![The Edge Logo The Edge Logo](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt530eb1f4e672eb44/653a71690e92cc040a3e9d6d/Dark_Reading_Logo_TheEdge_0.png?width=700&auto=webp&quality=80&disable=upscale)
Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.
Security Lessons We've Learned (So Far) from COVID-19
Takeaways about fighting new fires, securely enabling remote workforces, and human nature during difficult times.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt2d35ccaf01bc8556/64f0d38897db1802f0d55d32/602x250_risk_safety.jpg?width=700&auto=webp&quality=80&disable=upscale)
As the crisis surrounding the novel coronavirus COVID 19 continues to spread around the globe, businesses everywhere have little choice but to make changes and put business continuity plans into action (assuming they have one). These pivots are stressing out just about everyone, from frontline workers to internal departments. Of course, this stress is acutely felt by security leaders who are being asked to deploy accommodations both quickly and securely.
On their plates? Defending against cybercriminals who we've already seen in the past few weeks taking advantage of the panic to craft new phishing and malware campaigns. Security leaders are also scrambling to both enable larger-scale work at home arrangements and educate users about the new risks of remote work.
That's just scratching the surface of all that must be done in the security department during this trying time.
The Edge asked security leaders what they have so far learned about securing business in a pandemic.
Ivan Fioravanti, CTO of CoreView: "In Milan, we are in the epicenter of the Coronavirus outbreak. Given there weren't even any infected people in Italy three weeks ago, we've really been taken by an unforeseeable storm.
IT has historically been characterized as a cost center, inclusive of 'slow' people blocking projects, unable to keep up with the change, reducing productivity, unable to support company needs, etc. But now, in these unusual times, they have to change. They have to become heroes. Remote working is made possible by cloud and SaaS-based tech stacks together with great connectivity. But the real enabler is the mindset -- people must understand that these technical tools are now the real difference between zero productivity and full productivity, zero human relationships and great human relationships. IT departments now have the responsibility to keep businesses running, and they have to take some risks in doing this. They have to balance productivity and security as much as they can."
Malcolm Harkins, CISO advisory board at Awake Security: "In just the last couple weeks, I've had dozens of dialogues with organizations looking to secure remote workforces at a scale that would have seemed impossible before. One business, for example, wanted to grow their remote workforce by 50% -- thousands of people -- 'by Monday,' less than a week later. Not only is this going to massively expand organizations' attack surfaces as people begin connecting to the network from a wide array of potentially 'polluted' home environments, but it's also coming at a time when purse strings and IT budgets are tightening due to revenue implications also presented by the virus.
"The predicament here is that growing remote workforces while simultaneously cutting security and IT spending is, for most businesses, just addressing one issue by making another one worse. Cutting corners can lead to a critical breach that would actually topple the business, rather than just wounding it."
Aaron Turner, president and CSO of HighSide: "With many organizations using software-as-a-service (SaaS) platforms like Office 365, G-Suite, Zoom, Slack, and others, employees need to understand the vulnerabilities in those systems when they are sharing data while working remotely.
"For example, Slack has been very transparent in their government filings that they cannot assure the security of information flowing through their system. Every bit of information sent to Office365 or G-Suite can also be intercepted, manipulated, and altered with relatively simple attacks by anyone who has access to network infrastructure that lies between the user and those SaaS services."
Mat Newfield, CISO of Unisys: "I believe many organizations are having to face the reality that most of what we do is a human business. How do you protect the people that work for and with you? How do you ensure you are doing all of the right things? These are questions people should have been asking during their preparedness training and not waiting until a real event."
Eyal Sasson, CISO of Gett: "It is very easy to focus only on risks associated with high probability situations, but we should always try to prepare for extreme events and find the right balance between the risks we [attend] to. I can also say that when something of this magnitude happens, you also learn the value of hiring a dedicated team of problem-solvers. Great hiring is the gift that keeps on giving."
Read related story: Beyond Burnout: What Is Cybersecurity Doing to Us?
Andy Ellis, CSO of Akamai: "As COVID-19 propagates, in many ways it's a microcosm of how humans deal with novel risks. One thing that we tend to see is people shifting from, 'Oh, it doesn't matter' to, 'Oh my goodness, it matters right now.' People near one another don't always transition together, and the abrupt disconnect when one does can often be jarring. As security professionals, it's a great opportunity to show compassion for our colleagues, rather than more ... negative emotions. But that's a lesson about the industry in general."
