A 63% increase is usually a good thing. 63% increase in sales? Great. 63% increase in customer satisfaction? Even better. 63% increase in cyber-attacks? Not so much. According to a survey by ISSA and ESG, that is the increase cybersecurity professionals reported in cyber-attacks related to the pandemic. Add the fact that the survey was conducted before high-profile breaches such as the recent SolarWinds supply-chain compromise came to light, and it becomes clear that right now it is more important than ever to keep advancing security programs. With the current climate in mind, I am going to give you 5 key reasons you should not only resist the temptation to put off your cybersecurity projects until after the pandemic levels out, but should prioritize growth in your program right now.
Reason #1: Work from home is here to stay.
March and April brought about a shift to work from home (WFH) at a pace that tested the contingency plans of many organizations. After transitions that often included a mix of VPNs, remote work policies, and home network security guidelines, many have come to accept that WFH, in varying capacities, is here to stay. A drawback of WFH environments is the broadened attack surface. Whether it be insecure IoT devices on the same home network, outdated router firmware, or even loose printed documents, WFH deployments introduce a myriad of potential attack vectors. These vectors have commonly been coupled with a decrease in visibility and control, because the WFH strategies were deployed out of necessity, and in haste. Companies need to be sure they are strengthening security programs not only to minimize the likelihood that these threats materialize, but also to remain in control of their systems as remote work endures. Uncovering and closing security gaps in these evolving environments will be a process that requires your ongoing attention.
Reason #2: Attack frequency and complexity are increasing.
As mentioned, the shift to remote work has brought about a drastic increase in cyber-attacks. In fact, as I am writing this, I am aware of three separate incident response engagements our organization has taken on in the last 24 hours alone. It should be noted that cyber-attack occurrences have been increasing steadily for quite some time, so the spike likely represents a steep section in an otherwise steady incline. Harder to measure, but equally evident, has been the advancing complexity of the attacks we are seeing. While phishing and other end-user-based attacks will plague companies for the foreseeable future, attacks that target third-party vendors in order to reach their customers are becoming more common. When a particular target is difficult to breach directly, compromising a third-party vendor can give an attacker more discreet, persistent access to the target's systems. In some cases, we have seen attackers start with a vendor of a vendor and work their way back to the initial target. 5 key vendors that each have 5 vendors of their own turns into 25 additional potential points of failure, beyond the 5 you deal with directly, in the absence of third-party vendor management. Examples like these are why frameworks and compliance requirements now place such an emphasis on third-party security management. Properly vetting and regularly assessing third-party vendors keeps their security issues from becoming your security problems.
Reason #3: Security technologies are evolving.
For every (hacking) action, there is an equal and opposite (security) reaction, right? Either way, security technologies have advanced to combat frequent and complex attacks. From an access control standpoint, the growth of Zero Trust architectures and passwordless authentication represents a development that is both more secure and more user-friendly. Next-gen firewalls incorporate technologies such as deep packet inspection, intrusion prevention, and application awareness to enhance protection and increase visibility compared to traditional port-and-protocol firewalls. Advanced endpoint protection technologies support early identification of and response to malicious activity on devices, providing enormous benefits for both remote and in-house endpoints. I could write all day about new and exciting security tech, but for the sake of brevity I will stop at those three.
Reason #4: Privacy is a big deal.
In the last few years we have seen a great deal of progress on the data privacy front. While the United States does not yet have a comprehensive federal data privacy law comparable to the EU's GDPR, privacy laws have been enacted or are pending in a majority of US states. In fact, between GDPR, CCPA, and 5 other state laws, a large share of businesses must already comply with some form of data privacy law. For the others, it is only a matter of time. Thankfully, there are many things we can do to navigate and prepare for the requirements together. One great resource is the NIST Privacy Framework. Designed in a similar fashion to their Cybersecurity Framework (CSF), NIST released version 1.0 of the Privacy Framework in January 2020. The framework can be leveraged to supplement or prepare for various data privacy laws. In addition, NIST designed the framework so that it can be paired with the CSF to take a holistic approach to both privacy and security. While it may be possible to have security without privacy, it is impossible to have privacy without security. Strong planning and good use of the available resources allow companies to bolster security and privacy programs in tandem.
Reason #5: Security and Privacy are competitive advantages.
Good security and privacy programs accomplish a handful of things. They foster protection against attacks, fulfill legal and compliance requirements, and readily adapt to new and changing environments. Great programs go beyond that. Great security and privacy programs are competitive advantages. People care about their data. From a buyer's perspective, say you are researching two similar solutions. They both solve the same problem, but one company consistently demonstrates a commitment to prioritizing your data security and privacy. All else being equal, that is the one you choose. The growing emphasis on security and privacy presents an advantage for companies that commit resources to effective programs. An example of this is Apple. Apple's marketing department has taken the company's commitment to security and privacy and made it a selling point. They recently ran a commercial campaign focused on user privacy. There are a variety of commercials, but my favorite one features a woman shouting out her credit card number through a megaphone. While the commercial is comical, it carries a strong message to users that Apple is committed to user privacy. Strong security and privacy programs go beyond compliance and safety to set companies apart from their competitors.
Security and privacy programs must be constantly evaluated and improved to keep up with changing threats and requirements. Even though I have titled this blog post with a reference to being in the "Middle of a Pandemic", I do hope we are much closer to the end than the middle. Either way, what we can take from this season is that there will always be something standing in the way of taking the next security steps, and that is exactly what attackers are banking on. We have to be committed to strengthening and hardening environments even, and especially, during times of crisis.
Talk to a representative at TRUE today to see how you can capitalize on the opportunity to grow your program in the middle of, or after the pandemic.