No one could have predicted the volatility and tectonic shifts in cyberspace that arrived alongside the COVID-19 pandemic. We, social beings that we are, were forced to physically isolate ourselves from the world and stay within the confines of our homes, while corporations were dealt a serious strain on their workforce, operations, and cyber resiliency. Cybersecurity was strangely a priority for some and secondary for others, as organizations scrambled to provide remote capabilities, capacity, and security to stay operational while weighing the risk and impact to themselves. Corporate ecosystems around the world were also forced to evolve rapidly to stay competitive. As a result, “work from home” became commonplace far sooner than expected. Educational institutions adopted online classes to continue teaching students in a virtual environment they weren’t ready for. SMBs embraced new technologies to keep operations running and explored pivots to keep their business model and workforce viable. The pandemic severely impacted economies around the world, and how severely it hit a given organization depended on whether that organization was digitally ready or not; the lack of digital readiness showed its relevance and priority. However, this shift towards digital solutions also opened a plethora of opportunities for cybercriminals around the world to exploit. Be it educational institutions, small and medium-sized businesses (SMBs), or even governments, a range of organizations didn’t possess the cyber hygiene or digital maturity required to ward off a potent cyber risk. With major breaches simultaneously reaching multiple companies and governmental organizations, the SolarWinds cyberattack was unprecedented and should be a cautionary lesson: we are never secure enough, and a weakness is always waiting for the right opportunity to be exploited.
In this article, we’ll discuss how the post-pandemic normal brings with it a whole bunch of cybersecurity challenges, how to allocate your cybersecurity budget, and some tips to avoid a cybersecurity incident during the next future pandemic. So let’s get started.
Top Cybersecurity Challenges in the Post-pandemic World
Threats accompanying remote working model
The first set of cybersecurity challenges popped up for organizations transitioning from an organized system to a relatively informal “work from home” workforce. Earlier, these organizations maintained cyber hygiene with secured local area networks, desktops, and machines. There were also in-house teams readily available to deal with any internal technology or cybersecurity issue. Now that most of the workforce is operating remotely, the cyber resiliency of a professional workforce is tough to maintain, because work happens outside the perimeter of the defined security environment. Individuals are using their home networks, and most of them don’t have the cyber awareness necessary to stay safe on open networks; worse, many organizations weren’t set up for the majority of their workforce working remotely. Additionally, it isn’t easy to ensure the devices used by the remote workforce are used for official work only. Sometimes kids end up using these devices and expose them to an open internet full of cyber risks. Enterprises often promote the use of VPNs so that their employees work on secured networks, but such minor negligence can still lead to significant damage. The risk of a breach increases significantly when your workforce is within its “safe” home environment, which tends to relax the security awareness and practices that would normally apply in the work environment.
Targeting specific people and organizations
It’s often said that humans are the weakest link in the cyber risk mitigation initiatives of any organization, and with the new normal forcing humans to work in isolation, systems are at more risk than ever. Social engineering and phishing attacks have significantly increased in number. Research shows that phishing attacks in the aftermath of the pandemic rose by 667%. Cybercriminals are trying to leverage the pandemic situation to scam unsuspecting individuals, and amid the chaos of a pandemic, with multiple areas of concern demanding your attention, this is easily done. They get users to click on harmful links by presenting them under the veil of critical information. The perpetrators have also been found to specifically target people holding key positions in organizations, such as network administrators. Even though it is significantly harder to con such people because of their superior cyber hygiene and operational protocols, they are still susceptible to scams due to the value of the data their systems hold, the heightened state of a global event like a pandemic, and the abnormal operating conditions required to ensure business continuity.
Educational institutions are not spared any more
The other kind of easy target for cybercriminals is the institution that wasn’t traditionally required to have a beefed-up cyber infrastructure. We are talking about educational institutions, medical facilities, and the hospitality industry. An IBM study states that data breach costs in the healthcare sector were the highest at USD 7.13 million. In a pre-pandemic world, these institutions would usually work in a tight-knit, secured environment where connecting their systems to the open internet was never a necessity, or, if it was, the connection was secured in ways that limited or protected their exposure. So, these institutions did not need to invest in cybersecurity before, since their operating model was more in-person. However, now it’s nearly impossible for them to function without opening themselves to the dangers of the open internet, as they were forced to move to an online environment. These institutions have valuable and critical information to protect, which, in the wrong hands, will always prove detrimental to the organization. Since the databases of these institutions often contain private information of clients, customers, patients, and students, the consequences of a leak are severe. It is, therefore, necessary to educate employees on the importance of cybersecurity, as confirmed by a study conducted by KnowBe4. According to KnowBe4, around 30% of employees failed a phishing test, but that figure fell to 5% after cybersecurity training.
Tips to Avoid Cybersecurity Incidents in the Post-pandemic World
Here are some tips to help you avoid the above challenges and safeguard yourself from the clutches of cybercriminals in 2021:
- Cyber Awareness – Organize cyber awareness programs in your institutes and company regularly. Highlight the dangers of common cyberattacks such as social engineering attacks, Business Email Compromise (BEC) scams, etc., and mitigation strategies.
- Risk Assessment and Management Model – Ensure the implementation of a proper risk assessment and management model. It will help the managers and executives make informed decisions on cybersecurity resource allocation, tooling, and security control.
- Cloud Security Strategy – Adopt and implement a security strategy for cloud services, as there is an increased risk of phishing attacks on cloud storage environments, along with misconfiguration. See the Cloud Security Guidance from the Cloud Security Alliance.
- Multi-Factor Authentication (MFA) – Implementing Multi-Factor Authentication (MFA) can drastically reduce password compromises while working remotely, and it adds an additional layer of security on top of the standard password policies your organization enforces.
- VPN Policy – Organizations should make it mandatory for employees to use VPN while working on corporate digital assets.
- Vulnerability Assessment and PenTest – Organizations should conduct a vulnerability assessment and penetration testing of their corporate resources periodically to check for vulnerabilities in their infrastructure system.
- Zero-Trust – Adopt and implement a zero-trust network design in which you trust nothing, inside or outside the organization’s perimeter, and verify everything and everyone. We recommend a complete architecture review, since organizations are expanding beyond endpoint protection for their WFH employees as an unintended consequence of pandemic disruption, opening up a potential weak point of entry into the organization.
- Cyber Resiliency – Review and update your business continuity plan (BCP) and disaster recovery plan (DRP) to ensure the lessons learned from this Pandemic or the Solarwinds cyber attack are corrected and implemented within your organization. Check out cyber resiliency information from one of our Strategic Partners, IBM.
- Incident Response Plan – Review and implement an Incident Response Plan (IRP), conduct a tabletop exercise to identify any flaws in the incident response activity, and update the plan accordingly for future events.
Improvements Without Spending Significant Money?
All too often there is an industry-wide assumption that you have to spend money on better tools to get more security protection for your organization. We have identified a few areas that wouldn’t cost much for your team to implement beyond the normal payroll for your team resources and perhaps some OpEx spending and, with a little finesse, maybe some CapEx spending, to help improve the internal security of your organization.
Implement Zero-Trust Architecture/Design
There are very simple ways to start implementing Zero-Trust within your current architecture. This is mostly a matter of software configuration, but there will be some internal changes to your infrastructure and architecture that represent a significant security improvement over previous practices. There are great guides from trusted sources that provide real insight into how Zero-Trust can be leveraged within your organization; here are a couple for review (Microsoft, Microsoft, Google).
Implement Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) is readily available on most applications and in most login settings, and it can easily be activated and implemented. This is a huge plus for mobile devices and applications for which you want an extra layer of authentication security. Microsoft has a good blog article for understanding Multi-Factor Authentication (MFA) and improving authentication security internal to your organization.
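The "extra layer" that MFA adds is a second factor the password alone cannot supply. The most common low-cost form is a time-based one-time password (TOTP, RFC 6238) generated by an authenticator app from a shared secret, so a stolen password is useless without the current code. The following is an added example written for this article, not code from the original post or from any product it mentions; it implements HOTP/TOTP on the standard library only, verifies a submitted code with a small clock-drift window, and uses a constant-time comparison so the check does not leak which digits matched. The test secret is the RFC 4226/6238 published test vector ("12345678901234567890"), not a real credential.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"),
# base32-encoded the way authenticator apps expect it. Test data only.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")


def generate_secret(nbytes: int = 20) -> str:
    """Return a fresh base32 shared secret for enrolling a user (shown as a QR code in practice)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    # Tolerate secrets stored without base32 padding.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret_b32, at_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, at_time: int, step: int = 30,
                digits: int = 6, drift_steps: int = 1) -> bool:
    """Check a submitted code against the current step and +/- drift_steps neighbours.

    drift_steps=1 tolerates a phone clock that is up to one step (30 s) off; a larger
    window only widens the guessing surface, so keep it small. A server should also
    remember the last accepted counter to reject replay of the same code.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = at_time // step
    matched = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = hotp(secret_b32, counter + delta, digits)
        # compare_digest keeps the comparison constant-time for equal-length strings.
        if hmac.compare_digest(expected, submitted):
            matched = True
    return matched


if __name__ == "__main__":
    secret = generate_secret()
    now = int(time.time())
    code = totp(secret, now)
    print("enrolment secret:", secret)
    print("current code:", code, "verifies:", verify_totp(secret, code, now))
```

For the RFC test secret, `totp(RFC_TEST_SECRET, 59)` yields `287082`, matching the published vector, and the same code is rejected once the drift window is set to zero and the clock has moved on a step.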
Where to Spend Your Cybersecurity Budget?
Globally, 30,000 websites are hacked daily, and nearly 64% of companies experienced at least one form of cyberattack in 2020. It is evident that cybercriminals spare no one in the present world. This year will bring new costs to uplift your cybersecurity space. According to a study by Canalys, cybersecurity budgets in 2021 are expected to rise by 10%, and Dyzana Consulting would argue that this increase should be significantly larger depending on how much the pandemic exposed less-than-adequate cyber hygiene in your organization. The global move to the ‘work from home’ ecosystem without proper cyber hygiene has left many institutions and businesses scrambling to protect their data from dynamic threats. Many of these threats are progressing rapidly, constantly evolving and reprioritizing, and they are never the same for every organization; still, the following is a good list of items for review. Here are some key items that should find a place in your cybersecurity budget in 2021 and beyond.
Improving the skill-set of your existing staff
Even before the onset of the pandemic, many organizations were hinting at making the switch to permanent remote working. Their reasoning predominantly revolved around saving costs related to infrastructure, electricity, inter-branch travel, and so on. However, these organizations never factored in the role of cybersecurity and the threats that came along with the remote working model. Employees who work from home require additional training to be able to recognize and prevent security breaches immediately. They need to understand that it is their responsibility to keep the company’s digital assets protected. As a bare minimum, they should be trained on the basic types of cyberattacks and on handling them in the absence of trained cybersecurity personnel. Organizations that invest in educating their team members to handle cyber incidents and ransomware attacks will find those team members to be key assets, alongside proper risk management.
Draft an Incident Response Plan
Did you know that more than 77% of companies do not have an Incident Response Plan in place? Companies should make a logical estimate of the number of incidents that are likely to occur and calculate the cost of establishing a valid and robust incident response plan in line with the results. It’s no secret that a business should spend money to make money, but if some of that money isn’t being spent internally on cyber resiliency improvement, this could put your organization at risk. If you think there is even a remote chance of your digital assets getting hacked, then Incident Response should be the area you put your money on. Every CISO (or virtual CISO / vCISO these days) should apprise their CEO, Executive Leadership, and Board that they cannot afford to overlook an Incident Response Plan beyond 2021. A real team priority in the COVID-19 aftermath is for organizations to revamp their cyber resiliency by reviewing, through tabletop exercises, their incident response plans (IRPs), business continuity plans (BCPs), and disaster recovery plans (DRPs). This pandemic has brought black swan events to reality, and organizations now have an opportunity to prepare for future events and increase their state of cyber resiliency.
Replace or upgrade software and hardware
Ever since the concept of work from home surfaced, everyone’s digital assets (including those of people working from the office) have been under constant threat. Older laptops with outdated security software attract cybercriminals like bees to flowers. Managing cybersecurity threats can prove costly to your organization even with a corporate firewall in place and a dedicated IT team for cybersecurity. With a distributed workforce, things worsen, as employees are exposed to the open internet without effective firewalls. For this reason, companies must consider replacing aging hardware and software resources to reduce the chances of a cybersecurity incident. Look at new product offerings in next-generation technology, such as CyberAI tools, CyberAutomation, Digital Cyber, Digital Protection, and so on.
Cyber insurance
Given the volatile nature of cybersecurity, a major chunk of businesses might argue that cyber insurance is never worth the premiums. But COVID-19 has changed all of that, as the number of cyberattacks has increased sharply. Thanks to the remote work culture and the increased risks that come along with it, the need for good cyber insurance has ballooned in recent times. While insurance premiums might seem like a heavy expense to bear at the moment, the coverage will far outweigh its cost in the event of a major cyberattack. With the impact of COVID-19, threat profiles have changed significantly; making the proper adjustments to your cyber insurance is important, along with mitigating those risks as your threat profile evolves.
Hire a good cybersecurity consulting firm
We have saved the best for last. While following the above tips and educating employees about cybersecurity will help, a business often can’t manage this on its own. A lack of resources and of knowledge on where to start can hamper its efforts to beef up its cybersecurity hygiene in 2021. This is where a cybersecurity consultant can help. A good consulting company can guide your operations to a safer environment, not just offer a remedy after damage is done. Some consultants have developed into full-spectrum security-as-a-service providers. They take care of your cybersecurity space entirely and let you focus on other mission-critical aspects of your business.
Why Should You Choose CyberMass as Your Cybersecurity Consultant?
Dyzana Consulting, LLC and its cyber brand company CyberMass has a highly experienced team offering cybersecurity consulting services to clients as one of our core offerings. CyberMass offers a wide array of cybersecurity products and services such as advisory/consulting services, professional services, and managed services. CyberMass has top-tier managed services provider (MSP) offerings, providing cybersecurity products and services that are aligned with your organizational security needs. One of our responsibilities as experienced principal cybersecurity consultants is to offer our knowledge and best resources to keep organization-wide digital assets safe and manage and mitigate risk for businesses to focus on their growth. We go beyond best practices in the industry and constantly devise innovative cybersecurity strategies and solutions to secure your organization’s digital assets from the ever-changing risks of cyberattacks in the post-pandemic world. To know more about how Dyzana Consulting and CyberMass can help, contact us now.
Dyzana Consulting, LLC provides management consulting services, such as product management, development, strategic planning, marketing product analysis, and market opportunity investments through venture projects.