Security Researcher, Engineer, Tech Columnist | https://hey.ax/
These unprecedented times have pushed us to adapt distinctive lifestyles contrary to what we’ve been used to for a millenia. Industries like finance, law, banking and the public sector where culture has traditionally frowned upon working-from-home, are compelled to succumb to such mandates out of necessity. As much rampant the unfortunate layoffs, hiring freezes, and budget cuts across travel and hospitality industries are, data breaches have been on a steady rise. And this is an important observation that we can’t afford to overlook.
Increased reliance on digital technology, VPNs and network infrastructure calls for a greater need to protect them, lest one drew attention from adversaries.
To dig deeper into the reality of the 'new normal', I decided to interview over a dozen businesses and security experts asking for their insight into the matter.
“It’s no secret that most businesses struggled with IT security before the COVID-19 crisis. Many lacked the infrastructure and security required to handle the shift to remote working while keeping critical systems secure,” says Jordan Rackie, CEO of Keyfactor, a leading provider of secure digital identity management solutions. “Working from home has accelerated the number of connection points in the network and the certificates and keys they rely on. Ensuring visibility to and the security of those connections is mission critical – lack of adequate management can lead to systems disruptions, outages and even breaches.”
Ray Watson, VP of Innovation at managed services provider Masergy notes, “[We have] seen a huge increase in demand for VPN connections since working from home began (peak of 762% on April 6), as well as a 100% increase in the number of abuse email notifications sent.” They’ve been busy helping clients navigate how to modernize current IT structures with a focus on security.
Then there’s the never-ending series of data breaches impacting major players and making headlines. From Ghost, DigiCert, and other SaltStack breaches, to the hacked law firm representing big names like Lady Gaga and Madonna, there’s chaos all over. Not to forget, a second wave of ransomware attack (‘Maze’) that got the postal tech giant Pitney Bowes. And, the MobiFriends dating app breach impacting some 3.6M users. And lastly, the return of Thunderbolt data extraction flaw, dubbed “thunderspy” this time around: all within a thirty day span, and at a time when businesses are most vulnerable.
From an executive and managerial standpoint, cutting immediate losses in these unforeseen times seems to be the pragmatic step, and is often necessary. However, looking at the bigger picture, one must be careful that any such step undertaken with the objective of curbing spending doesn’t backfire, resulting in even bigger problems in near future. And that is often the paramount issue when organisations scrutinise their security budgets, and contemplate cuts.
“We have definitely had to cut our cybersecurity budget. Unfortunately right now it comes down to paying payroll, or making temporary cuts where we can. Cybersecurity was the last of these cuts,” says Dan Bailey, President, WikiLawn. “We’re not without any protection [and] we take security risks very seriously. Every employee has to be more accountable now, as a [breach] will almost certainly fall on our shoulders.” Bailey hopes the disruption would be ephemeral and intends to reinstate the necessary resources immediately, once the funds allow for it.
On the contrary, Sean Nguyen, Director of Internet Advisor states his company has had to augment their budgets: “Cybersecurity has been one of our big concerns, since we had to transition everyone to full-time remote. We did increase our cyber-security budget, and we provided everyone with training and software, to limit our vulnerability as much as possible. Our research shows that at least half of these kinds of attacks happen because of employee breaches, so we’re on top of it. Obviously, we’re relying on our website more than ever, and the last thing we need is an attack.”
Surely, temptation arises to put aside that cash cushion and halt any activities deemed unnecessary. But that is a risk too big to take, when discussing information security—effectively a tangible form of insurance your infrastructure thrives on.
“Enterprises should make sure cyber security remains a top priority and not let their guard down,” says Mounir Hahad, head of the Juniper Threat Labs at Juniper Networks. “It doesn’t take much for a threat actor to infiltrate a network, once a vulnerability is exposed. Sometimes, it means reaching beyond the corporate perimeter to top employees’ homes to help them have the correct set up. A Wi-Fi access point with cloud management capability goes a long way towards securing the access your C-suite needs to have from home, for example.”
With increased dependency on a totally remote workforce more so than ever, and no immediate plans to return to the office, there’s a lot at stake for businesses. There’s the obvious risks of employees falling for ransomware and phishing scams. But now, unless a company’s security controls can extend to an employee’s home-office setup, there is little visibility into the possibility of insider threats, such as data exfiltration and insider trading.
