A dual cybersecurity mindset for the next normal
As the COVID-19 pandemic swept across the world, most organizations made a quick transition to a remote workforce and a more intense focus on serving customers through digital channels. This created a rapid surge in demand for digital capabilities, products, and services. Cybersecurity teams, for their part, were largely successful in taking on a dual mission of supporting business continuity and protecting the enterprise and its customers.
The digital response to the COVID-19 crisis has also created new security vulnerabilities. Attackers seek to exploit the gaps opened when telecommuting employees use insecure devices and networks. Threat actors also use known attack techniques to exploit people’s COVID-19-related fears. For example, Google tallied more than 18 million malware and phishing emails related to the novel coronavirus on its service each day in April. It also reported identifying more than a dozen government-backed groups using COVID-19 themes for these attempts.
The COVID-19 pandemic and the efforts to contain it have had serious economic and business consequences. These are affecting core dimensions of the business environment, from digital strategies to operational and enterprise risk appetite. Supply-chain configuration and business interactions with regulators are likewise being reshaped, as are the ways we think about the very nature of work. A McKinsey survey of digital sentiment revealed that most employees who are now telecommuting do not expect to return to the workplace soon. Seventy percent of those responding believe that the ability to continue telecommuting will factor into their next job choice. Customers express similar sentiments: 75 percent of respondents using digital channels as a result of the COVID-19 crisis say that they will continue to do so.
Chief information-security officers (CISOs) and cybersecurity teams will need to approach the next horizon of business with a dual mindset. They must first address the new risks arising from the shift to a remote digital working environment, securing the required technology. They will also need to anticipate the next normal—how their workforce, customers, supply chain, channel partners, and sector peers will work together—so that they may appropriately engage and embed security by design. The new context of changing customer and employee behavior and a constantly shifting threat landscape must also be considered.
The pandemic response has underscored the vital role that security plays in enabling remote operations, both during and after a crisis. As companies reimagine their processes and redesign architecture amid the COVID-19 response, cybersecurity teams are being perceived anew. They must no longer be seen as a barrier to growth but rather become recognized as strategic partners in technology and business decision making.
Addressing risks and fortifying gains
Throughout the crisis, cybersecurity leaders responded with a focus on three activities as companies shifted to new processes and technologies: assessing and knocking down hot spots, fixing and mopping up operations, and fortifying incremental digital gains. Efforts in each area occur simultaneously and are ongoing. Cybersecurity teams may only just be arriving at the point where they are fortifying initial incremental gains; they may also have to reevaluate prior efforts as new technologies or processes are introduced. Here are some of the experiences in these three areas companies and cybersecurity leaders have shared with us.
Assessing and knocking down hot spots
As employees began working from home in less secure environments and, in many cases, with less secure personal equipment, security teams have had to remediate immediate operational, process, and technology gaps related to the pandemic-induced response and the shift to remote working. Leaders have had to address training gaps, lead virtual all-hands meetings, and call on workers to maintain digital hygiene, such as patching their computers and updating mobile software.
For example, a large financial-services company was able to support its remote workforce swiftly by distributing Wyse thin-client terminals to all call-center staff for secure remote connections. Some initial issues with bandwidth and performance were resolved by enabling virtual-private-network (VPN) split tunneling as well as upgrading firewall infrastructure. (Split tunneling sends only corporate-bound traffic through the VPN, so the internet traffic that bypasses the tunnel is no longer inspected by the corporate perimeter and must be covered by end-point controls instead.) The company also enabled remote patching of all end-user devices by upgrading all its AnyConnect remote-access servers.
In another case, a large bank adjusted several security policies in response to the COVID-19 crisis. The company ran more frequent awareness campaigns (with tailored pandemic-themed content), resulting in a 95 percent improvement (that is, reduction) in employee click rates during monthly antiphishing tests. Additionally, the organization introduced restrictions on USB connections and put critical patches on a 30-day cycle.
Fixing and mopping up operations
In the early days of the pandemic response, many companies were forced to accept new risks, including reduced control standards, to keep operations going. As employees and customers became accustomed to the changes, companies evaluated these residual risks and tightened controls.
For example, to catch up with a surge in adoption of various cloud-based collaboration tools, a large telecommunications provider accelerated the rollout of new cloud-aware monitoring capabilities within its security-information and event-management (SIEM) tool. Additionally, it reviewed its security and monitoring controls for third-party vendors to ensure that restrictions that had been temporarily lifted were put back in place.
Along the same lines, a large bank conducted threat modeling on its new collaboration tools that employees had been using, including unauthorized tools introduced during the shift to remote working. The bank also updated security controls or replaced products based on acceptable-risk thresholds.
Fortifying security gains
As employees became comfortable working from home, companies began standardizing procedures for remote work environments and explored technologies to reduce long-term risk.
Some companies introduced stronger consumer-security and fraud-prevention controls. A large bank expanded its biometric- and device-based authentication for sensitive customer transactions across new, critical digital channels. The bank also accelerated implementation of a state-of-the-art, artificial-intelligence-based fraud-detection platform. As a result, incoming transactions could be analyzed in 300 milliseconds or less, compared with the hours this took before.
In another instance, a national insurance company updated policies and procedures to institutionalize the security controls required in a remote work environment. It established a new policy and standard to mitigate the risk of cybercriminals infiltrating the network through unsecured home printers. Except for approved business cases, all employees were restricted from printing remotely through personal printing devices.
Anticipating the next normal
As cybersecurity leaders get a handle on the first stage of the pandemic, CISOs are shifting to anticipating how the business environment will be affected by new conditions. They are adapting to incorporate these expectations of the next normal into both current cybersecurity activities and long-term cyberrisk strategies (Exhibit 1).
Secure the workforce in new ways of working
The COVID-19 crisis has fundamentally changed ways of working, as many companies are extending the remote-working policies that became necessary during the pandemic (see sidebar “A case example on securing the workforce”). Organizations could emphasize the following cybersecurity initiatives:
Dynamic security. Static, network-based security perimeters will no longer be sufficient. The security dynamic among users, assets, and resources must be the new focus. Define identity as a perimeter with scaled-up capabilities in identity and access management, privileged-access management, multifactor authentication (based on devices or biometrics), key management, and heuristics based on log-on behavior. For assets, consider a strategy using a software-defined perimeter and enhanced network segmentation (using logical microsegmentation through next-generation firewalls). Protect end-point assets and utilize real-time anomaly detection with end-point-detection and -response systems. Protect data assets through enhanced block-mode data-loss-prevention tools and utilize a model of preapproved sites as a default for external access.
Cloud-based tools and infrastructure. The need for greater agility and flexibility will accelerate the use of the cloud. Restrict localized data storage for the remote workforce and transform end-user infrastructure through increased adoption of virtual desktop and desktop as a service. Support the increasing shift to a multicloud environment and cloud-based services through access controls at points where policy is decided and enforced; implement a cloud-access-security broker.
‘Contact aware’ workforce privacy. Heightened security will require new agreements with employees. Factor in the implications of workforce privacy and employee consent to introduce contact-aware tools, such as contact tracing and temperature taking, in the workplace (as enabled, for example, in the API for contact tracing that is integral to the recent iOS 13.5 update).
People defense. Companies will need to extend their operational defenses as working from home becomes standard. Roll out insider-threat-detection programs and explicit policies for a safe remote workplace. These could include restricted remote printing and prohibited sharing of company devices with family members. In addition, companies could consider helping employees manage stress levels, offering support in the current circumstances. Protecting employees is not just a leadership imperative: it will also reduce vulnerabilities created by worker anxiety.
Remote cybersecurity operating model and talent strategy. The new ways of working will have implications across the enterprise. Rethink the cybersecurity operating model and continuity plans for physical-location-constrained operations, including automation opportunities. Derisk by design and further embed in application-development processes the principles and capabilities of DevSecOps—the linkage among development, security, and operations. Use the imperative of remote working as an opportunity to gain access to a broader pool of cybersecurity talent where there is an existing gap in local talent pools.
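As an added illustration of the "heuristics based on log-on behavior" item under Dynamic security above (example code written for this page, not from the article or any vendor product): a scoring pass over constructed authentication events that flags an unknown device, an off-hours logon, and impossible travel between two logons, then maps the score to allow, step-up MFA, or block. The event format, the known-device list, the working-hours window, the weights, and the thresholds are all assumptions chosen for the example.

```python
"""Log-on behaviour heuristic: score each authentication event against the
user's recent history and decide whether to step up to MFA or block.

Added example for this page; the event format, weights and thresholds are
assumptions, not a real product's rules.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed baseline (assumption): devices each user has enrolled.
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}}
WORK_HOURS = range(7, 20)      # 07:00-19:59 treated as the normal log-on window
MAX_PLAUSIBLE_KMH = 900        # faster than this between two logons = impossible travel

# Constructed sample events: (timestamp, user, source IP, device id, approx (lat, lon)).
SAMPLE_EVENTS = [
    ("2020-04-06T08:02:11", "alice", "203.0.113.10", "dev-a1", (51.5074, -0.1278)),   # London, enrolled laptop
    ("2020-04-06T09:15:40", "alice", "203.0.113.10", "dev-a1", (51.5074, -0.1278)),   # same, an hour later
    ("2020-04-06T09:40:02", "alice", "198.51.100.7", "dev-zz", (40.7128, -74.0060)),  # New York 25 min later, new device
    ("2020-04-06T22:30:00", "bob",   "192.0.2.55",   "dev-b1", (48.8566, 2.3522)),    # Paris, enrolled device, late evening
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def score_event(event, last_seen):
    """Return (score, reasons) for one event; last_seen holds each user's previous logon."""
    ts, user, _ip, device, geo = event
    t = datetime.fromisoformat(ts)
    score, reasons = 0, []

    if device not in KNOWN_DEVICES.get(user, set()):
        score += 40
        reasons.append("unknown device")

    if t.hour not in WORK_HOURS:
        score += 20
        reasons.append("off-hours logon")

    prev = last_seen.get(user)
    if prev is not None:
        prev_t, prev_geo = prev
        hours = (t - prev_t).total_seconds() / 3600
        dist = haversine_km(prev_geo, geo)
        if hours > 0 and dist / hours > MAX_PLAUSIBLE_KMH:
            score += 50
            reasons.append(f"impossible travel ({dist:.0f} km in {hours * 60:.0f} min)")

    last_seen[user] = (t, geo)  # this logon becomes the baseline for the next one
    return score, reasons


def decide(score):
    """Map a risk score to an access decision (thresholds are assumptions)."""
    if score >= 70:
        return "block"
    if score >= 20:
        return "step-up MFA"
    return "allow"


def evaluate(events):
    """Score events in order; returns (user, timestamp, score, decision, reasons) per event."""
    last_seen = {}
    results = []
    for ev in events:
        score, reasons = score_event(ev, last_seen)
        results.append((ev[1], ev[0], score, decide(score), reasons))
    return results


if __name__ == "__main__":
    for user, ts, score, decision, reasons in evaluate(SAMPLE_EVENTS):
        print(f"{ts} {user:<6} score={score:<3} {decision:<12} {'; '.join(reasons)}")
```

In this run the third alice event scores 90 (new device plus a London-to-New-York hop in 25 minutes) and is blocked, while bob's late-evening logon from an enrolled device scores 20 and is sent to step-up MFA; in production the same signals would feed the identity provider's conditional-access policy rather than a standalone script, and the baseline would be learned from history rather than hard-coded.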
This article has been taken from McKinsey & Company; please see the original article below: