Firms that bypassed cybersecurity processes in a rush to deploy remote-working technologies created security gaps and are now left with the challenge of playing catch up.
“Once Covid happened, you were able to get a lot of funding to push a lot more over the line that you historically have been,” says Belton Flournoy, director at Protiviti. “At the same time, that caused you to push deployments out faster than you typically would have.
“Tons of organisations deployed Microsoft Teams across the organisation, but [some businesses] didn’t think about some of the security implications of making it available for everybody.
“Organisations are now trying to catch up with the work that’s been deployed. In every sector, strategy implementations were able to progress quite quickly. Now, we’re looking to do security checks to make sure that everything is following suit.”
Eighty-one percent of cybersecurity leaders said the pandemic forced organisations to bypass cybersecurity processes, according to a report from EY.
Flournoy says audits will become increasingly important to give cyber leaders the assurance that some of the big programs they didn’t account for are fit for purpose and that there are not any security flaws or gaps that were inadvertently missed.
Internet-facing security controls
With many organisations now implementing remote and hybrid working models, the security perimeter for the business has expanded, creating a new set of challenges. In fact, 43 percent of chief information security officers (CISOs) have never been as concerned as they are now about their ability to manage cyber threats, the EY survey found.
Jitender Arora, CISO at Deloitte UK, says “one of the biggest cyber risks for businesses with a remote workforce is that laptops or other devices, and the people using them, are no longer protected by the traditional security controls usually in place in an office environment.”
These devices joining home and other networks could have a myriad of other untrusted or unsecured devices connected. As such, it’s essential to have the right security controls and technology in place, he adds.
“Almost all business-critical security needs to be internet facing, be it endpoint (laptop and device) management, patch management or vulnerability management,” says Arora.
“It’s worth also remembering that hybrid workers will not necessarily be signing into an organisation’s virtual private network (VPN) all the time to connect to such services, especially if an organisation has split VPN tunnelling in place to provide better user experience and network performance.”
Similarly, Craig Lurey, CTO at Keeper Security, argues that a strong cybersecurity policy should include a centralised management platform for passwords as a minimum.
“Password managers encrypt the information placed inside of them [and] act as a vault for credentials that could otherwise give cyber attackers the keys to your kingdom.
“Just because you can’t see a threat doesn’t mean it isn’t real and couldn’t destroy your business. It is therefore essential that you put as much emphasis on protecting your digital assets as you would on any physical ones.”
However, Simon Creasey, solutions architect at Spyrosoft, says it’s a good time for businesses to review standard processes for user, device, and application lifecycle management before implementing new security technologies.
“Gaps in your asset management can render any service management and monitoring ineffective. Patching firmware, OS and applications to current versions is crucial to removing vulnerabilities.
“Any legacy groups, old laptops and duplicate applications which can be streamlined will simplify the environment and improve the chance your security monitoring will pick up a future anomaly.”
Similarly, Flournoy warns that organisations shouldn’t overload themselves with too many security technologies from different providers as they all create their own security risk.
A cross-functional approach
Arora says “an organisation’s ‘cyber culture’ is going to be key to its post-pandemic cyber security strategy. Any organisation’s first and best line of defence remains its people, and with hybrid working in place this is truer now than ever before”.
“User experience can be enhanced significantly, and the cost of security made more manageable, in organisations whereby users demonstrate ‘cyber-first’ behaviour.”
Having cross-functional teams across the organisation plays an important role in ensuring the whole business carries that cyber-first behaviour. Flournoy explains this will ensure that the deployment of different programmes and initiatives carries security considerations with it.