The impact of COVID-19 on cyber security strategy and management
On January 23rd, when the city of Wuhan went into lockdown, cyber security changed forever.
Within a month, millions of employees around the world were working from home. But although the way in which organizations work had altered dramatically – possibly forever – the threat actors were still out there. And as working modes change, so do the risks.
In April 2020, as global working from home became established as the norm, Control Risks interviewed 16 of its clients, who currently hold positions as chief information officers (CIOs), chief information security officers (CISOs) and security advisers. Collectively these security leaders are responsible for securing almost 750,000 employees. The respondents, who worked at multinational companies, financial institutions, small fintech firms and manufacturing startups, described the outbreak of COVID-19 as among the most challenging periods of their careers.
All of them said that this has been one of the most – if not the most – challenging periods of their careers. Companies, governments and NGOs are facing multiple challenges. Initially these have been tactical and logistical: “How do I get 10,000 new users onto my VPN?” As we move, however, from the ‘response’ phase of the crisis to the ‘recovery’ phase, the challenges are becoming strategic: “How do I plan cyber security when the whole organization has been upended?”
When governments first imposed lockdowns, organizations were forced to ramp up their remote access capabilities. “We had to massively increase our VPN capacity to 150,000 users from 25,000,” said an Asia CISO of a multinational financial institution. Another had to increase capacity 20-fold overnight. Yet from a performance perspective most organizations say the infrastructure on which they ran their systems was able to deal with the sometimes-exponential increase in demands.
In the early stages of the COVID-19 outbreak, organizations faced tactical and logistical challenges. For example, IT teams had to work 24/7 to provide employees with laptops and peripherals such as two-factor authentication tokens. Another challenge faced by some, particularly law firms and financial institutions, was printing and scanning documents. “Lawyers like to print out their documents, as well as read, review and sign them,” said an information security manager of a large global law firm. “We had to find a way of doing this securely.” A law firm CIO said: “We were tempted to use a scanning app but decided that the risks were too high and refused to compromise.” MNCs have faced similar challenges. A CISO of a company that employs 30,000 staff said: “[Printing and signing] were problems for the tax department and the legal team.”
Most organizations had already rolled out two-factor authentication for certain employees; with the COVID-19 outbreak, this has been extended across the entire operations of most organizations. Although such roll-outs pose logistical and organizational challenges to some, their implementation was straightforward. “We had to roll this out across the organization but with Microsoft it was relatively straightforward.”
Remote working technologies have been a security challenge. Users were divided over the use of Zoom, a video-conferencing tool. One user, an IT specialist in a startup, felt compelled to move away from Zoom, because their company was in the process of raising funds and some investors were uncomfortable using the service. Other organizations decided to move to Microsoft Teams to sync with their use of Office365. Meanwhile, organizations are having to identify ways of managing incident response and updates remotely. “Patching and updating was often done through the intranet. We’ve had to design workarounds because this isn’t available,” said a respondent.
Not all cyber security challenges have been technical in nature. Fears over COVID-19, and a desperate thirst for information on the virus, made this a classic phishing lure. Indeed, nearly all the organizations we spoke to reported phishing attacks stemming from the COVID-19 outbreak. Most had responded by alerting users to these attacks and providing the warning messages from their HR teams. A few organizations, however, took a more aggressive approach by sending out COVID-19-related phishing tests. One law firm revealed that it had “sent out [phishing test] emails with CDC and WHO branding on them – which people clicked on!” Another law firm said that the IT security team wanted to do this, but its partners had vetoed the idea, saying that it was not an appropriate time to do so.
The misuse of legitimate communication tools by employees and the need for new tools have forced organizations to review their approach to managing cyber security: “[Working from home] has forced discussion about software management - particularly with regard to exceptions, whitelisting and acceptable use policy - on a global scale. This was triggered by widespread, unapproved adoption of Zoom by individuals with their work email account for internal work.”
These tactical problems have been solved for the most part by a massive effort on the part of IT teams. One CIO described this as “cyber heroics”, with his team working 24/7 to ensure that his organization could operate remotely.
Having resolved these tactical issues, cyber security leaders would do well to think strategically about cyber security in the post-COVID era. This is challenging some business leaders who are still in ‘fire-fighting’ mode. A CISO of an investment bank said: “Our biggest challenge is sustaining the pace [of response]…[I am concerned about] how are people coping mentally and physically.” Furthermore, financial and organizational constraints are forcing companies to downgrade their capabilities: “We have a hiring freeze and the director of information security has resigned, so there is no formal second line of security in place,” said an employee from a global manufacturing company. Consequently, long-term strategic cyber security planning and management are falling behind. “The biggest challenge is that all my strategic work has gone out of the window. I can’t think more than a week out at the moment,” said a global CISO.
COVID-19 has also accelerated the cloud computing trend. “We have expedited the release of some applications because of this. If this had taken place six to nine months from now, all this would have been in place,” said a regional CISO of a large investment bank.
This aligns with the ongoing redefinition of what the organization looks like and what cyber security means to an organization. For example, erstwhile office-focused law firms are evolving a new work culture that revolves around working from home. “Our London partners had been opposed to working from home, but this will now be different after COVID-19.”
And given that large global companies have multiple lines of business, their resources do not tend to be distributed evenly. “We have a number of smaller businesses and offices in Asia that don’t have their own capability…keeping them secure has been a real challenge,” said a CISO for a global apparel company.
The new forms of working are only going to increase this challenge, with the breakdown of boundaries between home and office, in turn breaking down the boundaries between the enterprise network and domestic network. As one CISO said: “Security has now moved from the perimeter… [and] we are now operating a zero trust framework… we are moving from defending lines to defending dots...”
Here are a few takeaways:
- While organizations have been addressing both tactical and logistical challenges, such as increasing their VPN capacity tenfold, they need to think more holistically by asking: What will cyber security look like in the post-COVID-19 world?
- While cloud adoption has gained significant traction in the corporate world, it is now integral to the new distributed operating model.
- Cyber security has traditionally been viewed as defending a perimeter – or “protecting the line”. Working from home has effectively upended this and shifted to “protecting the dots”, that is, securing the individuals and endpoints that comprise a post-COVID business.