Every CIO and CISO knows that the race for full security has no finish line. Scammers and hackers work 24/7/365 to gain access to corporate and personal data and hold it for ransom. This is truly a risk mitigation game that needs to be played and mastered 24/7/365.
There are a lot of lessons to be learned so far from the COVID-19 pandemic. Security protocols and measures are not, and will never be, 100% foolproof. Cyberthreats are constantly evolving. An employer that wishes to develop a strong security posture must continuously work to identify current and emerging threats and take effective measures to protect its data, users, and assets.
The surge in remote work due to the pandemic has resulted in an explosion of phishing scams and hacking. And it is not going to get any easier from here.
Working remotely has brought the limited capacity of VPNs into focus. Most enterprise VPN infrastructures were built to let only about 20% of the workforce reach certain applications remotely. Now they are forced to handle the load of 80-90% of the workforce, and many are unable to keep up with this level of demand.
VPNs, by nature, give an employee full access to network resources once they have authenticated. That is adequate within the confines of an office environment, but it is a poor fit when employees work remotely, because a single compromised remote session can lead to unauthorized access to infrastructure and applications.
Many employers, constrained by size and/or budget, could not provide enough devices for employees forced to work from home, which has led to a large BYOD (Bring Your Own Device) environment. Because these devices may not have the same level of protection as corporate endpoints, new vulnerabilities were opened for the relentless and growing onslaught of hacks and scams.
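To make the VPN and BYOD concerns above concrete, here is an added example (not code from the article or from River Run) that contrasts the two access models in a toy policy engine. A classic remote-access VPN makes one network-level decision ("authenticated, therefore on the LAN"), while a per-application model evaluates role and device posture on every request. The users, roles, resources and device states are constructed sample data, and the `managed_only` policy flag is an assumption of this example.

```python
"""
Added example (not from the article or from River Run): a toy comparison of
a network-level VPN access model and a per-application access model.
All users, devices, roles and resources below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    role: str             # constructed roles: "finance", "engineer", "admin"
    managed_device: bool  # True = corporate endpoint, False = BYOD
    authenticated: bool


# Constructed resource catalogue: which roles may use each application and
# whether a managed (corporate) device is required. "managed_only" is an
# assumed policy attribute for this example.
RESOURCES = {
    "webmail":     {"roles": {"finance", "engineer", "admin"}, "managed_only": False},
    "erp":         {"roles": {"finance", "admin"},             "managed_only": True},
    "infra-admin": {"roles": {"admin"},                        "managed_only": True},
}


def vpn_allows(session, resource):
    """Network-level VPN model: once authenticated, the session sits on the
    internal network and can reach every resource. Nothing else is checked."""
    return session.authenticated and resource in RESOURCES


def per_app_allows(session, resource):
    """Per-application model: authentication is necessary but not sufficient;
    role and device posture are evaluated for every request."""
    if not session.authenticated:
        return False
    policy = RESOURCES.get(resource)
    if policy is None:
        return False  # unknown resource: deny by default
    if session.role not in policy["roles"]:
        return False
    if policy["managed_only"] and not session.managed_device:
        return False
    return True


def compare(session, resource):
    """Return (vpn_decision, per_app_decision) for one access request."""
    return vpn_allows(session, resource), per_app_allows(session, resource)


def exposure_gap(session):
    """Resources the session reaches under the VPN model but not under the
    per-app model: the unauthorized-access exposure the text describes."""
    return sorted(r for r in RESOURCES
                  if vpn_allows(session, r) and not per_app_allows(session, r))


if __name__ == "__main__":
    # Constructed: a finance employee on a personal laptop (the BYOD case).
    byod_finance = Session("alice", "finance", managed_device=False, authenticated=True)
    for name in RESOURCES:
        print(name, compare(byod_finance, name))
    print("exposure gap:", exposure_gap(byod_finance))
```

Running the script shows the finance user on a personal laptop reaching the ERP system and the infrastructure admin console under the VPN model, while the per-application model allows only webmail. The `exposure_gap` helper is the quantity a defender would want to drive toward zero when reviewing remote-access rules.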
Our experience tells us that adversaries will use a global tragedy to attack, and that they can reach our most critical infrastructure through a single mistake by any remote employee. In early March, CovidLock ransomware spread as a cyber-attack masquerading as a coronavirus tracking app. It is diabolical, but it worked.
What is clear is that there is no single framework that can become a magic bullet for an employer to deal with cybersecurity concerns now and in the future. This is truly a risk mitigation game. At the end of the day, employees and the board need to be reassured that there are multiple controls in place and all appropriate steps have been taken to ensure better.
In April, led by an aggressive directive from River Run CEO Paul Riedl, Jr., a team of security experts and engineers worked in concert to develop a new security offering. It works in four waves with twelve steps that can be tailored to ensure that any employer is doing its true due diligence while employing the right tools and services for its company.
Riedl and the River Run team are also matching employers directly with a security engineer to perform an in-depth yet cost-effective assessment using this proprietary protocol.
Excellent security posture depends on how well the employer manages the dependencies between people, process, and technology. In a post-COVID-19 world, we will see more CIOs and CISOs increasing their focus and budgets on effective security risk management to adapt to an ever-changing new normal.
DMI Finance is a fintech company providing consumer loans, digital lending, and asset management. The financial institution relies on technology and innovation to revolutionize credit transmission in India. Manikant R. Singh, information security officer at DMI, made sure that they completely reviewed and updated their security from A to Z.
“We did a phishing simulation to help recognize threat actors masquerading as customers or to recognize frauds. We did an online quiz for employees to help them understand the gravity of the situation. We received feedback on personal Wi-Fi networks and various new attacks like Zoom bombing. There is a tremendous improvement in the security.”
Singh believes that if any organization has learned a lesson from this crisis, it will invest more in cybersecurity. “Infrastructure, technology, process improvement and cybersecurity are going to be the next focus. Complete transformation from an on-premise environment to highly cloud-dependent technologies will take place. As a consequence, security and data processing methodology will be transformed too.”
I usually give an example in each of these articles of a recent attack for emphasis that this can happen at any time to any of us. It is incredible to think that right here in my hometown of Milwaukee, a home was hacked through an IoT device. The hackers put the volume as high as it could go while talking and turned the thermostat up to 90 degrees. It was not the technological violation that affected me the most when this was reported, but the utter fear in the words of the couple who experienced the loss of privacy and control in their own home.
Please see one of my previous articles on CEOs and Cybersecurity on LinkedIn or at River-Run.com for some more disturbing yet informative data on how executive homes are ripe for breaches like this.
As always, a great IT service provider like River Run will offer to assess your current state and provide expert guidance for a protocol that keeps your vigilance at the recommended levels for your organization.