Posted on 9/04/2020 by Lauren Stutz
Coronavirus, or COVID-19, has impacted every single aspect of life as we know it, leaving nothing untouched. Whilst the entire world finds themselves forcibly confined inside the walls of their home full-time, industries such as tourism and hospitality have been obliterated; pushed into the dark. Concurrently, as a result of such drastic measures, there perhaps is no brighter light than that which now shines upon IT security.
Cyber resilience has been forced to its pinnacle state, organisations are under immeasurable pressure and the general public arguably never more vulnerable. Sadly, hackers have seized the opportunity, identified weaknesses and preyed on the hysteria; meaning that security professionals are needed now more than ever.
Pre-COVID-19, security plans typically focused on gradually migrating to the cloud and operating hybrid infrastructures, as firms were slowly moving away from hardware appliances. Companies had, at best, intermittent remote access for most employees, who were expected to be physically present in an office most days. Now, with the arrival of COVID-19, plans have instantly changed as the entire workforce of most organisations finds itself either working from home or simply at home, out of work. This is a wholly unprecedented state and plans have immediately needed to change. Strains on VPNs are now a significant feature, and access to work applications throughout the day is front and centre, alongside a radically shifted use of digital telecoms and video conferencing.
During such a period, the most important thing I can do is spend more time speaking with my network to try and understand the challenges being faced and offer as much support as possible. Having spoken to many of the CISOs in my network, the main point was speed. IT teams working with their security cousins had to quickly meet an incredible level of demand. Away from pace of response, there have been two ever-present themes coming from these conversations.
Organisations needed to almost instantly move all employees to work from home to try and create a business-as-usual feel, with no playbook or precedent to follow. Suddenly people are working on their own devices, connecting to their own Wi-Fi and having access to applications outside of the office. Teams are configuring remote access as fast as they can, but this could create more problems further down the line. Risk assessments need to be carried out to work out whether the company’s data is safe in this working-from-home environment and whether everyone has the right access.
It follows naturally that since lockdown began, Access Management remains a key area of demand and doesn’t look to be slowing, unlike other less critical hires. This includes the breadth from architects, to design and plan, to delivery analysts, to configure solutions. We expect to see continued requests also; however, it’s worth noting that the speed of response firms had to demonstrate in recent weeks simply didn’t allow time for increasing levels of hiring to cope. It required a ‘round the clock’ response from incumbent teams and realigning of skill to execute the mass shift in the first instance. The results should leave us all raising a glass to IAM teams across the globe, however with a due sense of caution around any undiscovered threats lying in wait.
Connectivity is vital, but companies must also consider data loss prevention. Employees now have access to data that would have been protected within a closed network and on office-based devices, and the same isn’t immediately true for personal devices. Additionally, as the majority of our colleagues and customers are now at home, we are more likely to share personal data such as personal email addresses, mobile numbers, addresses and scanned copies of personal documents to ensure operations can continue day-to-day. Companies will provide encryption and anti-malware to avoid attacks, but can a company be sure every employee has the same protection on their own device? It’s fair to say the everyday person simply doesn’t have the same security consciousness or infrastructure at home versus the measures taken for them, behind the scenes, at their place of work. At a time when we are unsure of what is happening in the world, companies need to instil trust in their customers and clients, and this needs to be high on the agenda for security teams, where proactive defensive steps must be taken. This is another area where a risk assessment needs to be done and companies need to start working out how to avoid data being stolen from personal devices. Even such measures don’t stop the potential risk exposure where people live in shared accommodation and, through unavoidable circumstance, could be breaching GDPR and putting their business at risk by accessing sensitive data in full view of, or sharing devices with, outside parties. Data programmes were prevalent market-wide in the lead up to, and immediately after, GDPR was brought into force, with BAU teams remaining in situ. It feels as though some of the more consultative and project-minded skills could be called back into action to tackle the imminent and upcoming risks.
As the UK looks like it is about to hit the peak of COVID-19, one thing that’s proven is how quickly we can collectively adapt to change and adopt new behaviour patterns. People are working and existing differently now and, impressive as the shift has been to witness, it has highlighted undeniable gaps and security risks. IT Security teams will still need to maintain BAU but also address these increased issues to ensure their service is upheld. This could be a time where Security experts come up with new solutions that pioneer the industry and forever remove the risks we see today. It will involve investment and a realignment of budgets to address issues that have emerged and, more importantly, security and IT professionals alike redirecting their time and attention to ensure robust coverage for the aftermath of our foe, COVID-19.