It is becoming clear that Covid-19 has devastated our society and its impact on home and work will be with us for decades to come. Our lives are being turned upside down and “back to normal” has a different meaning every week. 2020 may go down in history the same way as 1914 has, the year after which nothing would ever be the same again.
But amongst the tales of isolation and hospitals strained to breaking point, are also stories of amazing ingenuity and inventiveness. We humans are nothing if not resilient, and that is what will eventually mean our survival, even if normal is unrecognisable.
We are a resourceful species and never more so than when the threat is greatest, and the peril shared. With companies struggling to survive, staff are doing absolutely everything they can to get the job done; even when working from home; even in lockdown; even when they must find the tools themselves. The bad news for the security world is that whilst this very resilience is our vital Covid super-power, it could also be our biggest and most dangerous cyber-weakness.
Old threats have not gone away just because new ones have appeared. Since the pandemic started, ransomware payments have increased by a third and phishing emails by over 600 per cent, as the world changes before our eyes. Remote working and unfamiliar business norms make every company vulnerable to the person who was just trying to get the job done: the non-malicious insider, unintentionally giving away the keys to the firm as they work ever harder.
Rightly, there are big concerns over Zoom, Teams, Skype and the rest, especially where companies are embarking on mass working from home for the first time. We hear of companies that have rolled out Microsoft Teams in days rather than months. Working from home on personal laptops (otherwise called Bring Your Own Device, or BYOD) has become so widespread that Amazon can barely ship new machines fast enough. In the absence of policy, colleagues will use Slack, FaceTime and Facebook Messenger to communicate with each other. They are, after all, just getting the job done.
Every security professional has a story of the guy who sent confidential files to their Gmail to finish an assignment; the colleague who used their personal Dropbox to collaborate with their team; the developer who sent code snippets on Slack; and the password sent by Facebook Messenger. Mine involved a colleague both entering and approving payments over Christmas to beat the year-end deadline. Every one of these staff ended up on the pavement with a bin bag in their hand, saying: what did I do wrong? I was just trying to do my job.
So, what can we do to protect our firms? As cybersecurity experts, we often say – let’s not take the risk, safety first. We ask – am I sure it is secure? And more often than not we say “no” to our colleagues.
Now, it may sound counter-intuitive when we’re talking about staying secure, but how about saying “yes” a bit more often. We need to overcome our initial impression that this may be the most stupidly insecure idea ever, and work out whether there is a legitimate business need we can help with. BYOD started the “why not” debate on security; maybe the stark choices of Covid-19 will end it. We all need to communicate, share material and video chat, or we are out of business.
But firms still need to control the tools, data and channels that staff access, in a way that empowers colleagues to make good, informed choices. As lockdown is relaxed, we are still seeing most office staff working from home. Our clients are saying they will probably never go back to regular working in an office. As large centralised functions give way to smaller functional teams, access control needs to evolve in the same way. Security leaders need to define new security norms, adopt best-in-class analytic tools and improve security processes. But, as with government advice, you cannot expect people to take responsibility when they have no meaningful guidance.
The perfect triangle
The good news is that smaller teams that interact more frequently are perfect for this new security world. They share institutional knowledge better, they self-manage more effectively, and they are easier to communicate with. They also have the added benefit of higher levels of engagement, one of the best antidotes to phishing and other cyber-threats. With security departments working closely with these teams, there is an opportunity for staff to really be the first line of defence: if they don’t need an access right, they can remove it themselves. This approach does not deal with the malicious or criminal insider, but it lets you see the wood for the trees and frees up the cyber-security team to work on spotting the real bad guys. Over time, it will also mean that the annual entitlement review, a kind of monolithic, moribund cyber stock-take, is consigned to history, replaced by lightweight manager reviews and self-reviews carried out when they are needed.
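The continuous, team-level review described above can be driven by fairly simple identity analytics. The following is an added example, not code from this article or from Idax; it works over a constructed entitlement list and a hypothetical segregation-of-duties rule, and flags three things a team lead, or staff themselves, can act on between reviews: rights nobody has used in 90 days (candidates for self-removal), rights held by only a small minority of a team (peer-group outliers for a manager to look at), and toxic combinations such as one person both entering and approving payments.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data for illustration only (no real accounts or systems).
# One row per held entitlement: (user, team, entitlement, last_used);
# last_used is None when the right has never been exercised since it was granted.
ENTITLEMENTS = [
    ("alice", "payments", "payments:enter",    date(2020, 6, 10)),
    ("alice", "payments", "payments:approve",  date(2020, 6, 9)),   # same person enters and approves
    ("bob",   "payments", "payments:enter",    date(2020, 6, 11)),
    ("carol", "payments", "payments:approve",  date(2020, 6, 8)),
    ("dave",  "payments", "payments:enter",    date(2020, 6, 12)),
    ("dave",  "payments", "hr:payroll-export", None),               # rare in the team, never used
    ("erin",  "devops",   "prod:ssh",          date(2020, 2, 1)),   # not used for months
    ("erin",  "devops",   "prod:deploy",       date(2020, 6, 11)),
    ("frank", "devops",   "prod:ssh",          date(2020, 6, 12)),
    ("frank", "devops",   "prod:deploy",       date(2020, 6, 12)),
    ("grace", "devops",   "prod:deploy",       date(2020, 6, 12)),
    ("grace", "devops",   "billing:admin",     date(2020, 6, 1)),   # only one of three in devops
]

# Hypothetical segregation-of-duties rule: pairs of rights one person must not hold together.
SOD_RULES = [("payments:enter", "payments:approve")]

# Fixed "today" so the example is reproducible offline.
TODAY = date(2020, 6, 15)


def stale_entitlements(records, today=TODAY, max_idle_days=90):
    """Rights unused for max_idle_days (or never used): candidates for self-removal."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted((user, ent) for user, _, ent, last in records
                  if last is None or last < cutoff)


def peer_outliers(records, max_share=0.34, min_team=3):
    """Rights held by at most max_share of the holder's team: peer-group outliers.

    Teams smaller than min_team are skipped, because a share computed over one
    or two people says nothing about what is 'normal' for that team.
    """
    members = defaultdict(set)            # team -> users in that team
    holders = defaultdict(set)            # (team, entitlement) -> users holding it
    for user, team, ent, _ in records:
        members[team].add(user)
        holders[(team, ent)].add(user)

    flagged = []
    for (team, ent), users in holders.items():
        size = len(members[team])
        if size < min_team:
            continue
        share = len(users) / size
        if share <= max_share:
            flagged.extend((user, ent, round(share, 2)) for user in users)
    return sorted(flagged)


def sod_conflicts(records, rules=SOD_RULES):
    """Users holding both halves of a toxic pair: needs a second pair of hands."""
    held = defaultdict(set)
    for user, _, ent, _ in records:
        held[user].add(ent)
    return sorted((user, a, b) for user, ents in held.items()
                  for a, b in rules if a in ents and b in ents)


def run_review(records, today=TODAY):
    """The three findings a team would work through instead of an annual stock-take."""
    return {
        "stale": stale_entitlements(records, today),
        "outliers": peer_outliers(records),
        "sod": sod_conflicts(records),
    }


if __name__ == "__main__":
    for category, findings in run_review(ENTITLEMENTS).items():
        print(f"{category}:")
        for finding in findings:
            print("  ", finding)
```

The thresholds (90 idle days, a one-third share, teams of at least three) are assumptions chosen for the constructed data; the point is that each finding is small, local and actionable by the people closest to the access, which is what makes "review when needed" workable where an annual entitlement review is not.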
But we also need to improve the way we discuss cybersecurity. Covid-19 has shown us that with the right incentives and messaging, behaviours can change rapidly. With some exceptions, the population has complied in a way that was inconceivable in January. As a cyber-security leader who has for years been trying to influence the way people respond to the other kind of virus, I have to admit being in awe of the way a whole population can change its behaviour, seemingly without a single hour of mandatory online training.
Obviously there have been flaws in the approach, but the combination of clear and simple instructions with an easily identifiable threat, followed by measurable results, has led to enviable outcomes. Maybe we can learn from that. Then, with the perfect triangle of decentralisation, more intelligent analytic tools and improved employee engagement, the cybersecurity landscape might look a little less bleak.
Mark Rodbert, CEO, Idax Identity Analytics