The COVID-19 pandemic has provided everyone a fresh lesson that security truly is everyone's job.
As governments began issuing stay-at-home orders and people adapted to working remotely, suddenly, Zoom was on everyone's lips. The platform became a staple of both working from home and keeping in touch with friends and family. Predictably, researchers started discovering security and privacy vulnerabilities, and soon "Zoombombing" entered the conversation. While Zoom worked to secure the product, its users — many neophytes to video calls — had to figure out how to configure their Zoom instances to prevent hackers from hijacking calls.
Traditionally, the concept that "security is everyone's job" has been an essential part of education and awareness campaigns against phishing and other email-related attacks. And rightfully so, as these attacks are often the first step for attackers working their way to their ultimate target. But the Zoom example shows that awareness and diligence are important at every level. Further, in many organizations, collaboration tools such as Slack are replacing email as the preferred method to share content and data. In organizations that impose size limits on email attachments, for example, employees can freely pass around files 10 times that size in Slack sessions.
A former CISO of a prominent intelligence agency once told me, "The most dangerous cybersecurity vulnerability is the carbon-based life-form." Attackers rarely employ a frontal assault on technology to penetrate protected networks. People provide a considerably simpler and often faster path by which to initiate an attack. To attackers, technologies change and organizations adapt to new security vulnerabilities, but humans represent a consistent vulnerability they can exploit.
Thankfully, measures are being taken to safeguard deliverables against human error. Let's take developers as an example. Development teams build the software that powers businesses all over the world. They bridge the gap between man and machine. But what's being done to ensure that issues aren't making their way into the code that drives our power grid, loved ones' pacemakers, or software supporting national elections because it can be hijacked by attackers via known vulnerabilities?
There are plugins available for the developer's integrated development environment that scan for known vulnerabilities as developers code. Once vulnerabilities are identified, developers are notified immediately so that the issue can be resolved before the code is checked in. Another aspect to such solutions is education. Developers are able to identify repeat errors they're making, learning to avoid them in the first place.
Employees must learn that very few hacks occur in a straight line. Hacks often start with small, seemingly inconsequential steps that give attackers a toehold in some organizational system. But that toehold allows the hack to begin in earnest, as the attackers can then pivot within the network to get to their ultimate prize. History has numerous examples of high-profile attacks that originated with what appeared to be trivial breaches. The keys to the second door may be directly behind the door you left unlocked.
Prioritizing security doesn't come easily for someone whose job does not involve sensitive data or systems. But that attitude changes when workers realize they do hold the missing pieces that enable attackers to penetrate key organizational systems. After education, this is the next key step in creating a security-literate workforce: making sure employees understand that any data or credentials they expose, regardless of how inconsequential they seem, can become a toehold for attackers to pivot toward prizes of much greater value.
For this reason, the security strategy of your vendors is also very much your business. Ask questions so you're able to understand where and how security mechanisms are in place. Software supply chain attacks are on the rise, so be certain that any vendors you're bringing into your business have a robust security stance. It could make all the difference.
This awareness must make the transition to the remote workplace. Security awareness has become part of the physical office culture, as many offices have visual reminders and posters to reinforce the messages that employees get in training. The very act of working in an office is a constant reminder of security-related responsibilities. Badging in, sitting in an office chair, and logging in to the organizational network all imbue a sense of responsibility that may not be as prominent when employees are working from the comfortable confines of home in sweatpants.
Working remotely can also lead employees to drop their guard regarding data protection. The discipline required to keep work- and home-related data and devices segregated becomes harder to maintain when people are working from home, with constant, easy access to personal devices. Organizations must remind employees of their responsibilities for security as they work through this phase of the pandemic.
The bottom line is that security is not about tools or technology; it is about establishing a broad, fundamental awareness and sense of responsibility among all employees. Building this awareness creates a workforce that is security literate regardless of circumstances. Education is a cornerstone of creating security awareness, and many organizations have done an admirable job in helping employees learn how to identify security threats such as phishing attacks. But that awareness has to get to a more personal level to be truly effective.
A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.