Securing the Office of the Future

Our latest episode of “The CyberHero Adventures: Defenders of the Digital Universe” focuses on answering the question: How do organizations secure the office of the future? Businesses have demonstrated that they can quickly shift their workforce from on-premises to remote, with 73% calling it a “success,” according to  PwC’s recent remote work survey. However, many acknowledge that they still have a lot of work to do to prove that their remote working systems are secure. Should the remote office of the future come with the price of a cyber attack? Watch this episode and find out!


Transcript

Gary Berman: Hello, and welcome to “The CyberHero Adventures: Defenders of the Digital Universe” show. Today’s show focuses on answering the question, How do organizations secure the office of the future? Businesses demonstrated that they can quickly shift their workforce from on-premises to remote, with 73% of executives calling it a success, based on PwC’s recent remote work survey. However, many admit that they have much more to do to prove that the remote work arrangements are secure. And there isn’t much time, with 62% expecting risks from use of non-enterprise devices and software in the next six months due to remote work according to PwC’s “Digital Trust Insights Pulse Survey.”

CSOs also face unique opportunity to both secure and enable their businesses, but must make strategic investments, with budgets likely to remain flat for the foreseeable future. Should the transition to the remote office of the future come with the price of a cyber attack? Stay tuned to find out.

Our mission is to shine the light on the people and organizations who keep us safe online while at work, home and school, and to serve as a business to business networking platform for the cyber security and IT communities. We learned that 55% of human communications is nonverbal, that’s why we include a video feed so that you have the option of seeing our guests or simply to just listen. You never know who you’re going to connect with and how you’ll be able to maximize opportunities resulting from hearing from our great guests.

As the victim of a series of cyberattacks, I’ve learned that the only time you hear about hacking or cybersecurity is when the criminals win. Well, not anymore.

I’m your host, Gary Berman. Let’s begin by saying thank you to today’s panel of unsung cyberheroes, who represent the countless people who toil in anonymity to keep us safe at home, work and school.

Sean Joyce is PwC’s Global and U.S. Cyber Security Privacy and Forensics Leader, working with clients in various sectors, providing strategic guidance, leading transformational initiatives and advising on incident breach response and how to use cybersecurity and resiliency as business enablers. Sean previously served as the deputy director with the FBI and had daily oversight of the 36,000 men and women of the FBI and its $8 billion annual budget. Hey, Sean!

Sean Joyce: Thanks for having me.

Berman: Dr. Deniz Caglar is a leading practitioner in strategic cost transformation for strategy at PwC’s strategy consulting business based in Chicago. He has deep expertise in organization design, corporate function efficiency and effectiveness, shared services and outsourcing offshore. He primarily focuses on consumer packaged goods and retail industries and also has extensive experience in automotive, healthcare and financial service industries.

Hi, Deniz—great to see you!

Deniz Caglar: Hey, Gary. Glad to be here.

Berman: Emily Stapf is PwC’s cyber security privacy and forensics integrated solutions leader, specializing in incident and threat management, crisis management, cybersecurity strategy and product and service strategy and leadership. Ms. Staff serves as a strategic adviser to commercial clients for complex cybersecurity investigations, cybersecurity strategy, trust, resilience and business enablement solutions, and regulatory and litigation matters involving sensitive information.

Hi, Emily! Welcome to the show.

Emily Stapf: Hi, Gary.

Berman: Sean, we’re gonna learn a lot about what all of you do on today’s show. However, I’d like to begin by asking—why do you do it? What’s your mission? Tell us your origin story.

Joyce: Well, Gary, I think all of us really do it for what I would consider the right reasons. It’s really to protect these companies in probably a broader PwC mission. It’s a mission with purpose, which is really, you know, doing something for society as a whole and bringing that—really bringing that benefit. And, you know, I think what our practice really does is help companies each and every day, you know, deal with some people out there as you know are trying to do harm.

Berman: One of the things that I’ve noticed about everyone in the cybersecurity community is this tremendous humility, you know, the sense of service, the sense of belonging, the sense of giving back. Is that a valid assessment, you know, from your experience?

