“Early on in the pandemic, many organisations applied a sticky plaster to security to try and get them through what we thought was going to be a few weeks, perhaps a couple of months,” says Maxine Holt, Senior Research Director at Omdia.
“But now we know that was not the case and organisations are beginning to peel back that plaster, they’re recognising that they’re going to need to build secure, long-term remote working environments and develop sustainable cybersecurity practices to complement this.”
As coronavirus lockdowns were implemented globally in March last year, there was a sense that the world would never be the same.
Nearly one year on from the beginning of Britain’s lockdown on 23rd March, businesses and organisations across the country continue to grapple with the impact of the pandemic and safely navigate a perilous global environment.
For individual employees, the situation has remained much the same. Wake up, clock in and begin the day in the same way as every other for the past year.
What has changed, quite rapidly in fact, is the scale and severity of the cybersecurity risks one faces when beginning work each day.
The past year has seen a marked escalation in cybersecurity risks, with attacks on vaccine research, universities and public services frequently hitting headlines.
Pivoting at Pace
Looking back to the beginning of Britain’s lockdown, Holt believes the fast-paced, fluid nature of the pandemic created the perfect storm for cybercriminals, hackers and those who seek to prey on vulnerable organisations and their workers.
As organisations pivoted to new remote working practices, gaps were left in defences and for many firms, security was very much an afterthought as they scrambled to stay afloat amid an unprecedented period.
“Every time you turned on the news, something else had happened, or changed, and it was all escalating very quickly, and organisations were in the same position – they really struggled to keep up with the pace,” she says.
“From a security perspective, lots of organisations were not prepared when it became apparent we had to stay at home.”
Research conducted by Omdia showed that, during the onset of the pandemic, only around 18% of the total workforce could work remotely. Since then, that has increased to around 54%.
“That still sounds fairly low,” Holt explains. “But, we’re talking about the total workforce base. A lot of organisations just didn’t have the capacity or capabilities to implement these changes so quickly.”
The rapidly evolving situation in March of last year forced many organisations to shift their priorities firmly toward remote working to continue providing services. When a ship is taking on water, there’s not much time for procrastination; the leak has to be found.
“If we were lucky, security was an afterthought at some organisations. In other cases, it was just not considered at all,” she asserts.
This, Holt notes, is evidenced in security practitioners at some organisations being taken away from their roles to facilitate the roll-out of remote working. And while this is understandable, the long-term implications of this could come back to haunt some companies.
New Challenges, Old Threats
When the dust settled and the initial furore of the pandemic subsided last summer, Holt says many organisations were given room to breathe. With that moment of silence, however, came a sudden realisation.
Threats were growing in sophistication and intensity, and many of their employees were working from home, in environments they could not monitor. Simply put, organisations were flying blind in uncharted territory and at huge risk of attack.
“After the initial stages were over, all of a sudden organisations stopped and thought about the fact people were working from home. There are so many variables here to consider, so many threats. Critically for some, they didn’t know who staff were potentially living or working with,” she explains.
Poor cyber hygiene habits have also put organisations at risk during remote working, a recent survey suggests.
A poll conducted by YouGov on behalf of IT company Iomart found that poor password management and allowing children to use work devices are some of the bad habits creating cybersecurity risks.
Remote working en masse, it seems, presented many organisations with new safety headaches. Even the innocent act of a child playing with a laptop – a situation which in a physical office environment would be unlikely – could have serious ramifications for organisations, clients and customers.
Ransomware, ransomware, ransomware
Amid a background of uncertainty, the spectre of ransomware also lingered in the minds of CISOs across the country. Ransomware isn’t a new threat; it’s been around for several years now, but 2020 was a year marked by incident upon incident involving this attack method.
In the UK, local authorities such as Hackney Council fell victim to a ransomware attack while the Scottish Environmental Protection Agency (SEPA) was crippled by one toward the end of last year. Nearly four months into the year, SEPA still struggles with the impact caused by this attack.
This method, Holt says, was and remains an area of particular concern. Indeed, the cybercriminals behind many attacks have been feeding on the disruption caused by the pandemic, particularly in terms of organisational planning and employee vigilance.
“Ransomware, as we all know, has gone up significantly across 2020 and is an area of huge concern,” she comments.
“Most organisations should’ve had a ransomware plan before 2020. But with some it’s been a case that they’re not up-to-date enough or they’ve just not prepared for it at all.”
This, Holt explains, is once again down to a case of prioritising resources amid a challenging period. A poll conducted on Dark Reading highlighted a concerning lack of awareness and planning for ransomware attacks among respondents.
Only one-quarter said they felt ‘confident’ in their ransomware contingency plans, which Holt points out leaves a concerning three-quarters feeling ‘unconfident’ in some capacity.
“Some don’t even have a plan, some think there are a few holes in their plans and others think there are a lot of holes in their plans,” she says. “So this is definitely concerning because ransomware isn’t going away.”
A positive outcome of the pandemic in regard to cybersecurity policy has been a heightened understanding of threats, a concerted shift toward bolstering employee awareness and the further development of sustainable cybersecurity practices.
“Organisations have really been looking to help their employees with security controls for when they’re working remotely,” she asserts. “I do think this is a positive because remote workers are no longer the few, they’re the many.”
“Long-term we’re going to create a more sustainable cybersecurity culture this way and provide the controls that people need to operate safely.”
Cultivating Sustainable Cybersecurity Practices
All too often pre-pandemic, employees were viewed as the ‘weakest link’ in an organisation’s security. Moving away from a negative culture toward an open, honest environment will also improve resilience in the long term.
“I dislike intensely the idea that people are the weakest link. They are an important component of security controls because we cannot rely on technology alone to protect us,” she says.
“We need people, process and technology to prevent, detect and respond to security incidents and breaches. So moving forward people have a huge part to play.”
Sadly, some organisations have traditionally viewed cyber education as a tick-box exercise; one that can be filed in the HR drawer to say it’s been completed. This is “plain lazy” and a major failing on a company’s part, Holt insists.
It’s a self-fulfilling prophecy. Identify the employee as the weak link, fail to inform and educate and then, when that employee clicks a malicious link, it reinforces the traditional stereotype.
Despite the challenges that businesses and employees have faced, Holt believes the pandemic has presented an opportunity to cultivate a more open and sustainable cybersecurity environment.
Moving out of the pandemic and back to some semblance of normality, Holt warns that cyber threats show no signs of stopping. However, the lessons learned during this period and a focus on bolstering sustainable cybersecurity practices will stand organisations in good stead.
“I don’t think we’re going back to whatever ‘normal’ was before, the hybrid model is here to stay,” she says. “We’re going to be continuing with an expanded threat landscape, and it will continue expanding as organisations evolve and transform their ways of working.
“The more we expand our digital operations and capabilities, the more the threat landscape expands further.”
Join the Debate | Scot-Secure 2021
Maxine Holt will explore how organisations can cultivate sustainable cybersecurity practices at the upcoming Scot-Secure cybersecurity conference on March 24-25th.