One year in cyber lockdown - what did we learn?
In the wake of the pandemic, not everyone was comfortable going digital. An intuitive transition for some - techies, e-commerce gurus and even call centre staff - it has been a much more challenging adjustment for others. Teachers, judges and public sector workers had to reinvent the way they operate.
By Steve Bradford, SVP EMEA SailPoint
Yet, despite all the disruption and devastation of the health emergency, we have persevered as a society, learned to collaborate while being physically separated, and kept our productivity and spirits up. We’ve made a giant leap towards digital innovation, setting us up for more flexible and inclusive living once the pandemic is behind us. We’ve also realised that digital tools and dispersed working have potentially made companies less cyber secure.
For those businesses enabling their staff to work remotely, what did we learn as a result of one year in cyber isolation?
- Digital yields great power, and requires great responsibility. Our computers are a window into the world. If we don’t keep our cyber hygiene up, we expose ourselves to risks, unless we deploy the zero-trust model. People are the weakest cybersecurity link simply because they are human. We know that a quarter of Brits compromised their security at home during the first six months of the pandemic, sharing work passwords and equipment with a flatmate, partner, friend or family member amid increased home-schooling and a pressure to remain productive.
This is why the recent cat filter video call mishap - when a lawyer used his assistant’s computer for a live hearing and the filter meant his visual identity could not have been easily verified - is as much a piece of entertainment as it is a cause for concern. A third of cyber attacks in 2020 included phishing or social engineering tactics. Imagine a situation where someone is posing as your digital alter ego, while using seemingly secure enterprise channels - which could be the case if your device is borrowed or stolen. Worse - with access to someone’s passwords a hacker can compromise and ‘impersonate’ their enterprise identity remotely without even requiring one’s smartphone or laptop. It could then take months before any irregularities are spotted.
- Passwords are only effective when changed often. We know that phishing and fraud are on the rise amid increased personal information sharing online, potentially leading to our work identities being compromised as a result. Based on our own study, only 20% of Brits have changed their work passwords within the last 30 days, while 43% haven’t changed their passwords in over six months. It’s the digital equivalent of having your front door unlocked when leaving the house and trusting the silverware will remain in place when you return. Employers will do well to make regular password changes compulsory.
- AI and automation with pattern analysis are the only ways to keep tabs on the insider threat. The majority of organisations (69%) don't believe the threats they're seeing can be blocked by their anti-virus software. To make matters worse, shadow IT has exploded and the number of ungoverned SaaS apps downloaded by staff throughout the pandemic has been on the rise, as the workloads of IT teams and digital workers have increased with staff working longer hours and taking on new responsibilities. We’ve also seen a number of cases where attacks have been orchestrated by multiple hackers working together in teams. This means identity security is key not only when it comes to individual employees. Specialised and increasingly sophisticated technology must therefore be used to analyse patterns across the enterprise perimeter to be able to spot early signs of a large-scale attack mounting.
With work and personal lives blurring together amid ongoing restrictions, cyber security has to become the C-suite priority in order for businesses to stay a step ahead: four in five attacks are preventable with the right tools and processes. As businesses digitise and scale operations in the cloud at speed, designing and enforcing identity security for employees at all levels is a must.
Although it seems the number of breaches diminished in 2020, based on the data we have so far, it is not the time to lower our guard. The average life cycle of a breach lasts almost eleven months from initiation to containment. While we’re only bound to get the full bill of our cyber security health for 2020 later this year, organisations can do something to ‘inoculate’ themselves against cyber threats today. Investment in identity security and staff training is a must for those organisations planning to continue with a hybrid or dispersed workforce model, as we start getting the virus under control.
While the ability to work from anywhere may be among the hottest workplace perks right now, we’ve learnt all too well that enjoying the privilege safely will, no doubt, require some time and education for both businesses and individuals.