Joyce: So, this is what I will say. I think it is really, you know, I am so fortunate as the leader of the practice to have, you know, hundreds and hundreds—well, thousands of people, like, doing this job each and every day, and the credit is to those people, right? And I am humbled by the great work that they do each and every day.

So, like you said, I can’t take—I really can’t take credit for the great work that those people do, and they come to work every day. You know, there was one company that called us this morning that was under a ransomware attack and really, you know, getting a group of people there, helping them out, and really getting them back online and being able to help them function as a company, I think people get a lot of, I think, you know, good feeling out of that.

Stapf: And I’ll add to that, Gary. It takes a village, and PwC is about a lot more than just our individual cybersecurity privacy and forensics team. When we’re going to the market and talking with clients, we’re understanding the breadth of their issues. From cybersecurity events to strategy in the boardroom, and success is really bringing together an entire team that can share in that problem-solving.

Berman: Indeed. So, Emily, tell us your origin story.

Stapf: I’ve got an interesting 20 plus year—I’ve learned to drop the number after the 20—experience advising clients in various IT matters, but mostly revolving around cybersecurity breach response. So, I’ve been all over the world, and I’ve helped hundreds of clients in all different industries and sectors respond to unplanned events.

So, that can involve insiders behaving badly as, Gary, you’ve experienced in your own personal and professional background. It can involve threat actors penetrating your network. There are many different shapes and sizes that these threats come in. And keeping us on our toes every day is staying abreast of them and trying to stay in front of them to protect our corporate networks and the sensitive information that we hold most dear as corporate citizens.

Berman: You mentioned, you know, corporate citizens. I had a very interesting conversation with some folks about the MITRE ATT&CK framework. And, to me, what was really incredible is just how massive it is, how many different attack vectors there are, you know, and the complexity of it.

Can you share with us an unplanned event and a real life example of what you’re referring to?

Stapf: You know, we have great pride in helping our clients stay under the radar when threats emerge. And I often say that success in this business is keeping our clients out of the newspaper. So, the vast majority of the things that we see every day are things that you never read about or hear about. It’s the proverbial iceberg diagram.

That being said, in this interesting and very unique time that we are in, there is a commonality—and Sean’s actually already mentioned it once today—there are two major attack patterns that we’re seeing over and over, and these are not new things, they’re just very opportunistically preyed upon right now because of COVID and because of the remote work environment, but that’s ransomware and kind of spear phishing or regular old phishing attacks. Because people are at a distance and expected to be working virtually today and threat actors know that, so they’re getting better and better at laying booby traps, if you will, and e-mail to get people to click on attachments and other sorts of links.

That, as you know if you’ve spent some time studying the attack framework, is a principal initial vector to get in and then establish the remaining network movement activities that a threat actors wants to do to maintain his persistence.

Joyce: And I just wanna add to that. I think there’s a couple of things we’re seeing. We’re definitely seeing an increased activity by nation states. So, we’re seeing that especially in the healthcare field, the bio life sciences, as you can see the race for the vaccine and we’re seeing nation states very active in that area. In addition, as Emily cited from the criminal perspective, right, we’ve just seen, the quote was given to me, “I’ve never seen so much phishing in so many languages.”

So, it just an incredible increase in the number of social engineering attacks, right, that are happening via phishing, and then let’s not forget the business e-mail compromise. As we’ve moved to the remote work force, I think that has become more prevalent and we’ve seen a sharp uptick.

And then ransomware is really off the charts. So, you know, I know you’re familiar with Maze and then Qakbot, but there’s been several others and, you know, globally, when I talk to my leaders throughout the world, they’re seeing the same increase. So, this isn’t something that’s really unique to the United States, it’s really global, and something that I think, you know, everyone’s seeing that sharp increase.

Berman: Coincidentally, or perhaps not coincidentally, one of the characters in our comic is called Phoebe the Phisher, and we were very deliberate about creating that character. She has a harpoon, of course, which is for, you know, whale phishing. She has a spear for targeted spear phishing, and she also has a, you know, phishing rod for kind of regular, you know, spray and pray kind of phishing.

Deniz, let’s hear about your origin story, your mission, and why do you do what you do every day?

