Cyber for the autumn of COVID – part 3

This blog is organized as a three-part series. Here is the conclusion!

• Part 1: How COVID has changed IT
• Part 2: How COVID is shaping the cyber landscape for 2021
• Part 3: Six key takeaways for 2021 cyber planning

Part 3:  Six key takeaways for 2021 cyber planning

In the first two parts of this series, we considered how COVID changed IT in 2020, and how it is shaping the cyber landscape for 2021. In this third part, we turn what we have considered into key takeaways for your 2021 cyber planning.

As this year’s end is rapidly approaching, it is painfully apparent that the “adventure” of 2020’s COVID response is looking like it will continue into 2021, and many of the impacts of the present crisis will likely be felt for some time to come. Localized outbreaks and other issues may drive lockdowns to be reinstated and re-openings to be rolled back, at least on a temporary basis. It is probably realistic to expect that the present measures will remain in place for a while and it will be even longer until people’s behaviors change back to the way they were before the present crisis began.

So as we wrap up 2020 and plan our priorities for 2021, here are six key takeaways that you should consider for your organization’s cybersecurity posture:

1. IT is even more critical now than ever before.
   Even the most low-tech organizations have had to switch to telework and online collaboration for at least some of their employees, partners, and customers. All of these capabilities are powered by the internet, information technology, online accounts, and connected computers. Even a minor disruption to these systems, when everyone is reliant upon them to do their jobs, can have devastating impacts on the business’s ability to operate.
2. What was okay for the crisis of March/April/May should be revisited going into 2021.
   Even the most robust and “by-the-book” organizations have had to compromise to address the business needs of the present crisis. Whether these compromises involved using IT systems beyond their rated capacities, negotiating with technology providers for exceptions to licensing agreements, pressing obsolete technology to continue working after its replacement date, or relaxing cybersecurity controls to enable continued operations, the technical debt that has resulted from these actions is going to come due at some point. Organizations should look closely at the compromises that were made in the name of expediency six months ago, and ask tough questions about whether those compromises should be sustained in the long term. While not every issue can be addressed immediately, the business risk resulting from these compromises should be tracked, prioritized, and mitigated in a systematic fashion.
3. Cloud services shift the perimeter from networks to identities.
   Many organizations have addressed their expedient IT needs in the present crisis by expanding their use of cloud services. Cloud services have many advantages, including rapid scalability, easy provisioning, reduced capital expenditures, and usage-driven cost models. However, one of the disadvantages of cloud services is that they tend to shift many aspects of the organization security perimeter from physical facilities and network boundaries, to the identities, accounts, and permissions of the individual users accessing the cloud services. It is very easy to migrate an internal application “to the cloud” and realize too late that the application’s security architecture leaves it wide open to attack and exposes its internal components for all to see on the internet. Organizations should look carefully at the capabilities that have been shifted to the cloud this year, and make sure that those capabilities’ security postures are optimized for the cloud IT environment, as appropriate.
4. Use MFA to protect internet-accessible systems, proprietary information, and privileged accounts.
   The past ten years have shown that MultiFactor Authentication (MFA) is one of the most powerful security tools to protect against compromise of online user accounts, internet-facing applications, and sensitive systems administration channels. While MFA is far from perfect or impregnable – there are known vulnerabilities and attack methods against almost every available MFA technology – it represents a vast improvement over conventional username/password authentication. Also, when MFA is combined with enterprise single-sign-on (SSO) and privileged account management (PAM), the end-user experience can be comparable to, or even superior to, having to remember and type in complex multi-character passwords over and over again.
5. Make sure you are monitoring your IT systems to detect attacks and intrusions.
   While locking down cloud services and deploying MFA can do a lot to improve cybersecurity protection for your organization’s critical IT systems, the fact remains that an ideal impenetrable cyber defense is simply never going to be achieved in the world of real people and real IT. Thanks to the challenges of integration, complexity, and ever-present cost pressures, there will always be gaps and vulnerabilities in cyber defenses that can be identified and exploited by enterprising attackers. Therefore, while prevention is good, monitoring and detection are key to achieving a balanced cyber defense that both works well and fails gracefully. With good monitoring and detection, along with skilled analysts performing incident response, organizations can build cyber defenses that are comprehensive and robust enough to be effective not only when things go right, but also when things inevitably go wrong.
6. Give serious thought to resilience and recovery.
   Finally, even with the best protection, monitoring, detection, and response, even the slightest cyberattack is bound to do some level of damage to sensitive IT systems. Resilience and recovery capabilities help the organization quickly contain and repair the damage that occurs to restore normal IT operations. You should use segmentation to contain cyberattacks and reduce the damage that occurs from a single cyber defense failure. You should maintain backups of your endpoints, servers, applications, and critical data, along with streamlined processes to deploy those backups to operations. Your restoration processes should include realistic and achievable recovery point objectives (RPO) and recovery time objectives (RTO). For critical business capabilities like online marketplaces and employee remote access, you should have fully-redundant backup systems that can take over on short notice. Finally, all of these capabilities should be regularly tested, so you can have confidence they will work, when they are really needed.

With these six points in mind, your cybersecurity program should be able to keep up with today’s rapidly-changing IT, and address not only the needs of the present crisis situation, but also the needs of future twists and turns in the business situation.  Best of luck, and here’s to 2021!

To learn more about how you can better secure your organization in today’s environment read:

• Secure Remote working and collaboration solutions

Chris Williams

Expert in Cybersecurity strategy

I have been involved in the IT security field since 1994 with a combination of commercial and military positions.
I joined Capgemini through its acquisition of Leidos Cyber in 2018, and currently focus on enterprise cybersecurity, defense against advanced threats, and regulatory compliance strategy.  I have advised commercial clients in the Financial, Industrial, Energy, and other critical infrastructure industries, and also hold a patent for secure e-commerce technology.
I regularly advise my clients on advanced cyberdefense topics including Advanced Persistent Threat, nation-state adversaries, Identity and Access Management, and cloud solutions using SaaS, IaaS, and PaaS technologies.  I have also performed cybersecurity assessments using the NIST CSF, FISMA, FedRAMP, HIPAA, FFIEC, CSC-20, and other frameworks.
I am a frequent public speaker and have presented on cybersecurity topics at RSA, MILCOM, HIMSS, (ISC)2, ISSA, the Smart Card Alliance, B-Sides and other forums.
I have co-authored four books on cybersecurity:
Enterprise Cybersecurity: How to Build a Successful Cyberdefense Program (Apress)
Enterprise Cybersecurity Study Guide (Apress)
Understanding Security Issues (de Gruyter)
Building an Effective Security Program (de Gruyter)
I am also a former Ranger-qualified paratrooper with the 82nd Airborne Division, and hold degrees in Computer Science and Information Assurance.