Also by Andy Ellis: Working from Home? These Tips Can Help You Adapt
Chris Wysopal, CISO and CTO of Veracode: "There is a saying that I have heard many CISOs make: 'Don't let a data breach go to waste.' What they mean by this is to take a breach as an opportunity to find gaps in your security program and get funding to fill those gaps given the urgency of the moment. I was speaking with my head of business continuity a few days ago while we were planning for the potential of having the entire company work remotely about running a test to find any gaps in our business continuity planning. I had the thought that this is the perfect time to improve our planning and that we shouldn't let this potential pandemic go to waste. Let's use the urgency to get all business functions to improve their planning to continue business during a pandemic."
Jerry Gamblin, principal security engineer at Kenna Security: "If your company waited until after the outbreak to start thinking about what work from home would look like for your teams, you are way behind. Be flexible and trust your employees. You have to empower your employees to make the best decision for themselves and your company during a crisis. Give them the flexibility to control when they need to work remotely or travel based on their 'personal risk model' that's based on who they interact with on a daily basis."
Read related story: Privacy in a Pandemic: What You Can (and Can't) Ask Employees
Alex Holden, CISO of Hold Security: Phishing emails about the coronavirus are on the rise, fueling the crisis as well as fake news, product shortages, and threats. In addition, the overall threat landscape is getting worse. While in quarantine, more people turn to cybercrime during their idle times at home with nothing else to do. Hence, companies need to anticipate the next steps from the crisis and from the miscreants looking to capitalize on these crises."
Read related story: Malware Campaign Feeds on Coronavirus Fears
Greg Touhill, president of AppGate Federal: "Virtual private network (VPN) technology is showing its age and lack of agility to respond to crises. I'm in conversation with numerous CIOs and CISOs who are grappling with trying to enable massive, enterprisewide secure information access. Most have been using VPNs for a percentage of the workforce to remotely access organizational information. During this crisis, they have found the demand for access well exceeds their current infrastructure and licensing capabilities. Moreover, the timing to implement expensive expansion of VPNs exceeds their resources in time and treasure. We're seeing many organizations now looking at software-defined perimeter (SDP) technology to provide agile and highly elastic capabilities enabling secure remote access while actually reducing their costs."
Read related story: COVID-19 Drives Rush to Remote Work. Is Your Security Team Ready?
Alison Davies, CISO of English Blinds: "We're considering the implications of the physical security of company tech that would not usually be taken off-site in order to enable home working, plus the equivalent threat posed by workers using their own personal devices and/or transferring data between company and personal devices, and the methods that they use to achieve this."
Andrew Werking, executive director, cybersecurity at Agio: "Planning pays big dividends. An up-to-date business continuity plan, call tree, and roles and responsibilities; a well-defined workflow, application, infrastructure, personnel and third-party dependencies; and tested and proven continuity of operations procedures are required to avoid service disruptions and successfully sustain operations. We've all advocated for this for years, but seeing it in practice highlights a stark contrast between firms that invest in continuity planning and those that don't."
Muly Gottlieb, CTO of CloudShare: "This is a reminder that we take certain things in our personal and professional environments for granted, such as learning the latest security technology or certifications at industry conferences. We should keep questioning the basics and things that seem obvious, and try to prepare for all 'known unknowns.' To whatever extent possible, we should also plan for 'unknown unknowns,' which means ensuring business continuity plans cover physical and digital courses of action, especially to manage risk from external forces or environmental factors outside our control."
Image: CloudShare
Related Content:
• Beyond Burnout: What Is Cybersecurity Doing to Us?
• Working from Home? These Tips Can Help You Adapt
• Privacy in a Pandemic: What You Can (and Can't) Ask Employees
• Malware Campaign Feeds on Coronavirus Fears
• COVID-19 Drives Rush to Remote Work. Is Your Security Team Ready?
As the crisis surrounding the novel coronavirus COVID 19 continues to spread around the globe, businesses everywhere have little choice but to make changes and put business continuity plans into action (assuming they have one). These pivots are stressing out just about everyone, from frontline workers to internal departments. Of course, this stress is acutely felt by security leaders who are being asked to deploy accommodations both quickly and securely.
On their plates? Defending against cybercriminals who we've already seen in the past few weeks taking advantage of the panic to craft new phishing and malware campaigns. Security leaders are also scrambling to both enable larger-scale work at home arrangements and educate users about the new risks of remote work.
That's just scratching the surface of all that must be done in the security department during this trying time.
The Edge asked security leaders what they have so far learned about securing business in a pandemic.
About the Author(s)
You May Also Like
CISO Perspectives: How to make AI an Accelerator, Not a Blocker
August 20, 2024Securing Your Cloud Assets
August 27, 2024