Cybersecurity challenges arising from the work-from-home mode
On 23rd January 2020, when the city of Wuhan went into lockdown, cybersecurity changed forever.
Within a month, millions of employees around the world were working from home. But although the way in which organisations work had altered dramatically—possibly forever—the threat actors were still out there. And as working modes change, so do the risks. Ben Wootliff of Control Risks discusses the common cybersecurity challenges encountered by organisations as their workforces logged in from home, and other key findings from a recent survey.
In April 2020, as remote working became established as the global norm in response to the COVID-19 outbreak, 16 chief information officers (CIOs), chief information security officers (CISOs) and security advisers took part in a survey on the demands the new situation has placed on them. Collectively, these security leaders are responsible for securing almost 750,000 employees. The respondents, who work at multinational companies, financial institutions, small fintech firms and manufacturing startups, described the outbreak of COVID-19 as among the most challenging periods of their careers.
Companies, governments and non-governmental organisations (NGOs) are all facing multiple challenges. Initially, these were tactical and logistical: “How do I get 10,000 new users onto my [virtual private network] VPN?” As we move, however, from the ‘response’ phase of the crisis to the ‘recovery’ phase, the challenges are becoming strategic: “How do I plan cybersecurity when the whole organisation has been upended?”
When governments first imposed lockdowns, organisations were forced to ramp up their remote access capabilities. “We had to massively increase our VPN capacity to 150,000 users from 25,000,” said an Asia CISO of a multinational financial institution. Another had to increase capacity 20-fold overnight. Yet from a performance perspective, most organisations say the infrastructure on which they ran their systems was able to deal with the sometimes exponential increase in demands.
In the early stages of the COVID-19 outbreak, organisations faced challenges in continuing operations. For example, information technology (IT) teams had to work 24/7 to provide employees with laptops and peripherals such as two-factor authentication tokens. Another issue faced by some organisations, particularly law firms and financial institutions, was printing and scanning documents. “Lawyers like to print out their documents, as well as read, review and sign them,” said an information security manager of a large global law firm. “We had to find a way of doing this securely.” A law firm CIO said: “We were tempted to use a scanning app but decided that the risks were too high and refused to compromise.” Multinational companies (MNCs) have faced similar difficulties. A CISO of a company that employs 30,000 staff said: “[Printing and signing] were problems for the tax department and the legal team.”
While most organisations had previously rolled out two-factor authentication for certain employees, with the COVID-19 outbreak, this has often been extended across the entire operation. Implementation was relatively uncomplicated: “We had to roll this out across the organisation, but with Microsoft [software], it was relatively straightforward,” said one CISO.
Remote-working technologies have been a security challenge. Zoom, a video-conferencing tool, initially was very popular, but users were divided over using it due to privacy concerns. One IT specialist in a startup felt compelled to move away from the app because their company was in the process of raising funds and some investors were uncomfortable using the service. Others surveyed decided to move to Microsoft Teams to sync with their use of the company’s Office365 software suite. Meanwhile, organisations are having to identify ways of managing incident response and updates remotely. “Patching and updating was often done through the intranet. We’ve had to design workarounds because this isn’t available,” said one security expert.
Not all cybersecurity challenges have been technical in nature. Fears over COVID-19, and a desperate thirst for information on the virus, made it a classic phishing lure. Indeed, nearly all respondents reported phishing attacks stemming from the COVID-19 outbreak. Most had responded by alerting users to these attacks and providing warning messages from their human resources teams. A few organisations, however, took a more aggressive approach by sending out their own COVID-19-related phishing tests. One law firm revealed that it had “sent out [phishing test] emails with Centers for Disease Control and Prevention and World Health Organization branding on them – which people clicked on!” Another law firm said that the IT security team wanted to do this but the firm’s partners had vetoed the idea, deciding that it was not an appropriate time to do so.
The misuse of legitimate communication tools by employees and the need for new options have obliged organisations to review their approach to managing cybersecurity: “[Working from home] has forced discussion about software management—particularly with regard to exceptions, whitelisting and acceptable use policy—on a global scale. This was triggered by widespread, unapproved adoption of Zoom by individuals with their work email account for internal work,” said an Asia CISO.
These tactical problems have been mostly solved by massive efforts on the part of IT teams. One CIO described this as “cyber heroics”, with his team working 24/7 to ensure his organisation could operate remotely.
As a next step, cybersecurity leaders would do well to think strategically about the post-COVID era. This is proving difficult for some business leaders who are still in ‘fire-fighting’ mode. A CISO of an investment bank said: “Our biggest challenge is sustaining the pace [of response]…[I am concerned about] how are people coping mentally and physically.” Furthermore, financial and organisational constraints are forcing companies to downgrade their capabilities: “We have a hiring freeze and the director of information security has resigned, so there is no formal second line of security in place,” said an employee from a global manufacturing company. Consequently, long-term strategic cybersecurity planning and management are falling behind. “The biggest challenge is that all my strategic work has gone out of the window. I can’t think more than a week out at the moment,” said a global CISO.
COVID-19 has also accelerated the cloud computing trend. “We have expedited the release of some applications because of this. If this had taken place six to nine months from now, all this would have been in place,” said a regional CISO of a large investment bank.
This aligns with the ongoing redefinition of how an organisation is structured and executes its work, and therefore what cybersecurity means to it. For example, erstwhile office-focussed law firms are evolving a new work culture that revolves around remote working. “Our London partners had been opposed to working from home, but this will now be different after COVID-19,” said a law firm CIO.
And given that large global companies have multiple lines of business, their resources do not tend to be distributed evenly. “We have a number of smaller businesses and offices in Asia that don’t have their own capability…keeping them secure has been a real challenge,” said a CISO for a global apparel company.
The new forms of working are only going to increase this challenge, with the breakdown of boundaries between home and office also impacting those between the enterprise network and domestic network. As one CISO said: “Security has now moved from the perimeter… [and] we are now operating a zero-trust framework… we are moving from defending lines to defending dots…”
Here are a few takeaways:
- While organisations have been addressing both tactical and logistical challenges, such as increasing their VPN capacity tenfold, they need to think more holistically by asking: What will cybersecurity look like in the post-COVID-19 world?
- While cloud adoption has gained significant traction in the corporate world, it is now integral to the new distributed operating model.
- Cybersecurity has traditionally been viewed as defending a perimeter – or “protecting the line”. Working from home has effectively upended this and shifted the focus to “protecting the dots”, that is, securing the individuals and endpoints that comprise a post-COVID business.
Note: The findings in this article came from a survey carried out by Control Risks in April. For further detail on COVID-19 business recovery, visit https://www.controlrisks.com/covid-19
Control Risks is a specialised risk consultancy committed to helping clients build organisations that are secure, compliant and resilient in an age of ever-changing risk and connectivity. Clients include national and multinational businesses in all sectors, law firms, government departments from many parts of the world, NGOs and SNBs, both national and international.