Caglar: Well, I’m a newcomer to this group. As you mentioned in my introduction, I primarily work with clients on their organizational issues, their organization strategy, organization design, workforce strategy. And frankly, since the pandemic hit, going back to early March, just about every one of our clients has been consumed with what’s going to happen to their people, how do they think about their organization, how do they continue to operate around the company, what are the implications for their people.

So, I’ve refocused my efforts on what’s going to happen to the companies during the pandemic and post pandemic. I’ve been spending a lot of our time focusing on what we coined the office of the future, thinking about who’s going to come back to the office when, how long we’re gonna be in the office, what is the office for at all, if we come back to it. And if we’re going to continue working from home at a substantial clip into the future, even the post pandemic, what does that mean in terms of how we work together, how we interact, how we engage with each other?

But part of the reason I’m here today is, what happens to the security of all the data and the information the company possesses? A lot of what Emily and Sean talk about in terms of the attacks, as well as just basic, good old negligence or fraud of the employees who hold that data. It used to be in the company’s offices, now it’s in people’s living rooms, kitchens, bedrooms, wherever they’re working. How do you make sure the data information the company has is going to be secure and trusted going into the future of the work from home office, so.

Berman: You’ve asked a really good question, Deniz. I’d like you to answer it, please. [Laughter]

Caglar: Sure. So, Gary, I think many of our clients have been working from home at a substantial clip since the pandemic. I spend a lot of my time in financial services, but also work with clients in other industries, too. Just about everybody—anybody who has office workers, they’ve been working maybe 90%-plus, somewhere around 95% of their employees have been working from home the past six, seven months. And the consensus is—that’s going to continue into the new year and probably closer to the summer. It very much depends on the vaccine schedules or the therapeutics, but a lot of our clients are finding out that working from home has worked for the pretty well, and there’s a lot of risks of coming back to the office, exposing the company’s employees, and ultimately the company’s business to more risk, perhaps undue risk. So, they’re going to continue working from home.

So, it’s going to be a good year if you think about coming back to the office some time in April, since we vacated offices and started working from home. Employees are getting used to it, they enjoy spending time at home, being flexible with their times, avoiding lengthy, painful commutes. So, there’s a lot of goodness on the employee side, and we’re expecting that some sort of work from home is going to be here to stay. So, that doesn’t mean company offices are dead. It’s a hybrid workplace model where people rotate in and out of the office. So, perhaps two days a week in the office and three days a week at home.

So, we did our survey, I think you mentioned it, too, earlier this summer, 72% of the employees said they’d like to work from home at least two days a week, but only 30% said they only want to work from home. So, still, the vast majority of employees want to come back to the office only part-time, not like what we used to do.

So, our hypothesis, educated guess, if you will, is that somewhere around two to three days a week working at home, two to three days a week working in the office is going to be fairly common. So, if you believe that assumption, that means 50% of the employees are going to be working from home at any given time. So, 50% of the employees are going to be connecting to the company network or possessing the company data in their homes at any given time. So, that’s going to introduce a lot of risk. It has already introduced a lot of risk—90%, 95% of them working at home right now. And we’ve managed it, improvised it in many ways, but going forward, we’re going to need to be much more thoughtful about what we do and how we do it.

Berman: And Emily, going back to your incidence response career you know, what are the most common attack vectors that we’re seeing right now?

Stapf: I think we talked a little bit about the many flavors of spear-phishing, phishing attacks from small to very, very targeted, which are what are referred to as those whaling attacks.

But, as people are working from home, there is an inherent expectation that business shall go on, and operations shall, you know, won’t slow down. And so, I think people are a little bit more willing to accept unknown things that may be coming to them in e-mail or through different portals that they may typically access for their job. And so, you know, falling victim to clicking on a link, downloading an attachment, going to a website and trusting that it’s something that you’re supposed to be doing for your job and offering up your credentials, I think are happening more and more, not because people are being lazy. In fact, it’s quite the opposite. I think there is a doubling down of effort, and people that are working from home, saying, “I’m going to be as effective as I ever was before, and therefore, I’m going to really jump into all of the different responsibilities I have.” So, if I’m being asked to go to a new website, it must be part of my job. If I’m being asked to log into this new system—gosh, that must be something that IT has rolled out to make our working remotely easier.

