Navigating Cybersecurity Gaps in Uncertain Times
If cybersecurity leaders and teams think this year will be quieter and easier than 2020, they are mistaken. The remote work trend launched by COVID-19 is morphing into a new hybrid environment that has some employees working at home full time, others at corporate facilities and many working at either location depending on the day of the week.
Securing this new work model is just one area of concern. The cybersecurity threat landscape is in constant flux, and that will never change. As a result, organizations will face many security risks this year. Here are some of the more important ones security programs need to address in order to keep their organizations safe from data breaches, malware attacks and other incidents that could cause significant damage.
Remote/Hybrid Work Environment
By now, organizations should be fairly experienced at supporting and securing remote workers. But that does not mean the cybersecurity issues have gone away. The new hybrid work environment can be even more challenging, from a cybersecurity standpoint. That’s because many employees will be operating from multiple locations and, perhaps, using different devices depending on where they are working.
With a more flexible workforce – at least in terms of location – introduces new security vulnerabilities as devices move into and out of the office. Employees might be working in unfamiliar spaces, and companies might not have adequate security at branch office sites. In addition, given that many people will still be working from home, they will continue to be at risk of social engineering and phishing attacks.
The best way to deal with these gaps is through education. Security programs need to train and retrain employees in the proper use of devices, how to handle suspicious email messages, securely access corporate networks and recognize social engineering attack attempts.
Internet of Things (IoT) and Smarter Homes
The internet of things (IoT) has become a reality, and the potential security risks are significant, if left unaddressed. Companies in industries such as manufacturing, healthcare, retail and others are deploying IoT to gather large volumes of data from sensor-equipped assets, products, buildings and vehicles.
Many homes — including those where remote workers are now based full- or part-time — are equipped with devices that are continually connected to the internet and constantly sending out data. In addition to smartphones and tablets, these might include virtual assistants, utility meters, lightbulbs, doorbells, baby monitors and more.
Without proper monitoring, these connected devices can represent a significant security threat. In many cases, all of these possible entry points for attackers are connected via the same networks used by home office workers, putting company data and applications at risk for potential exposure.
Organizations can address these threats in a number of ways, including deploying tools like containers, device management platforms and multi-factor authentication.
Shadow IT
Shadow IT — the phenomenon of business executives and end users making technology purchases without the approval or oversight of the IT department — has the potential to become even more common when so many people are working remotely.
Individuals don’t take part in shadow IT for malicious reasons, but out of convenience and expedience to do their jobs. For example, during the pandemic, many business departments might have quickly launched video conferencing platform accounts in order to provide easy collaboration without first notifying IT.
Despite the good intentions, these actions can introduce security risks such as data loss or leakage. If the IT/security team is not aware of the purchase and use of IT products and services, they can’t weigh in on what provisions need to be in place to protect information they will store and carry.
While IT and senior business leaders shouldn’t go so far as to ban non-sanctioned technology deployments, there should be policies in place that can ensure proper security settings for all applications and platforms.
Third-Party Relationships
Having effective digital supply chains and transactions with business partners has become a priority for organizations, especially during the pandemic, when businesses have been forced to change their delivery processes for health and safety reasons.
Vendors and other third-party organizations might present security gaps, and these can go unnoticed without regular due diligence. Vetting third-parties, and doing so frequently, is a key best practice to ensure that they do not pose a risk to the organization or its customers.
This is all the more important today, with so many transactions being conducted electronically and new threats emerging. Not only do enterprises need to keep up with threats, they need to make sure their third-party partners are keeping up, as well. Regularly assessing the cybersecurity posture of third parties is vital.
Skills Shortage
Organizations need to address these security gaps while facing another monumental challenge: a shortage of skilled cybersecurity pros. A September 2020 report by cybersecurity career development platform Cybrary said a majority of organizations worldwide continue to experience skills gaps.
Cybrary surveyed more than 800 security and IT professionals and found 72% agreed or strongly agreed that their security teams are experiencing gaps in skills. About two-thirds of the respondents agreed or strongly agreed that this was having a negative impact on their teams’ effectiveness.
Further, the report noted companies face a lack of qualified candidates for key positions and that improving the skills of current staff is essential to stopping data breaches and protecting IT infrastructure. This can exacerbate other challenges organizations are facing in security because they lack the staff and critical knowledge to effectively implement tools and fight attacks.
To help address the skills gap, organizations need to establish ongoing cybersecurity education and professional development programs. For many companies, especially those with limited resources, the best solution could be to hire a managed service provider to handle security functions. This can ensure experts versed in the realm, and up to speed on the latest threats and new vulnerabilities, are at the helm.
These are just some of the security gaps organizations are facing today. By taking steps to address them, they can improve their cybersecurity program in uncertain times.
