“We’re not just fighting an epidemic; we’re fighting an infodemic,” said Tedros Adhanom Ghebreyesus, Director-General of the World Health Organization (WHO), during a gathering of foreign policy and security experts in Munich, Germany, in February, referring to fake news and opportunistic cyber attacks that “spreads faster and more easily than this virus.”
COVID-19, and the various measures used to control the spread of the virus, have fundamentally changed the cybersecurity landscape. Remote work is suddenly the new normal, with many companies forced to develop the infrastructure to make that possible in the early days and weeks of the outbreak. Remote work already made companies more vulnerable by providing access to sensitive information over unsecured networks, but in the rush to create a decentralized infrastructure, an extensive and largely unsecured edge has been exposed.
“Traditional cybersecurity controls dictate a centralized approach where data is consolidated from different sources to perform analysis and investigation. With swift digitalization, security controls will shift to data sources, similar to the trend witnessed in IoT,” says Kumar Ritesh, Founder and CEO at CYFIRMA. “With millions of employees working from home, hackers’ focus has shifted from enterprise to remote working individuals. To handle the menace that exists in cyberspace, decentralized cybersecurity will rise where greater emphasis will be placed on data sources such as actual remote employees themselves.”
Maintaining flexibility in this new remote and decentralized security landscape will require a shift away from a ‘who has the key’ approach to a ‘who are you?’ approach where systems will seek to verify identities to better control access. The post-COVID “minimal personnel environment” will drive biometric technology, either fingerprint via personal devices or contact-free options such as retina/iris scans, facial recognition or voice identification for various building access points.
A rise in biometrics, especially facial recognition, will bring privacy issues to the boil. Before COVID-19, companies were in an environment of GDPR compliance and BYOD risk mitigation, but now it is all about remote working and epidemic control, each with implications for the privacy-security debate. Chinese-style facial-recognition-enabled surveillance has proved to be an effective epidemic control technology, spurring ‘track and trace’ apps in Europe and North America that threaten to change the western stance towards privacy. Remote working, meanwhile, exposes companies and their employees to a range of cybersecurity threats that demand more reliable access control infrastructure.
The remote working shift will push us further into the cloud as more and more companies look for the right mix of security, accessibility and cost. Cloud offers simplicity and reliability against a backdrop of chaos as companies try to find a balance between employee safety, public health policy compliance, and trying to maintain business activity. This will likely lead to increased containerization of IT architectures — the zoning of digital spaces based on the type of information they possess — but these cyber-territories will need to expand into new home-offices and include the now geographically diverse remote workers themselves.
People were always the ultimate target of cybersecurity measures: “I am the network wherever I happen to be, so if you want to secure the network you have to secure me,” the Jericho Forum famously stated. Whether remote working or in the office, people are the edge of the network, entrusted to make decisions that can impact the entire enterprise. If we were all cybersecurity experts, cyber threats would largely be nullified; the more cybersecurity education and training we can provide, the more secure we will be.
“Instead of seeing people as the weakest link, view them as your frontline defenders. Cybersecurity awareness training for people across the entire supply chain and ecosystem will prevail,” continued Ritesh in a Forbes article. “Hacker groups will rattle the cages of government and businesses as digitalization efforts escalate. Cybersecurity strategies will have to shift downline toward the remote worker, decentralized controls, and enhanced policy measures.”
Cybersecurity is not a new problem, nor is the integration of remote workers into corporate networks, but the world has changed this year. The disruptions caused by the COVID-19 pandemic and various measures used to control the spread of the virus have created that “infodemic” and left us more vulnerable to cyberattacks than ever before. Now, as we plan our recovery from this global disaster, we have an opportunity not just to get back to normal but to take the chance to find a better way — be that greener, cleaner, more productive, or more secure.