There’s no precedent for the time we’re experiencing right now. The pandemic is changing our work patterns in profound ways and at lightning speed. For many of us, this has meant a shift from working in a secured office environment to working from home. For years, IT and cyber experts have been deploying technologies that allow us to work from anywhere, at least occasionally. For many companies, those systems are now being stressed in unimagined ways.
Cybersecurity leaders are always anticipating cyberthreats. Today, as our corporate infrastructure is spread across the home networks of our teams, extra considerations are warranted to make sure that we are protecting this new distributed operating mode.
We sat down with Axio Founder and President, David White, to discuss how the COVID-19 pandemic is changing the way we approach business as usual even when it’s anything but.
Let’s start on an optimistic note. From a cybersecurity standpoint, how are corporations with cybersecurity protocols already prepared for the pandemic?
A chief information security officer’s priority is to preemptively consider how a cyber-attack could happen, regardless of the scenario. And in that way, this time really isn’t all that different from others. Obviously, the scope of it is much larger than any of us have had to deal with prior, but to an extent, our occupation is focused on being prepared even if 40% of your workforce is working from home, or 100% of it is.
Just to reiterate: you’re speaking of an ideal scenario.
Definitely. I can’t say that every CISO is prepared. We were all caught by surprise in the speed at which the work-from-home transition happened. When we partner with cybersecurity and risk leaders, we collaborate to identify as many cyber risks as possible and then focus on a prioritized set. Those priorities have changed, at least for now.
Okay, now let’s talk about the cyber risks that are new to the COVID-19 pandemic.
Well, for starters, as I mentioned before, a lot of people are working from home. And when you have your workforce spread out as they are now, there are some new risks to consider. First, you have to set everyone up with equal, or similar, capabilities as if they had been sitting in their designated corporate environment, and that’s a lot of work, especially for job functions that you never imagined might need to perform their role remotely. We’re relying on our employees to be front-line defenders to an extent we never have and in the face of dramatic increases in threat activity.
That sounds overwhelming.
It can be—not enough laptops, inadequate VPN bandwidth, access challenges to certain systems that were not designed for remote access. I heard one CISO say, “laptops are our toilet paper, we just can get what we need right now.” Axio’s software and methodology enable security and risk leaders to quickly understand the new cyber risk reality of this operating mode and build the needed capabilities to control it.
Should we expect a higher frequency of cyber-attacks now during the COVID-19 pandemic?
Yes, and the threat data that we are seeing confirms it. Both nation-state and criminal actors are increasing activity. For example, ransomware attacks have increased by 150% and DHS is alerting on continued nation-state activity. There’s a lot of new attack surface in use and both defenders and attackers are busy looking for unpatched weaknesses. I’ve been looking at it this way: if you want to get into someone’s house, you can use a door or a window. These days, however, there are many more doors and windows.
Well, we started on an optimistic note. Perhaps we should end on one too?
One of the things we are seeing right now is the importance of viewing cybersecurity in a business context. Job one is to sustain the activities and enable the organization to achieve its mission. That is not new, but many companies are getting a new perspective on the importance of cybersecurity as an enabler for the business. A key part of Axio’s mission is to empower security and risk leaders to frame both cyber risk and cybersecurity controls in a business context. This allows for sound justification for spending and other priorities. Right now, it means focusing on new risk priorities stemming from our current operating mode and making sure we are optimizing our controls to address those risks.
And for those that haven’t considered the importance of cybersecurity for their corporation…?
Some may think that we will never be able to do enough. Even for organizations that are early in their cybersecurity journey, framing the challenge and the priorities in business terms is perhaps now more critical than ever. It’s a big change in how we have viewed the problem and it’s absolutely the right place to start.