The new cybersecurity priorities of 2020
Business couldn't stop for the pandemic — even when security was in question.
Taking the time to strategize deployments, and forecast project outcomes is a hallmark of good cybersecurity. As companies hastily adopted tools to facilitate remote work, security, the IT component that often delays projects to ensure protection, had to keep pace.
But a scattered workforce and fragmented work hours will contribute to more mistakes. Insider threats, malicious or accidental, cause more than one-quarter of data breaches. However, only 17% of businesses are considered "leaders" in cyber resilience, according to Accenture. Leaders outperform their counterparts, or "average performers," in how they "scale, train and collaborate.
Security solutions can only do so much to defend against non-technical employees and an emphasis on user behavior and awareness is more important this year.
"Security is more about protocols of behavior than it is just about the technical things," Lenley Hensarling, chief strategy officer of Aerospike, told CIO Dive. But "that's pretty much always been the case."
Last year was a record year for ransomware attacks and preparation for privacy regulations in the U.S. The convergence of the two could be lethal for companies. This year was set to focus on following data: how it's stored, how it travels, and how secure it is.
"The chance of misdirecting an email or sending the wrong data to the wrong person is probably as big a problem if not a bigger problem when people are sitting at home," Neil Larkins, CTO and co-founder of Egress, told CIO Dive.
Identity management and privacy were fused together to better safeguard personal information. However, legacy systems slow the adoption of identity solution deployment and prohibit building API-based systems compatible with app integration.
This year, industry expected privacy and security solutions to collide as the California Consumer Privacy Act took effect. It was an opportunity for traditional security tools to moonlight as privacy safeguards, if not an opportunity for the privacy market to expand on its own.
Business decisions under COVID-19
With remote work — and data — scrambled across employee households and the CCPA's enforcement date nearing, companies have a lot to lose.
"It's a question of what responsibility we each need to take about privacy and what responsibility belongs to the vendors of applications we use," said Hensarling.
Companies are currently focused on information security management, particularly ISO standards and compliance set by the security operations center.
"Most of that certification is about, who does what and what policies you have," and whether or not protocols have been followed, said Hensarling. "Protocols about behavior still are maybe the most important thing."
Companies with a workforce that was mostly in-office were caught off guard by the overnight move to remote work because they lacked VPN capabilities on laptops. Only a handful of employees, who were already remote, were likely to have a VPN.
Traditional processes and procedures, such as physically sending documents, were obliterated by remote work. Egress had several customers in the financial industry reach out just for that reason: how to move away from physical document sharing. The same concern was true for moving large amounts of data.
"Particularly for my role as a CTO, everything I'm thinking about is how can I assist humans to make better decisions and to avoid making mistakes?" said Larkins.
2021 and beyond
Some applications had security standards that only addressed an elite group of paying users at the enterprise level. But now platforms have to cater to a broader range of employees, their behaviors, and a lack of security knowledge. Vetting solutions and shadow IT CIOs normally wouldn't be bothered by, are at the top of the list.
Organizations that reacted quickly to stay-at-home orders and hastily deployed free or trial solutions highlighted an issue that permeates the open source world: unfettered default security.
Individuals using free versions of Zoom ran into security issues — despite the underlying security mirroring many of its competitors.
Since then, Zoom has iterated its product and added layers of protection. "It's an amazing example of agility, I think, as a tech company, to sort of keep up with the times to plug the holes where people could," said Hensarling.
Prior to COVID-19, companies were not running encryption on everyone's laptop if they worked in an a secured office. Now companies are "thinking about it and purchasing test software and trying to figure out how to put all that in place," said Hensarling. The companies that managed to set up holistic encryption in a virtual office allowed productivity to continue without too much risk.
Companies either had to scale or buy more technologies to maintain security for a remote workforce because the secure perimeter of an office eroded. Virtual desktop infrastructures, though an expensive solution, will scale with a company for as long as it continues remote work.
"If you look at the first three or four weeks of lockdown in North America, in the U.K. and in parts of Europe, the biggest struggle for business was just getting the business operational," said Larkins.
How priorities shifted
The security market is "somewhat more resilient to a downturn," according to Gartner. But companies are having to evaluate where their risk appetite is and how long they're willing to sustain it.
Gartner expects spending on information security to grow about 2.4% in 2020, reaching nearly $124 billion. The firm initially projected and 8.7% growth before the coronavirus pandemic took its toll on the economy.
Spending on network security equipment decreased 12.6% from 2019 to 2020 as cloud-based security solutions increased to facilitate remote work. Spending on cloud security is expected to grow by 33.3% from 2019 to 2020.
Some companies were forced to disable systems with the intention of re-enabling them later. But anytime change is introduced to an environment, security is at risk.
If a company forgets to move something from an inactive laptop to an active one, "now we're not getting patches deployed to it, or we're not getting antivirus up to date or whatever it is, we're not getting our security controls applied to it," said Reck.
The reliance on using personal devices was not as strong as it is now. As a result, security experts were quick to suggest zero trust implementation. But zero trust is a method, not a temporary solution for remote work.
"Rather than talking zero trust, I would just talk about where your most important information is inside your company" Robb Reck, CISO of Ping Identity, told CIO Dive. "Let's just make sure that we know that it's always stored in one of these several approved repositories," such a Salesforce environment, AWS account, or company-owned laptop, therefore tracing data and privilege is known.
Trend to watch:
CISOs were tasked with addressing weaknesses in VPNs once only used for a handful of remote workers, the security of an employee's home router, and phishing attacks feasting on the anxieties of a pandemic.
Prioritizing endpoint security and user authentication — rather than devices — will take hold for the foreseeable future. Human behavior and employee training will be emphasized as the physical security of an office is gone.
Article top image credit: Kendall Davis for CIO Dive