By Mark Sangster, Vice President and Industry Security Strategist, eSentire
If anything has become clear over the past six months, it’s that COVID’s tentacles have crept into almost every facet of our lives, both personal and professional. Most of those ways we could have predicted (and did), but there have been a few surprises along the way, such as teaching pods and Zoom fatigue.
The good news is that people are, in general, pretty adaptable. Thousands of years of civilization have shown that when faced with a problem, a little human ingenuity goes a long way. Some of the world’s greatest inventions have been born out of necessity, or in some cases, out of an idea that fills a need we didn’t know we had (smartphones, anyone?). So, as COVID was causing epic changes large and small, far and wide, cyber criminals were adapting right along with it. In fact, for many ne’er-do-wells, it was a boon. Suddenly, companies whose IT teams were equipped to protect networks where perhaps 15 percent to 20 percent of the workforce was remote were faced with an almost 100-percent remote workforce overnight.
The move to home didn’t just mean that employees were working from home offices and dining room tables — it meant employees were now outside the protection of traditional security perimeters, including firewalls. Devices that had previously been protected by enterprise-grade security technologies were now at the mercy of consumer-grade internet routers, many of which were left unsecured by home users. For companies with a focus on the perimeter, this rendered much of their security practice moot.
Without virtual private network (VPN), two-factor authentication (2FA) and multi-factor authentication (MFA) controls, the doors to the henhouse were wide open, and foxes were free to stroll in. Criminals could easily connect to unprotected WiFi networks and install scripts on internet routers to collect unencrypted data, including corporate assets and credentials, which in turn could be used for credential stuffing attacks down the road.
Needless to say, many enterprises realized they needed to double down on their security spend, with the majority of that spend focused on protecting remote workers’ home operations.
Companies lingering in outmoded, perimeter-based security lacked the ability to protect remote workers, cloud-based assets, and distributed management systems. No wonder then that they felt the increased security spend hardest, driven by the adoption of technologies that protect distributed workers and the assets they access. These organizations were quick to snap up encryption technologies such as VPNs and multi-factor authentication, which provide an additional layer of protection to credential-based systems; endpoint protection (next-gen AV); and endpoint detection and response. And that’s not cheap.
And for a few unlucky ones, even greater spending came about, in the form of ransoms, clean-up costs, penalties, and the like, as a result of a data breach or operational disruption born from COVID-camouflaged attacks.
The genie is out
You can’t put the genie back in the bottle. Many companies are continuing with remote, or at least hybrid, operations, and now that the risk is understood, it would be negligent to revert to old security methods.
After the attacks on 9/11, New York-based businesses changed their security and business continuity practices to include back-up systems and work centers outside their main offices. For banks in lower Manhattan, this meant backing up data and services in New Jersey. In 2012, Hurricane Sandy struck the eastern seaboard and not only flooded lower Manhattan, but disabled back-up centers located across the Hudson River. The business continuity practices shaped by the previous event fell short when faced with a new type of natural threat.
With COVID-19, companies more broadly understand that they had made a similar miscalculation, thinking that protecting the network perimeter would secure their business. Organizations must now protect remote workers’ devices (endpoint protection), and the means by which they connect to business systems and assets (VPN and MFA). When the next forcing factor emerges (hopefully no time soon), it will again reshape the way we approach cybersecurity fundamentals. With luck, thousands of years from now, our descendants will marvel not only at how we successfully navigated a global pandemic, but how by applying human ingenuity, we emerged stronger and with a few new tools under our collective belts.