COVID-19 not only changed the way we work, it also created what Mimecast co-founder and CEO Peter Bauer describes as the paradox of our rapidly growing reliance on the digital workspace.
The sudden rise of work-from-home employees, combined with the ongoing digital transformation so many organizations underwent in the aftermath of the pandemic, has presented a golden opportunity for bad actors looking to fabricate identities and information sources within organizations, Bauer said.
“Things that we trust — and need to trust — in the digital workplace are entirely up for grabs as we wind forward. And that means that our CIOs and our CISOs are confronted by a very challenging landscape: to be able to provide assurances and continuous confidence in this digital-first workplace going forward,” he said.
“And that’s a multifaceted challenge. It turns out it’s not as simple as it sounds, particularly because the digital workplace now is THE workplace. It's almost redundant to say digital.”
At the same time, said Theresa Lanowitz, head of cybersecurity evangelism at AT&T Cybersecurity, organizations are adopting a more inclusive approach to cybersecurity.
“One of the things I think that we’re seeing — and this is across the industry — is that cybersecurity has definitely moved from being a technical issue to being a business requirement. It’s no longer about those nefarious hackers in a hoodie sitting in the corner. It really is about enabling the business,” she said.
“There’s this shift inside of security organizations — and across the board — to a more mature way of thinking and a way of looking at all of those attacks that are out there, that are prevalent, and understanding how the adversaries may work in conjunction with one another and understanding which of those attacks may be pertinent for a particular vertical market, and so on.”
Living life on the edge
At the same time, Lanowitz said, the move to edge computing and the proliferation of internet of things (IoT) devices are two areas impacting both the expectations of users and the demands placed on security teams.
“With edge computing, you have applications that are completely different. You have new types of networks that are lower latency, higher bandwidth, faster than we’ve ever seen before, more inherent security,” she said.
“There’s more of an expectation from the customer side that you’re going to be safe, you’re going to be secure in what you’re actually consuming.”
As the use of IoT devices explodes, Lanowitz said it brings back memories of the pre-cloud era when there was rapid growth in the use of on-site servers, which brought similar device management challenges for IT departments.
“We’re coming to the point now with these IoT devices where we were several years ago, before the cloud, where every developer had a server under their desk, and people didn’t even know those servers existed,” she said. “The IT community was then caught off guard when they realized all these servers were out there. And I think we’re running into that same sort of thing with these IoT devices that are just proliferating out there, one after another, because we may have experimental programs and forget to decommission them.”
Security awareness training still lags
Despite rising threat vectors and costs around cyber attacks, Roger A. Grimes, data-driven defense evangelist at KnowBe4, said organizations are still not doing nearly enough training with their staff.
“You have a ton of organizations out there that don’t do it at all, and the vast majority of people that do do it, do it as a compliance effort, once a year. And our data — we've looked at a lot of data for over 13 years — shows that doing it once a year has the same utility as just not doing it,” Grimes said.
Ideally, training should be carried out every month, he said, so it remains fresh in employees’ minds. It should also create a “healthy culture of skepticism” among employees about emails and other communications they receive, while eschewing boring or forgettable approaches.
“Change up the training; do humorous stuff, do repetitive stuff,” Grimes said. “You want to train like people market on TV. If you notice, the commercials they either love or hate on TV are always constantly, forever being recycled … but there’s a reason why they’re doing it — it’s because it works well.”
Combining human intuition and AI
In addition to ensuring employees are aware of their role in securing an organization, the proliferation of artificial intelligence will become an increasingly powerful factor, both as a defense mechanism and a tool used by threat actors.
“It’s true that AI can have tremendous benefits, but it affords a productivity gain to those bent on deception, and we have to be able to equip organizations to deal with deceptive artifacts in their environments,” said Bauer.
While developments such as edge computing are driving more of a focus on network-level security and zero-trust frameworks, a similar approach needs to be taken at the “content” level.
“It’s a constant pursuit of authenticity and validation. Now, when you get inside the world of digital workplace content and interactions, it’s the same discipline that you start to apply there. We learned a great deal about doing this inside email because email is probably example number one where it’s quite trivial to fabricate the display name of somebody.”
Anyone can set up a new Gmail account in the name of Bill Gates, for example, and instantly begin phishing a target using well-established social engineering techniques.
“Obviously, now we have a lot of technologies that look at that [type of attack and defending against it requires] a combination of machines and people trying to create that zero-trust effect inside the collaboration environment,” Bauer said.
While technology, including AI, will continue to have an important role in detecting malicious artifacts, “sometimes it really does take a suspicious mind or a keen eye of a person to go: ‘I’m not sure either but this worries me.’ Push a button and then it gets dealt with in a different risk category,” he said.
“It’s a fascinating, multifaceted thing, and I would think of it as zero-trust coming all the way down to almost the content artifact or the interaction level. How do you apply healthy skepticism without disrupting productivity in that environment? That’s the challenge.”
Some things never change
While technologies, paradigms and attitudes towards security’s key role within the business may be maturing, some aspects of the cybersecurity world remain the same, including the nature of many hacks and other malicious behaviors.
“Over the decades, the same threats are really still the core threats,” said Grimes.
“Social engineering, where someone’s being tricked into providing information or installing a trojan horse program, unpatched software. Those two things have been the number one and number two threats since I got into computers and computer security in 1987 — and continue to be,” Grimes said.
He says organizations should be taking advantage of the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities Catalog to prioritize their threat response.
“Only about 4% of exploits are ever used by bad people to exploit a company in the real world, and CISA has that list. It used to be the conventional wisdom was you’ve got to make sure your Microsoft machines are patched. But it turns out that a lot of [exploited vulnerabilities] are your routers, your firewalls, your load balancers, that a lot of the software patches that we’re seeing aren’t the Microsoft stuff,” he said.
“Definitely pay attention to the [list], because that tells you what you need to patch for sure.”