Ilia Sotnikov, VP of Product Management at California-based cybersecurity firm Netwrix suggests, “investing into automation of laborious tasks, such as change auditing and user behavior analytics, so the IT team could focus on more strategic areas. Moreover, such solutions will speed up detection and investigation of potential incidents, and if you set alerts on suspicious user behavior patterns, you will be able to quickly address security issues without sacrificing other IT tasks.”
An increased attack surface also favours malicious actors preying on the weakest link, and opens up doorway to remote attacks geared towards unsavvy employees.
“The simple fact is that the likelihood of data breaches will only increase as systems become more interconnected, employees continue to decentralise and work remotely, and bad actors become more sophisticated in capitalising on security weaknesses,” notes Morten Brøgger, CEO of Wire, a secure collaboration platform.
Brøgger stresses, “Not only can a data breach or cyber attack inflict severe financial damage, it can freeze up digital assets which are the lifeblood of an organisation. Without them, there is no product, no service, no sales.”
“It’s not necessarily about spending more, but spending smarter. Many solutions require a lot of set up and manual intervention to keep current, which is not sustainable and forces artificial choices between security and affordability. Newer, smarter solutions, however, automate the implementation of security to eradicate the need to choose. If companies can deploy these newer solutions, they can often strengthen their security within their budget constraints,” suggests Benny Lakunishok, CEO and cofounder, Zero Networks.
“People are still responsible for operating, whether it’s local or in the cloud, and humans make mistakes. Even if they can’t invest in security software due to tight budgets, a company’s leadership should dedicate time each month in security awareness training, such as how to spot an email that could potentially be a phishing scam,” says Nick Santora, CEO and Founder of Curricula, the creators of “security awareness trainings your employees will love.”
Additionally, Courtney H. Jackson, a cybersecurity expert and CEO of Paragon Cyber Solutions suggests running phishing simulation exercises. “There are a number of organizations that offer free online courses that cover best practices that you can implement for your business. I recommend taking this a step further, and running simulated phishing tests for your staff. That will identify your staff members that need additional security awareness training.”
Ahmad Zoua of Guidepost Solutions had some practical tips to share on the networking front. “Companies can increase their network security without impacting their spending, through several tactics: if possible, move [your] services to a robust and secured cloud solution, implement layer 1-4 TCP/IP model network security best practices, utilise multi-factor authentication, encrypt all types of data communication, and [lastly,] install and update antivirus and antispyware on all machines.”
In the open source scene, there are a plethora of “community editions” and free versions of popular security products that can be leveraged by IT professionals and developers alike. And they often cost nothing.
“With all the focus on changes introduced by work from home, it’s easy to lose sight of the fact that most prominent attacks these days focus on deployed applications. Those applications can have latent vulnerabilities sitting in the open source components that comprise about 80% of the code base these days. It’s easy to do an assessment to find out what’s lurking inside your applications,” says Brian Fox, CTO of Sonatype, the company behind OSS Index: “a free catalogue of open source components and scanning tools to help developers identify vulnerabilities, understand risk, and keep their software safe.”
Tyler Young, Senior Manager and Head of Cyber Security at Relativity additionally offered insight into some free tools businesses can adopt: “There are a surplus of phenomenal open source tools, such as Bro (network monitoring), Snort (intrusion prevention and detection), Moloch (full network packet capture), and The Hive (open source incident management platform). Most importantly, use this time to level up your employees. Employees are the first line of defense and a force multiplier when it comes to security. Simple things like teaching strong and effective password hygiene as well as running phishing simulations will increase security awareness with little to no cost.”
In conclusion, there is no end to strengthening security at an organisation, and never a guarantee that a business is immune to cyber attacks despite best efforts. After all, businesses are made up of people and the human element remains the weakest link in the game. Implementing the aforementioned security measures, however, provides a substantial relief and can deter hackers by a long shot for your business.
Author’s Note: Thank you to all the businesses and experts from the security community who responded to requests for comment and interviews. I received over five dozen pitches, and while I regrettably couldn’t feature all of them, I sincerely thank everyone for their valuable time and insight.