
Addressing Cyber Security Challenges in Digital Transformation

30 June 2020

By Justin Gibbs – justin.gibbs@ka2.io


The onset of the COVID-19 pandemic has compelled organisations of all sizes to rethink how they work. The resulting workplace transformation has ushered in and accelerated digital transformation initiatives at these organisations. This is as true in more obvious verticals – like telehealth, education and remote learning and the events and conferences industry – as it is for small and medium-sized businesses, as well as private and public organisations.

Today, these organisations have identified an urgent need to quickly scale up capabilities to support now-remote workforces and to find new ways to service internal and external customers. As a result, organisations have been required to re-prioritise digital transformation projects to ensure they stay connected and productive amidst (and following) the pandemic. While worldwide IT spending is expected to decline overall by 2.7 percent in 2020, two areas are poised for growth: infrastructure spending and software investments.

Cybersecurity priorities are also changing. Organisations are finally demonstrating a greater focus upon security as part of their normal operations as their digital transformation accelerates and new ways of working emerge. Smart investment in security is now key.

In this post, we highlight some of the cybersecurity challenges you’ll need to address as you make these investments, including shadow IT, access controls, data loss prevention and employee education.

Security Risks in Digital Transformation

First, let’s set the scene. It’s a challenging one.

As organisations transitioned to remote operations, the risks they faced also increased. Consider your previous work environment. There existed a company perimeter around your workers, who were likely using corporate-issued hardware and devices; software was configured with up-to-date and robust security protections, and employees accessed cloud services through a limited number of secure internet gateways. Likely, your technology team was on-site, or a brief service call away, and you had policies and protections in place to monitor your voluminous critical data. Fast forward to today, and this perimeter has gone. Corporate data now resides on potentially many devices, resulting in a much wider attack surface, and often with fewer resources to monitor it.

This landscape is particularly challenging for companies in regulated industries, such as financial services, as their employees are more vulnerable to phishing scams and “hostile home networks,” in which multiple family members may have access to a computer.

Remote working also increases the risk of a successful ransomware attack, due to weaker controls presented by home IT environments. There is also a higher likelihood of users who will click on malicious links, especially if corporate devices are not provided.

On top of all this, we have seen an increase in the use of collaboration tools like video conferencing. While many technology companies have made strides to better secure their products in light of COVID-19, this shift to new platforms exposes the baseline security standards of a given product. The lockdown was implemented fairly swiftly and, understandably, businesses had inadequate time and resources to fully assess product security controls before those products became a crucial daily component of staying connected and maintaining business.

If you’ve weathered the transformation thus far, you’re still not quite out of the woods. Securing your remote workforce should be a prime concern for organisations, especially as it’s likely to be more than a trend. We expect many organisations to continue these work-from-anywhere policies for the long term.

Addressing the Challenges

It’s a concerning picture. However, there are measures your technology team can implement to reduce your risks while still ensuring a flexible work environment and continued productivity. We outline four measures here.

Beware of Shadow IT

The answer is not to limit or restrict the technology tools that employees need to do their jobs. If your organisation does not provide adequate solutions for communication, file access and sharing, and productivity, intrepid employees will find and download their own digital solutions, often ones that present even greater security risk and that are not approved by your team. This is “shadow IT”. It can also lead to regulation and compliance challenges, as well as increased costs associated with divergent technologies and drops in productivity.

Aim to strike the right balance between employee productivity and protecting your operations and business resiliency. In many cases, the DIY approach of shadow IT is well-intentioned. At the same time, it’s incredibly risky. Continue to monitor the cloud and network for unapproved software use.

Ensure that secure configurations are in place for all enterprise licensed software in use at your organisation, across all teams and departments. The most common platforms today are all capable of providing the necessary levels of security when properly implemented and used. In addition to security, proper configurations will also help you manage access, overall functionality and data loss prevention controls.

Access Controls are Crucial

While we’re all figuring out new ways of working, one thing remains unchanged: we’re still really bad at passwords. In fact, 80% of hacking-related breaches are still tied to passwords. At a minimum, educate your team on password best practices: don’t re-use the same password across services, and consider implementing a password management solution instead. Make multi-factor authentication (MFA) mandatory for employees’ remote access (VPN) to enterprise systems and for the many cloud services in the burgeoning SaaS estate, to minimise account compromise.

To help, we’ve created these Smarter Awareness Tips on recommended user access control (UAC) including:

  • Implement two-factor authentication (or MFA) to keep attackers out even if they’ve stolen passwords
  • Remove users from local administrators’ groups (with Microsoft specifically, this can reduce vulnerability exploits by 80 percent)
  • Disable credential caching
  • Enable admin approval mode (which will also prevent lateral movement attempts)
  • Use the highest UAC enforcement level possible (like “always notify”)
  • Exercise least privilege
  • Avoid credential overlap across systems
  • Apply account lockout policies or progressive delays for logins
  • Disable anonymous login
  • Avoid staying logged-in on remote systems
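Several of these tips map to concrete local Windows settings. The following read-only audit script is an added example (not part of the original post or KA2’s own tooling); it assumes a Windows host with PowerShell 5.1 or later run from an elevated session, and the registry values and thresholds in the comments are the author of this example’s choices, not settings the post itself names.

```powershell
# Added example: read-only audit of UAC level, Admin Approval Mode, credential caching,
# anonymous access, local Administrators membership and account lockout. Reports only.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$lsa       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Returns a registry value, or the supplied default when the value is not present
function Get-RegValue($Path, $Name, $Default) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default } else { return $item.$Name }
}

$findings = @()

# UAC enforcement: "Always notify" = ConsentPromptBehaviorAdmin 2 + PromptOnSecureDesktop 1
$enableLua = Get-RegValue $policyKey 'EnableLUA' 1
$consent   = Get-RegValue $policyKey 'ConsentPromptBehaviorAdmin' 5
$secureDt  = Get-RegValue $policyKey 'PromptOnSecureDesktop' 1
if ($enableLua -ne 1) { $findings += 'UAC is disabled (EnableLUA=0)' }
if ($consent -ne 2 -or $secureDt -ne 1) {
    $findings += "UAC not at 'Always notify' (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secureDt)"
}

# Admin Approval Mode for the built-in Administrator account (FilterAdministratorToken=1)
if ((Get-RegValue $policyKey 'FilterAdministratorToken' 0) -ne 1) {
    $findings += 'Admin Approval Mode not enabled for the built-in Administrator account'
}

# Cached domain logons: CachedLogonsCount is a string value; 0 disables caching
$cached = [int](Get-RegValue $winlogon 'CachedLogonsCount' '10')
if ($cached -gt 0) { $findings += "Domain credential caching enabled (CachedLogonsCount=$cached)" }

# Anonymous access: RestrictAnonymous 0 places no restriction on anonymous connections
if ((Get-RegValue $lsa 'RestrictAnonymous' 0) -eq 0) { $findings += 'Anonymous access not restricted (RestrictAnonymous=0)' }

# Local Administrators membership: every entry here should be justified
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$findings += "Local Administrators members: $($admins -join ', ')"

# Account lockout threshold from the local account policy; 'Never' means lockout is off
$lockoutLine = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
if ($lockoutLine -match 'Never') { $findings += 'No account lockout threshold configured' }

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

The script only reads; apply any resulting changes through Group Policy or your endpoint management tooling so they are enforced consistently across the fleet.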

Ensure Data Loss Prevention Controls

Data loss prevention (or DLP) will protect your organisation’s intellectual property and customer data. It can also help you uphold legal or data privacy requirements. In many cases, we’re working alongside family members and roommates who, while certainly not hackers, do present potential compliance breaches. A Bloomberg article about data protection in the era of COVID-19 outlines some of the most common compliance challenges and data-loss solutions, including:

  • Mandate login security controls (see section above)
  • Enhance real-time alerting and monitoring, especially since data loss can occur in new places, like IM chats and mobile devices
  • Ensure additional protections for sensitive files, and always encrypt data at rest
  • Invest in robust threat detection and threat intel

Ensure that mobile device management (MDM) software and endpoint DLP solutions are in place for remote workers and disable or restrict access to insecure home printers, monitors and other devices.

In addition, remember that teams may also be using their own computers and devices while at home; implement MAM (Mobile Application Management) software to protect corporate data on personal devices.

Educate your Employees

One solace is that we really are all in this together. COVID-19 has transformed (and is still transforming) the way we do business, all around the world. One common theme in addressing the most pressing cybersecurity concerns is people. Your employees are your front line of defence against attack – your operations are only as secure as your users, even when intentions are good. For example, a staggering 98 percent of incidents are caused by human error, not theft or cyberattack. The culprit is most often a lack of information, not maliciousness.

With this in mind, invest in resources and training to aid your employees. Help them recognise phishing scams and create a clear channel to report suspicious emails or files in a timely manner. If you don’t provide education yourself, encourage (or require) your staff to complete relevant online learning modules or obtain certifications in some of the digital platforms they use. These accomplishments can also contribute to greater employee experience, continuous self-improvement and marketability.

While tools and policies are critical components of secure and scalable digital transformation, don’t neglect the important cultural shift that is happening at the same time. Companies that were previously reluctant to allow flexible remote work are now finding it mandatory. This can be a source of stress for employees and leadership alike. Your efforts at employee education can also be a space to bring employees through this journey, together, toward a safe, secure and productive future, regardless of what the new “normal” is.

At KA2, we approach every digital and business transformation project with both a security-first and people-first mindset. Please get in touch to discuss your unique project and see where and how we can help you today.