It’s March 2020. Mandatory stay-at-home orders have just gone into effect, and your organization is scrambling to nail down WFH policies while your IT team is tasked with rapidly deploying technologies that can support a newly remote workforce.
Did your heart rate increase just remembering this time? IT departments are probably still recovering from the stress, and truthfully, your security posture might be too. In July we spoke with CISOs and industry analysts during a Cloud Security Alliance (CSA) webinar to discuss how security leaders should adjust their strategies to weather a recession. One question that emerged during their chat was this: Did 2020 open a security ‘Pandora’s box’ that we have yet to close?
The answer is probably. Let’s explore further.
In 2020, speed drove increased risk
While some organizations were already equipped to be fully remote, the majority of companies did not have robust systems in place. Remote working might be par for the course now, but at the beginning of 2020 it was still something of a novelty. Most companies were not prepared for the way that the shift to remote work would surface new attack vectors and alter the security landscape. While office workers are usually protected by enterprise prevention and detection systems, home Wi-Fi networks and remote working tools are much more vulnerable.
Below is a roundup of how the COVID-19 pandemic impacted cybersecurity:
- During a U.S. House meeting in June 2020 on illegal digital activities, representative Emanuel Cleaver reported a 75% spike in daily cybercrimes.
- A Malwarebytes report on COVID-19’s impact on business security found that 20% of companies faced a security breach because of a remote worker’s actions. Contributing to this was the fact that 45% of companies failed to analyze the security of WFH software tools, 44% did not provide WFH cybersecurity training, and 28% had employees use personal devices for work.
- Video conferencing services were a new target for hackers. Between February 2020 and May 2020, more than half a million people fell victim to a Zoom breach and had their personal information stolen and sold on the dark web.
- By mid-April 2020, the amount of brute force attacks observed per day was more than six times pre-pandemic numbers, according to research by Kaspersky. Attacks on remote desktop protocol (RDP) and other collaboration tools contributed to this dramatic increase. According to a Check Point report, Citrix attacks rose by 2,066%, Cisco attacks increased by 41%, VPN attacks grew by 610%, and RDP hits went up by 85%.
Anne Marie Zettlemoyer, CSO at CyCognito, suggested that speed was to blame for the lax security policies that opened organizations up to new risks:
“It was speed that drove it. What we saw was a relaxation in security policies. We saw risk opening up. … They weren’t thinking of thin clients or … people using their corporate devices as extra personal devices at that time for kids to do all this stuff. They just thought about how to get people to log in and start working.”
Turns out, Anne Marie is right: Netwrix’s 2020 Cyber Threats Report found that 85% of CISOs admitted to sacrificing cybersecurity to quickly shift to remote work. Pandora’s box was definitely opened; the question now is whether we have yet to close it.
The risks are still there today
In all likelihood, many organizations are still reaping the consequences of the strong emphasis on connectivity over all else at the beginning of the pandemic. What we’re experiencing with incidents like Log4j is the effects of opening up Pandora's box, not seeing the risk initially because it can take months for it to reveal itself, and proceeding with business as usual.
As Anne Marie put it: “They weren't considering the controls. And what happens is that you open up the control, you open up the risk to enable the function. They opened it up. They didn't see a lot of risk … which is … a misnomer because you're not going to see a breach or an incident for months usually because the attacker will live in there forever and they're not looking for it. So then they start to become braver or perhaps more apathetic to what could happen from a security incident. And they start to think it's not a big deal until it happens again. … In the first COVID hit, we opened up everything, and I guarantee you that there was a propensity of organizations that left that risk open and still have.”
Now, security leaders have a responsibility to assess the gaps in their strategy. They need to quantify the risk to show how devastating incidents can be if we continue to loosen security or cut resources in this area in advance of a downturn.
'There's that human condition'
Below is an excerpt from “A CISO’s Guide to Security Strategy During a Recession,” a July 2022 webinar panel with CSA. This panel was moderated by Sounil Yu, CISO at JupiterOne, and featured Anne Marie Zettlemoyer, CSO at CyCognito, alongside Fernando Montenegro, Sr. Principal Analyst at Omdia.
You can find the full webinar here, but check out this clip below to hear the panelists dive deeper into how our inclination to ignore controls and prioritize speed can create ongoing security risks:
More advice on recession-proofing your security
The COVID-19 pandemic is a case study in what can happen if we let security measures fall by the wayside during times of crisis. If we’re not careful, there will be a slew of new statistics about the aftereffects of relaxing cybersecurity measures and slashing budgets during a recession. For more discussion on how to approach security in the event of a downturn, watch the full CSA webinar here. You’ll also get access to an interactive transcript so you can dig into the insights in more detail.