So, I think people really have to be cognizant of that user experience and aware of what they are clicking on. And, you know, if I may offer a suggestion, I think one thing that companies, in my experience the last six months, maybe haven’t asked as many questions about us as consultants is around training. What kind of training and awareness should we be rolling out to people? I think people have rushed to put technology fixes in place, and once it’s fixed, dust my hands, we’re good to go, but you can’t underestimate the value and the importance of that user behavior and offering people training and assistance to do their job remotely, using these new technologies.

Berman: That’s a really interesting insight. I think there may even be this kind of almost misallocation of resources in that. In the cybersecurity community, I’ve heard that enterprises have about 47 different solutions in their security stack. Some have many, many more; about 80% of money is spent on, you know, solutions and yet, I’ve also learned that 80% or more of attacks are caused by simple human error.

Joyce: I think it is, Gary, and I think that’s one of the issues, and to add to what Emily said, as the workforce has gone remote, you’re looking at, right, virtual private networks, you’re looking at collaboration tools, you’re looking at the tools today that we’re on together that companies are using. And as you know, they have vulnerabilities, and it’s almost a race between, right, the adversaries and the companies to have that ability to patch and then you have the typical things that are related to the pandemic that, unfortunately, a lot have taken, you know, really taken avail of.

So, I think there is a lot of that, and as you mentioned, in this industry, there are many, many point solutions and not really what I would consider an orchestrated approach from a technology perspective.

Berman: So, given your experience in the FBI and having such good insight into conditions on the ground, how have CSOs, in aggregate, responded to this rapid change in everything?

Joyce: So, first, I think they have done a phenomenal job. They have really, I think, reacted quickly, and they’ve been proactive in many instances. But I think the first thing is that they’re really looking at two major things—(a) how do I secure the workforce, and then secondly, how do I enable the business? So, that really, that secure and enablement, I think, are key functions. And I really think you’ve seen a point in time where the CSO has moved from a back office—“Hey, who are those people over there?” to a front office where they’re involved in the strategy.

When some of these brick and mortar company had to, right, revamp their digital presence, they were at the table—“How do we protect ourselves? How do we do this securely? How do we enable the business?” I think really, the CSO has truly moved into the C suite and has been a key player.

Berman: And do you think, now, that they command the respect and the influence and the budgets that cyber security warrants?

Joyce: I think they’ve commanded the respect. I think what now, though, is I think they’re part of the overall business. They’re a fabric of the business strategy, right? Enabling those business drivers. How do I make it so that we can do this digital transformation, stay in business, and make that experience for the customer seamless yet secure, protecting our brand, right? Building that trust, right? They’re enabling that, right? They’re really those trust builders, and I think they’ve done a great job.

You know, one of the statistics we had is that 50% of CSOs have seen an increased interaction with the board, and even more, right, with the business, right, unit leaders. And I think that’s obviously indicative of what we’re talking about today.

Berman: And just to amplify what you’re talking about, would it be okay with you if we share some of the survey results in our show notes?

Joyce: No, that would be great. I think it is, I think it’s insightful and will provide them with some, you know, really—things that are happening currently.

Berman: And Emily, I want to come back to something you said about awareness and training. You know, what should an organization be, you know, thinking and doing with the new conditions on the ground? And in the spirit of full disclosure, we’ve recently signed a joint venture with a great cybersecurity company based out of Israel, and they’re going to be animating the characters in our comics and bringing them to virtual reality, but also enabled to be able to be used on computers and phones and things like that. But what should an organization be doing now?

Stapf: Gary, I think you have to make it personal for people, and there is no better chance than right now, because we are in each other’s living rooms, to bring work into the home and in a way that can be helpful, not just pervasive.

So, what do I mean by that? If training yesterday—and by yesterday, I mean, seven months ago—focused on what does securing data in your office feel like, that would be a very different training curriculum than what does securing data and all of the access that you have to do your job feel like today?

