The Covid-19 pandemic has not only caused global disruption; it has also changed the cybersecurity landscape. We are observing changing patterns of behaviour from threat actors, experiencing waves of coronavirus-related cyber-attacks and a 6000% increase in phishing scams.
I've spent the last 15 years working at the coalface of cybersecurity, and in that time I've learned many lessons, but one of the most important is that every breach has the same timeline. They all share the characteristics of (1) a pre-breach phase, (2) the breach itself and (3) a post-breach review.
There are various breach types, involving Ransomware, Insider Threat, Social Engineering and Credential Theft, but the timeline of each is almost identical. By far the most damaging are the breaches that result in data loss.
The COVID-19 crisis has rapidly changed the way we live and work, and many organizations have shifted to remote work or are implementing a hybrid remote work approach as they reopen physical locations. It has become apparent that the major threats to organizations are coming from the inside.
From a detailed analysis of the global breaches in the first half of 2020, we can see a significant percentage resulting from insider threats.
These threats take the form of compromised employees, negligent employees, poor password hygiene, employees using unsecured home devices or even malicious employees. The most high-profile example of this is the recent hack on Twitter, where a privileged user was socially engineered and had their credentials stolen. The subsequent havoc from the Twitter compromise has been well documented.
So what does this tell us?
Well, it tells us that the significant investments organizations have made to bolster perimeter network security for the pre-breach period don't always fit well with a post-COVID workforce. I have never been more sure that to secure an organization adequately, you need to start from the inside and work outwards, and this begins with the users and the company data. Organizations need to imagine how the new way of working will introduce risk to their operations over the months and years ahead, and where the gaps in visibility and control exist.
In my opinion, the following steps form a stable baseline:
Understanding your data: where it resides, what it contains, how it flows, who can access it and what controls (DLP, encryption, etc.) are in place to protect it.
Understanding user access: what access do your users have across Active Directory, and what do they actually use day to day? What data can they reach across the estate?
Aligning governance, risk and compliance: is the information being accessed, shared and collaborated on in line with regulatory mandates? Is IP leaking? Are risk thresholds for the organization being assessed, and does the business understand whether its users operate within that threshold?
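The first two baseline items (who can reach which data, and what access is granted versus actually used) are the kind of review that is easy to describe and rarely done without tooling. The script below is an added illustration, not code from the original post or from any product: it takes a constructed snapshot of group memberships (standing in for Active Directory groups) and a constructed list of access events, answers "who can access this share?" and flags entitlements that were granted but never exercised, or not exercised within an idle window. The group names, users and dates are all invented sample data.

```python
"""Access review from two inputs: granted group membership and observed use.

Constructed example data only; in practice the GRANTED map would come from a
directory export and EVENTS from file-server, VPN or SIEM logs.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: user -> set of groups the directory says they belong to.
GRANTED = {
    "alice": {"Finance-Share-RW", "HR-Share-RO", "VPN-Users"},
    "bob":   {"Finance-Share-RW", "VPN-Users"},
    "carol": {"Engineering-Repos", "Finance-Share-RW", "VPN-Users"},
}

# Constructed sample: (user, entitlement exercised, date observed).
EVENTS = [
    ("alice", "Finance-Share-RW", date(2020, 7, 28)),
    ("alice", "VPN-Users", date(2020, 7, 29)),
    ("bob", "VPN-Users", date(2020, 7, 29)),
    ("bob", "Finance-Share-RW", date(2020, 4, 2)),
    ("carol", "Engineering-Repos", date(2020, 7, 30)),
    ("carol", "VPN-Users", date(2020, 7, 30)),
]

# Date the review is run "as of"; a constant so the result is reproducible.
AS_OF = date(2020, 7, 31)


def who_can_access(granted, group):
    """Reverse the membership map: sorted list of users holding `group`."""
    return sorted(user for user, groups in granted.items() if group in groups)


def last_use(events):
    """Map (user, group) -> most recent date that entitlement was exercised."""
    seen = {}
    for user, group, when in events:
        key = (user, group)
        if key not in seen or when > seen[key]:
            seen[key] = when
    return seen


def stale_entitlements(granted, events, as_of, max_idle_days=90):
    """Return {user: [groups]} granted but unused, or unused within the idle window.

    Users with nothing stale are omitted, so an empty dict means a clean review.
    """
    seen = last_use(events)
    cutoff = as_of - timedelta(days=max_idle_days)
    stale = defaultdict(list)
    for user, groups in granted.items():
        for group in sorted(groups):
            used = seen.get((user, group))
            if used is None or used < cutoff:
                stale[user].append(group)
    return dict(stale)


if __name__ == "__main__":
    print("Finance-Share-RW holders:", ", ".join(who_can_access(GRANTED, "Finance-Share-RW")))
    for user, groups in stale_entitlements(GRANTED, EVENTS, AS_OF).items():
        print(f"{user}: review {', '.join(groups)}")
```

Run as-is, the review lists everyone who can write to the finance share and flags Alice's never-used HR read access, Bob's finance access last touched in April, and Carol's never-used finance access. Those three findings are exactly the gap between granted and used access that the second baseline item asks about; each one is either a candidate for removal or a conversation with the data owner, which is how an inside-out program starts reducing its insider blast radius.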
Implementing these baseline controls allows an organization to start building a robust internal security program, and it quickly highlights risks to the data traversing the corporate network.
This approach doesn't mean you stop protecting the perimeter and everything that entails. However, the current trajectory of breaches cannot be ignored, and it points to a lack of visibility in internal data security controls.