Cyber for the autumn of COVID: a three-part series – part 2

This blog is part two of a three-part series on cyber for the autumn of COVID. Stay tuned for the exciting conclusion!

• Part 1: How COVID has changed IT
• Part 2: How COVID is shaping the cyber landscape for 2021
• Part 3: Six key takeaways for 2021 cyber planning

Part 2:  How COVID is shaping the cyber landscape for 2021

In the first part of this series, we saw how COVID has changed IT in 2020. In this article, we consider how we expect COVID will shape the cyber landscape going into next year.

The BBC reported in June that many of the impacts of the COVID era are here to stay. These impacts may range from re-openings taking much longer than originally planned, to long-lasting shifts in personal behaviors, daily habits, work commutes, and purchase patterns. Changes have included transformations of urban area rush hours, closing of corporate offices, and shopping patterns that have become online-first, and in-person second. These shifts may then be driving strategic business changes including investments in COVID-ready product lines, relocating of staffing centers, and reducing or even eliminating corporate headquarters facilities. Safe to say that many employees who were “kicked out” of the office are not going to be going back, for a variety of reasons both personal and professional.

Along similar lines, ComputerWorld reported in September that COVID is driving significant IT shifts to cloud, digitization of work processes, and investments in employee connectivity and collaboration tools. Going into the fall, and looking toward 2021, we can expect that these trends may play out in a couple of ways for businesses. First, the uncertainty of the present situation seems destined to continue. While originally planned as a brief “lockdown” followed by getting back to business as usual in the summer, surging cases in the US, Europe, and elsewhere, are making the present situation more uncertain than ever. Businesses are conserving cash to prepare for all possible contingencies, including new lockdowns and widespread recessions. In addition, they are finding that switching to virtual offices and teleconference calls has not been as disruptive to productivity as was feared, and could easily be sustainable for the long run, especially when the potential real estate cost savings are considered.

What does this mean for cybersecurity over the year to come? To put it simply, cyber is going to have to “keep up” with the shifts in IT and the business environment, and the security changes those shifts necessitate. As IT has been central to organizations successfully teleworking, cyber for those teleworking capabilities has become critically important, even in cases where it might not have been critically important in the past. As organizations have leveraged the cloud to ramp up their IT capacity, cybersecurity for those cloud services has become important, even in cases where cloud services might not have been utilized in the past. Four cyber trends that we believe will be important going forward are as follows:

• Hunkering down for the long haul: Clearly, COVID is no longer a short-term inconvenience to be dealt with over a couple of weeks and then back to business as usual. Instead, we should treat the present arrangement as a “new normal” and adjust our resources, planning, and priorities accordingly. While it is entirely possible that things may start shifting back a year from now, it is looking increasingly unlikely that things will change much within the next several months. Therefore, our cyber posture needs to be positioned to protect our IT systems the way they are operating today, with the expectation that we may continue operating this way for the foreseeable future.
• Addressing cyber compromises and technical debt: Many organizations put in place interim arrangements to address the increased IT needs of remote workers, isolated customers, and tele-collaboration for sales and support. These arrangements may have included adding additional capacity or engaging cloud resources, or relaxing security protections such as network security boundaries, user authentication requirements, or cyber compliance controls. Now that we are hunkering down for the long haul, these compromises and the risks they entail should be addressed. Specifically, organizations should consider the following measures to improve their cyber posture, especially if that posture has been compromised to meet expedient needs:
  • Enforce MultiFactor Authentication (MFA) for internet-facing systems and services, especially those that handle sensitive, proprietary, or regulated data. This may include accounts not only for employees, but also for contractors, partners, customers, and systems administrators.
  • Limit enterprise data on personal and third-party devices when those devices have been allowed to connect to the enterprise network or access its data. In cases where non-organizational devices have access to sensitive data, consider measures to reduce access, protect data, and detect malicious activity.
  • Enhance cloud security where cloud services have been enabled or expanded to meet the needs of the crisis, but without adequate security controls in place. Pay special attention to cloud data interchanges, cloud-based data repositories, and administrative access to cloud services.
  • Enhance compliance where regulatory or audit requirements may have been reduced or exempted to meet the needs of the immediate crisis. Look at ways to enhance security controls to meet obligations without impairing the capabilities needed by the business.
• Accelerating cloud migrations: Many organizations, as part of handling the uncertainty of the COVID crisis, have accelerated their migrations to the cloud for key capabilities, enterprise applications, and IT infrastructure. Business drivers for these moves include conserving cash by shifting capital costs to operational expenses, reducing operating costs through eliminating on-site infrastructure, and achieving greater flexibility through scalable and elastic cloud services. In addition, present business uncertainties favor cloud services that can be quickly ramped up to increase capacity, or ramped down to reduce cost, as appropriate. As these migrations accelerate, security controls must be tailored to the unique needs of cloud environments and applications. In particular, organizations should pay close attention to protecting cloud administrator accounts so they are difficult to compromise and to limit the damage that compromised accounts might cause.
• Strengthening cyber defenses: Finally, many organizations, after they address their cyber compromises and technical debt, will want to strengthen their cyber postures going forward. A key driver for this is the increased importance of IT to tele-collaboration, and the reality that the present dependence on online services, digital processes, and network-based collaboration is not going anywhere soon. Cyber defenses can be strengthened using multifactor authentication (MFA), network access control (NAC), data rights management (DRM), virtual desktop infrastructure (VDI), and mobile device management (MDM), to name a few. In addition to enhancing preventive controls, organizations should also consider detective controls like log monitoring and analysis. With good detection, intrusions and breach attempts can be identified and disrupted.

Stay tuned for Part 3, where we turn this knowledge into actionable recommendations for your 2021 planning.

To learn more about how you can better secure your organization in today’s environment read:

Cyber Services – Remote Capabilities

Chris Williams

Expert in Cybersecurity strategy

I have been involved in the IT security field since 1994 with a combination of commercial and military positions.
I joined Capgemini through its acquisition of Leidos Cyber in 2018, and currently focus on enterprise cybersecurity, defense against advanced threats, and regulatory compliance strategy.  I have advised commercial clients in the Financial, Industrial, Energy, and other critical infrastructure industries, and also hold a patent for secure e-commerce technology.
I regularly advise my clients on advanced cyberdefense topics including Advanced Persistent Threat, nation-state adversaries, Identity and Access Management, and cloud solutions using SaaS, IaaS, and PaaS technologies.  I have also performed cybersecurity assessments using the NIST CSF, FISMA, FedRAMP, HIPAA, FFIEC, CSC-20, and other frameworks.
I am a frequent public speaker and have presented on cybersecurity topics at RSA, MILCOM, HIMSS, (ISC)2, ISSA, the Smart Card Alliance, B-Sides and other forums.
I have co-authored four books on cybersecurity:
Enterprise Cybersecurity: How to Build a Successful Cyberdefense Program (Apress)
Enterprise Cybersecurity Study Guide (Apress)
Understanding Security Issues (de Gruyter)
Building an Effective Security Program (de Gruyter)
I am also a former Ranger-qualified paratrooper with the 82nd Airborne Division, and hold degrees in Computer Science and Information Assurance.