And so, not only do you need to speak to people about basic operational hygiene—so, we’ve talked about phishing and clicking on things many times already, but also, how do you help people secure their own home networks?

So, working from home is one thing when it actually works and the lights are on, and I can—okay, I can do my job because I have Internet. That, the job is not done there, though. The job must go on to securing that access. So, including with people’s training real tips about how to make their home network secure. Things like make sure you’ve reset the default passwords on every connected device in your home.

Berman: Yeah, yeah.

Stapf: Have you thought about enabling firewalls and subnets in your personal network so that your work laptop is using the same WiFi that your kids’ school is using, but they’re completely separated technically?

Berman: Yeah, yeah.

Stapf: There are some very basic things that we can train home users to do to ensure there’s additional security in place. And the last thing I’ll say is, training people to interact with each other and go through simulated cyber events. So, what that means is tabletop exercises.

So, from the comfort of my chair in my office, I can connect with anybody in my executive team around the world to walk through a simulated cybersecurity breach response event, right now in the COVID world. That is an area where we’ve seen an incredible uptick in interest from our clients, because it’s so easy to convene that you don’t have to worry about schedules any more, because it’s so easy to convene dozens of people from any time zone all over the world to walk through a cyber security simulation experience. That’s a form of training, it really is.

Berman: And Deniz, if budget was not an issue and you could do whatever you want, you know, for the office of the future and to keep it secure, you know, what are we looking at?

Caglar: Yeah. I’m gonna ask for help from Emily and Sean on this one, but maybe to get this started, I’m gonna pick it up just a little bit from the people perspective organizationally in terms of, as I look at this from a productivity effectiveness view. Employees are asking for basic tools and basic support to make their experiences at home as effective as possible. And the most common aspects that we’re hearing and we’re seeing from employees is around, help me make my home office as productive as possible. And that’s as simple as a more comfortable chair, but believe it or not, for many, it is about access to reliable, high speed Internet, and companies making sure they can help their employees get better access across their operations in the U.S. or globally.

The second piece goes to collaboration tools, collaboration suites that companies can apply and deploy in their organizations. We’re finding out, when we’re remote, the efficacy of the collaboration tools makes our lives that much more—that much simpler, easier, and makes us and our colleagues so much better. So, employees are asking for better collaboration tools and technology. And this is where I’m gonna turn to Emily and Sean and ask their help input on how to make that as effective and secure for employees as possible—and others, yeah.

Stapf: You know, one other thing that comes to mind right away, Deniz, is investments in identity and access management technologies.

Caglar: Mm-hmm.

Stapf: So, understanding who it is that’s on the other side of that network GET request that’s trying to log into a system and to authenticate that that is the home office user that you are expecting to log into that system. So, Gary, your question was, you know, budgetary concerns aside, what is the wish list? Identity and access management investments would undoubtedly be in the top three.

What that also allows you to do is make the user experience more seamless. So, rather than as a home office worker logging in with six different accounts to six different web portals that I might need to do my job, making that all seamlessly integrated through single sign on or other sorts of identity management technologies would definitely make that experience easier.

And then the other angle is cloud technology in general—moving all those on premise assets, in other words, systems that have to be logged into with a direct connection to a data center in your physical environment, moving that all to the cloud so that you can log into it from anywhere at any time as long as you’re an authenticated user.

Berman: And Sean, was there any data in your survey that talked about budget allocations and that shows that things were leveling off in terms of expenditures? How does that look?

Joyce: So, I think there is some indication that the budgets are slightly less, but not as much as experienced in some other parts of the company. But, you know, Gary, I think it’s important when you look at kind of, I wanna look at it a little bit from a macro perspective. There’s two big things going on, here. There is acceleration of digital transformation. Everyone is trying to make sure they have that omnichannel digital presence.

The second thing is acceleration to the cloud. When I come down to how that affects us, right, being that, you know, a purpose led, value driven organization, it comes down to data—data trust is what we call it. We have three strategic priorities—data trust. How do you make sure the right people have the right access to the data, right? The second one is resiliency, right? How are we making sure not just a pandemic, but for the next natural disaster, the next cyberattack, how are we making sure we are in agile, right, in a company that can quickly adapt? And Emily mentioned one of it is that cloud transformation.

