours, or a suspicious email apparently sent in your name. It is vitally important to give them a channel through which they can alert you quickly when they believe something security-related is wrong. A help desk or ticketing system that integrates with your email, routes security reports to a monitored queue, and notifies the right people lets you respond as quickly as possible instead of learning of the problem weeks later.
Even if the assumption that remote work is the new normal eventually proves incorrect, organizations still need to teach their employees that cybersecurity is not just a priority, but something that they need to consider every day, in everything they do.
Lead from the top
Building a culture that recognizes the importance of cybersecurity is not simple. It often requires that employees do things they find inconvenient, like using long, unique passwords for every account (ideally generated and stored by a password manager) and enrolling in multi-factor authentication. Note that current guidance, including NIST SP 800-63B, favors changing a password when it is suspected of being compromised rather than on a fixed schedule, since forced rotation tends to produce weaker, predictable passwords. Problems with buy-in arise at all levels of the organization, including the C-suite.
But it is the C-suite that must set the example for the rest of the organization. C-level executives need to understand that they must not only make the decision to invest in cybersecurity (including personnel, applications and services), but they also must fully implement the organization’s policies personally and then sell their value to everyone else in the organization.
While building a self-enforcing security culture is highly desirable, it is also valuable to consider how to make certain cybersecurity efforts essentially invisible. One valuable way to ease the cybersecurity burden on both the C-suite and other employees is to increase the level of automation in the organization’s cybersecurity program.
Effective spam filters are a very simple example of automation, and their utility continues to increase as their filtering algorithms are improved through use of artificial intelligence and machine learning.
Cybersecurity automation is also important in areas that employees never see. The sheer number of attacks occurring on a daily basis mandates that an organization’s cybersecurity controls be able to operate quickly and preferably without extensive manual intervention.
This is doubly true given the shortage of available professionals. An organization can use tools such as security orchestration, automation and response (SOAR) platforms and robotic process automation (RPA) to enhance its security operations, for example by automatically enriching and triaging alerts and carrying out routine containment steps so that analysts spend their time on the cases that require judgment.
Routinely train employees
As an organization’s workers spread out around their town, state, country, or even across the globe, the need for effective cybersecurity training increases substantially. Phishing attacks, in which criminals impersonate a trusted entity in order to trick the recipient into handing over credentials or other sensitive information, have risen dramatically since COVID-19 hit.
For example, in April 2020 Google reported that Gmail was blocking more than 18 million COVID-19-related malware and phishing emails every day, on top of more than 240 million COVID-related daily spam messages, against a baseline of more than 100 million phishing emails blocked per day overall. And, naturally, this does not mean that spam and phishing that were not COVID-related stopped during that time frame.
Lack of proper employee training remains a problem, especially given the prevalence of BYOD and remote work environments. The failure to train employees about cybersecurity risks is stunning given that most successful cyber attacks involve a social engineering step somewhere in the chain. And the danger has only increased during the COVID crisis.
Employees must be informed of the steps they need to personally take to ensure the organization’s security, be given the tools necessary to take those steps, and be given appropriate support structures so that they properly implement the steps.
And the tools are not limited to securing networks; they can and should apply to everyday tasks. As an example, employees should be trained to work with digital signatures, which let a recipient verify who sent a message and that it has not been altered since it was signed. S/MIME certificates bring the same protection to email: a signed message carries a signature that the recipient’s mail client checks against a certificate bound to the sender’s address, so an unsigned message, or one with a failing signature, claiming to come from a colleague who always signs stands out. The protection only works if employees are taught to look at the signature status and to treat unsigned or invalid requests, especially urgent ones involving money or credentials, with suspicion.
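The following added example is not from the article. It uses Ed25519 keys from Go’s standard library rather than the X.509 certificates real S/MIME relies on, and a hypothetical SignedMessage format, to show what “verify the sender” means in practice: the recipient trusts the From address only if the signature checks out under the key the recipient has already bound to that address, so both a message whose body was altered after signing and a message signed by an attacker’s own key while claiming the CEO’s identity are rejected. The message texts are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedMessage is a simplified stand-in for a signed e-mail: a claimed sender,
// a body, and a signature over both. Hypothetical format for this example; real
// S/MIME wraps the signature and the signer's certificate in a CMS structure.
type SignedMessage struct {
	From string
	Body string
	Sig  []byte
}

// Keyring maps a sender identity to the public key the recipient trusts for it,
// playing the role the certificate store plays for S/MIME.
type Keyring map[string]ed25519.PublicKey

// signingInput binds identity and body together with length prefixes, so a
// valid signature cannot be moved onto a different From or a different body.
func signingInput(from, body string) []byte {
	return []byte(fmt.Sprintf("%d:%s%d:%s", len(from), from, len(body), body))
}

// Sign produces a message claiming to be from `from`, signed with priv.
func Sign(priv ed25519.PrivateKey, from, body string) SignedMessage {
	return SignedMessage{From: from, Body: body, Sig: ed25519.Sign(priv, signingInput(from, body))}
}

// Verify trusts the From header only if the signature checks out under the key
// the keyring binds to that identity. An unknown sender is an error, not a pass.
func Verify(kr Keyring, m SignedMessage) error {
	pub, ok := kr[m.From]
	if !ok {
		return errors.New("no trusted key for claimed sender " + m.From)
	}
	if !ed25519.Verify(pub, signingInput(m.From, m.Body), m.Sig) {
		return errors.New("signature does not verify for " + m.From)
	}
	return nil
}

// Scenarios runs three cases and reports whether each one verified: a genuine
// message, the same message with an altered body, and a spoofed message in
// which an attacker signs with their own key while claiming the CEO's address.
func Scenarios() (genuine, tampered, spoofed bool, err error) {
	ceoPub, ceoPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	kr := Keyring{"ceo@example.com": ceoPub} // the recipient's trusted binding

	genuineMsg := Sign(ceoPriv, "ceo@example.com", "Please review the attached Q3 report.")
	genuine = Verify(kr, genuineMsg) == nil

	altered := genuineMsg // valid signature, body changed in transit
	altered.Body = "Please wire $40,000 to the account below today."
	tampered = Verify(kr, altered) == nil

	fake := Sign(attackerPriv, "ceo@example.com", "Please wire $40,000 to the account below today.")
	spoofed = Verify(kr, fake) == nil
	return
}

func main() {
	g, t, s, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verified: %v\ntampered verified: %v\nspoofed verified: %v\n", g, t, s)
}
```

The spoofed case is the one that matters for phishing: the attacker controls the From header and can produce a perfectly valid signature, but only under a key the recipient has never associated with the CEO, so the check fails. In S/MIME the binding between address and key is established by a certificate issued by a CA the mail client trusts, which is why certificate issuance and trust-store management are part of the rollout rather than an afterthought.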
Remember that training will not be effective if it is a one-off event; the organization must take every reasonable opportunity to reinforce and update the training and provide new tools as they become available. Without effective training, an organization may end up wasting all the other resources it has invested in securing its systems.
While COVID-19 may not have permanently altered the cybersecurity industry, it has unquestionably ignited a fire under organizations to reinforce and expand upon their existing cybersecurity efforts and created a substantial need for more trained cybersecurity professionals.
With their employees widely spread out, organizations must invest in both cybersecurity staff as well as advances in cybersecurity technology to provide the most secure environment possible. And just as people have had to adjust the way they manage their everyday lives to deal with COVID, so too must organizations adjust the cultures of their organizations so that cybersecurity is a front-of-mind thought every day.