COVID-19 changed the rules of the game virtually overnight.
The news has covered the broader impacts of the pandemic, particularly the hit to our healthcare, the drops in our economy, and the changes in education. But when a massive portion of our workforce was sent home, and companies moved operations online, no one thought about how vulnerable to cyberattacks those companies had now become. The attack surface had changed, giving malicious actors new inroads that no one had previously watched out for.
The thing is, cybersecurity isn't a battle that's ultimately won, but an ongoing game to play every day against attackers who want to take your systems down. We won't find a one-size-fits-all solution for the vulnerabilities that were exposed by the pandemic. Instead, each company needs to charge the field and fend off their opponent based on the rules of play. Today, those rules are that anything connected to the internet is fair game for cybercriminals, and it's on organizations to protect these digital assets.
COVID may have changed the rules, but the game is still on. Despite the security threat, this pandemic may have caused a massive opportunity for companies — if they're willing to take it.
WFH Isn't New. WFH Suddenly, at Scale, Is
The attack surface changed — and so had the rules of the game.
A work-from-home world isn't a new thing. Slow transitions to remote workplaces have become more of a norm, though pushes for all-remote workplaces come in cycles. In the past five to ten years, despite the rise of flexible work options and global teams, work has still happened mainly in an office.
What is new is a massive amount of the workforce shifting to remote work nearly overnight. Before, employees were protected in an office. Suddenly, the internet became a company's network—thousands of employees turned into thousands of individual offices. Secured networks were traded in for home wifi, and gaps and holes in an organization's attack surface were introduced where they didn't exist before.
That shift suddenly exposed vulnerabilities in the system, like older systems that were never updated, internet assets that were forgotten about, and patches that never happened. These weak links are all the invitation a malicious adversary needs.
Rogue threats—web infrastructure created by criminals—changed, too. Phishing schemes suddenly took a new approach in the form of "COVID lures": emails and ads that lead to questionable websites providing cure-alls for the virus, taking advantage of people's increased fear and anxiety.
Attackers realized they had another advantage: employees responsible for diagnosing and fixing these kinds of security issues are now preoccupied with supporting family, supervising their kids' remote education, or working long hours to cover other cuts. In other words, some of our players were benched.
So, combine this easier access to enterprise systems with the increased willingness to hand over information and a drop in vigilance, and you can see how this all became a new kind of game. The good news is that although malicious actors seeking ways into these exposed systems are adapting, a company can adapt as well.
Going on the Offensive
Companies can't afford large-scale cyberattacks at any time, but they especially can't right now. The COVID-19 pandemic has caused consumers who may have lost significant income to be picky with their purchases and investments. Companies need to be focused on retaining customer relationships so that they'll weather the pandemic, and a take-down of the network could undercut customer trust in unrecoverable ways.
But many companies won't take action. They may view their older systems as good enough to ride the wave to the other side of the pandemic, and once there, they'll go back to what they had used before, unprepared for the next attack. They may get through, but nothing will have changed—things will not go back to how they were, and you will no longer be able to rely on systems that protected a pre-COVID world.
Now, there's an opportunity to huddle up, form a new strategy, and go on the offensive. The pandemic can be an opportunity for businesses to take a look at their vulnerabilities, map their attack surface, and take appropriate actions to secure and strengthen their systems. We've seen this after other catastrophic events, such as after 9/11, when companies adopted new resiliency plans for any future recovery events. Companies have the same opportunity now.
Here are some things a company can do to ensure their systems are secure, even if they've been running a remote workforce for a while.
Invest in Security Teams
Companies who understand the value of keeping their systems secure and taking initiatives against potential leaks will want to invest in cybersecurity. Shore up the team, and make new hires if needed. Overall, companies have been supportive of their security teams during this time, but if security isn't a priority, make it one.
Map the Attack Surface
The quick move to remote work probably meant a fast rollout of new initiatives and quickly standing up new equipment — which means mistakes are the leading cause of a breach. Do an audit of your attack surface to uncover hidden failures and where older systems, forgotten assets, or unpatched issues are creating vulnerabilities.
Ask questions about what changed: What programs were canceled or altered? How are resources shifting around? Can new assets be secured before they roll out? Also, do some threat modeling with your team. Ask what a threat actor would do to attack your systems, or where they would gain a foothold. In other words, anticipate the opposing team's next move. Even the best companies miss something, but the more you can anticipate, the better. Then prepare a response plan for investigating attacks quickly, develop a triage system, create a playbook, and run drills so your players know their roles.
Update the Old and Roll Out the New
Now that you're learning the new rules of the game, can visualize the playing field, and anticipate the opposing team's next move, it's time to act. Update older systems or trade them out for new ones. Patch breaches. Shrink the attack surface. Roll out new digital initiatives you might have been sitting on.
Finally, create that mobile app. Move to the cloud. Find new digital ways to engage with your customers, since it may be a while before in-store foot traffic returns. As you do this, you may come to realize that your systems were set up in such a way that you need to start over. In that case, do it. Now's the time.
Support Your Team
Above all, make sure you have the right team in place, and take care of them. Get them the resources and information they need as they audit, patch, and put new protocols in place for the future. Communicate with both them and your leadership team to keep everyone informed, and if you think you're too busy, communicate even more like teammates would on the field. Hedge for burnout. Above all, give your team the time and space they need to find the holes and make the fixes.
Live to Play Another Day
In many ways, this shift to digital has been in progress for a long time. However, because it was never a necessity, the transformation lagged or stalled from a lack of resources and was moved down the priorities list. But today, we see stalled-out initiatives finally being implemented. The plans have been in place, and COVID is now forcing us to get it done.