And the last one is that secure enablement. How am I leveraging technology? But it goes back to what you do as a business. That low tech training and awareness is invaluable. It’s about policy. It’s about process, right? Then coupled and integrated with technology. All of these collaboration tools Deniz is talking about—are we making sure they’re approved? Are we making sure that we have done our homework on—right, that they’re entered into our, they’re configured correctly? That, when the patches come out, right, we’re able to do that? Are we making sure on, you know, home devices? Because not everyone has the luxury of having a company device—have we actually pushed out to them, right, the antivirus software they need and other things?

So, I think it’s a combination of things, and it really is, like—it’s an exciting time.

Berman: As we’re wrapping up here, which kinda makes me sad, because I can listen and learn from you, you know, all day and night, and I’m sure our audience feels the same way—Sean, is there anything else that you’d like to share that would amplify your mission?

Joyce: You know, I think the most important thing is, like, this is really about a partnership with our, you know, all the CSOs out there, all the Chief Technology Officers, Chief Compliance Officers, Chief Privacy Officers, and really in a very difficult time, how are we actually securing, right, that brand of our company, right, and making sure we’re heading in the right direction as we kind of turn the corner on this pandemic? I think that’s the critical thing as we go forward, and it’s about enabling the business and securing the business.

Berman: And thank you for that. And Deniz, is there anything you’d like to add?

Caglar: What I’d like point out is, a version of work from home is here to stay. There are some skeptical executives out there, there are some skeptical companies that do believe they’re much more productive and effective when they’re in the office. But frankly, what I’m seeing in my client engagements is, those are getting fewer and fewer, and just about every client that I’m speaking to these days, they are planning for a future where partial, flexible work from home is going to be with them for the longer haul.

So, that means, we need to plan for a future where a significant portion of our employees are working from home on a daily basis, and that does introduce a whole new set of challenges, especially around data security and cyber risks, and this is the time to start planning for that—it’s coming.

Berman: Emily, you’re gonna have the final word. What else would you like to add for our audience?

Stapf: I just want to say, Gary, that in times like this where we are leaning on technology to get us through what it might mean to work from home and enable the workforce from anywhere, we can’t lose sight of a very simple statement, and that is, people are your greatest asset, period.

So, when, as Sean and others have referenced, as we’ve watched cyber security kind of come into the light and come into its maturity over the years, cybersecurity professionals were an IT function. Today, they’re in the boardroom, as you absolutely pointed out.

The most effective cybersecurity professionals are those who enlist the help of cross-functional business colleagues and recognize that, to get through this, we are going to have to pick up the four corners of the problem together. And that’s not one person shouldering the load of all of this, that’s, how do I recruit all the people around me so that, collectively, we can get this all done?

You asked before whether CSOs are firmly rooted in the boardroom today—I just point back to all of the strategies and all of the roadmaps that have been asked for funding over the years. Those security leaders, who maybe were seen as transformational five, six years ago, today are seen as clairvoyant because the things that they were asking for money and funding for six years ago are now what is accelerating us through this crisis.

Berman: Well, thank you so much, Sean, Deniz, and Emily, for this incredible show. If you would like to be a guest on our show, please send an e-mail to [email protected] Thanks, everyone.

Featured eBook
The State of Cloud Native Security 2020

The State of Cloud Native Security 2020

The first annual State of Cloud Native Security report examines the practices, tools and technologies innovative companies are using to manage cloud environments and drive cloud native development. Based on a survey of 3,000 cloud architecture, InfoSec and DevOps professionals across five countries, the report surfaces insights from a proprietary set of well-analyzed data. This ... Read More
Palo Alto Networks

Gary Berman

I was the CEO of a marketing company that was hacked and "cloned" by insiders. Unable to receive justice due to the difficulty of attribution, I have pivoted from victim to advocate by creating cyberheroescomics.com. I'm also the host of The CyberHero Adventures Show in partnership with MediaOps.com. Let's defend the Digital Universe together!

gary-berman has 4 posts and counting.See all posts by gary-berman