The mass switch to remote working, a hike in opportunistic cyber-attacks and tighter budgets have all contributed to the challenges of today’s IT security chiefs. We asked four top CISOs to share their perspectives on adapting security regimes to the fast-changing world and what future strategies they are prioritizing.
Chief information security officers (CISOs) have faced more disruption than most as a result of the Covid-19 crisis. The global pandemic has accelerated the shift to remote working setups and, while the opportunity to work from home has been welcomed by many, it has presented multiple security challenges. It’s no longer a case of protecting the office network; now every employee’s home offers a new entry route for potential cyber-attacks.
Cyber-criminals have been quick to respond to this transition, with IT security service company Barracuda Networks recording a 600% spike in opportunistic phishing attacks during the first few months of the pandemic. Compounding these problems are continued economic difficulties at many companies, which have led to reduced budgets and the need to preserve cash.
As a result, the role of the CISO has never been more important. So, how are they operating in these new circumstances, and what strategies should security execs be looking to implement for the future?
AMIT BASU, International Seaways
The Covid-19 pandemic has fundamentally changed the way we work. Like many other organizations in March, our CEO announced that all staff would work from home with immediate effect. At that point, IT’s key concern was helping to maintain normal business operations.
Our cloud-first IT strategy, which we first adopted a few years back, certainly helped us in this regard. Our main drivers for moving to the cloud were flexibility, scalability, extendibility and, obviously, cost. We couldn’t have predicted that in 2020 cloud computing would become our savior.
One of the key scenarios in our business continuity plan was for the loss of our New York City headquarters. Preparations for that scenario meant we had already prepared a complete virtual office setup on Amazon Web Services (AWS) and any IT system hosted in the New York office was replicated on AWS. One key benefit of cloud computing is the ability to work from anywhere over the internet and that became a big plus in this pandemic situation.
The shift to home working also raised concerns about security. Professional cyber-criminals saw the global pandemic as an opportunity to further their agendas and many recreational hackers had more time on their hands while at home.
Cyber-attackers started leveraging a few common security risks that became evident as people increasingly worked from home. Most of us didn’t have sophisticated network security tools, such as firewalls, and we were suddenly using office systems and data over shared home internet connections. Some of the security features on these computers were also designed to only work within the office network.
In short, the work environment in users’ homes had lots of vulnerabilities and that increased the risk of possible phishing, social engineering attacks and malware outbreaks. Initially, we were reluctant to make hasty configuration changes or to install new tools on user computers remotely as that might have caused further instability.
We primarily focused on organizing enhanced user-awareness programs, so that our employees working from home could be more knowledgeable and vigilant against cyber-threats, and increased IT monitoring of alerts and logs, so that any unusual behavior could quickly be identified and analyzed.
The next step was to research tools and processes to mitigate the newly emerging threats. After enough testing we moved to deployment to better protect our remote users and systems.
Fortunately, our company has always recognized that cybersecurity and other IT risks are not merely IT problems; they are business imperatives and need to be monitored along with other enterprise risks and managed from the very top of the organization.
We have also acknowledged that cyber-defense is no longer about staying one step ahead of the bad actors; it’s about trying to remain no further than a step behind. To this end, it is important to be able to detect a threat early and to have a plan ready to contain it and recover with minimal damage, so you can resume normal business operations quickly.
HENNING CHRISTIANSEN, AXEL SPRINGER SE
Henning Christiansen is CISO at Axel Springer SE. The Berlin-headquartered media and technology company is the owner of world-renowned media brands such as Bild, Business Insider and Welt.
Since the first half of this year, we have seen a huge increase in cyber-attacks, something like double what we were getting before. These include social engineering efforts, phishing and attempts to place malware in our environment, while some 90% to 95% of those attacks are being made via email.
I am fairly sure we would have experienced this situation even without Covid-19, so I do not see a direct relationship to the fact that a large number of our employees are working remotely. I think it is more to do with cyber-crime becoming a very profitable business.
Despite this increase in attacks, we haven’t changed our strategic priorities for security; it just means we are having to expedite many of the initiatives that we had already started. So, for example, we’re working hard on user-awareness, rolling out our multi-factor authentication program and increasing monitoring so we can swiftly detect anomalies in our systems.
Looking forward, I think many businesses like ours will have to put measures in place to help prevent future lockdowns, such as applications that can support with fever monitoring of employees and contact tracing. That way we will be able to identify individuals who need to self-isolate, rather than having to quarantine entire departments. I’m sure this will come, whatever happens with the current pandemic, as maybe the next virus is not too far away — therefore we need to have responses in place sooner rather than later.
However, because of such measures, there will be a burden on security to ensure the masses of personal health data that we collect are protected. This will involve including ‘privacy by design’ in order to be compliant with the EU’s GDPR rules, consulting with all our stakeholders and having transparent communications to explain everything and ensure there is trust in what we are doing. After all, it may ultimately help to avoid another lockdown, or at least reduce the economic impact and save people from unemployment.
In fact, trust in everything we do is extremely important, not least because we are a media company that must retain credibility among our audiences. It therefore remains an utmost priority to avoid third-party compromises of our systems. Whenever you speak to top management about sponsoring security initiatives, this always comes up, and it is sometimes hard to put an ROI on everything we need to do. But how do you quantify loss of reputation? What would it mean for the business? Is it really a major threat with a long-lasting impact, or something you can easily overcome?
Against this backdrop, and after many discussions with my peers, I have learned that CISOs are often thought of as ‘Dr No.’ But always saying ‘no’ to things definitely doesn’t work — especially in a crisis environment, like now — as you need to take on a certain amount of risk if you still want to be involved in decision-making and asked for an opinion before something is implemented by the business. Just sitting back and saying no helps no one, including yourself; eventually you’ll find you are no longer invited to the right meetings or discussions.
HOLGER PFEIFFER, FUJITSU
The Covid-19 pandemic is presenting us with security challenges we hadn’t previously faced. We’ve moved from well-protected offices to a situation where people might be able to work from their home office, balcony, garden or wherever they prefer.
The challenge here is to protect the device being used, but in a way in which the user experience is not compromised. It needs to be as easy to use as a mobile phone payment and secure in equal measure. It’s the only way that employees will accept the additional security procedures which are now needed.
We shouldn’t expect all our employees to be as technologically minded as we are. If the standard user doesn’t find these security systems simple to use, they will either get frustrated or find a way around them, which is insecure. One of the big risks is that people find ways to bypass security.
At Fujitsu, we had the big benefit of having the procedures, guidelines and technologies already in place for remote working [ahead of the global pandemic]. However, working from home is not commonplace for many companies. Those companies needed to change quickly to ramp up the necessary technical components, implement new processes and issue guidelines so the whole office could work remotely in a secure way.
If remote working becomes the new normal, the digital infrastructure needs to improve to enable the whole country to work in this manner. Virtual conferencing is a key area where people commonly suffer bandwidth issues, especially if they don’t live in a major city. High-speed internet needs to be available in all places, in the home and for mobile.
When doing our analysis over the past six months, we haven’t seen an increase in incidents or attacks as a result of the pandemic situation. A company the size of Fujitsu is constantly under attack, but we have no indication that the types of attack vector have changed to an extent that we can say this is happening as a result of Covid-19.
With phishing attacks, for example, the message may have changed to say something Covid-related, but nevertheless these are still phishing emails. We are seeing the same amount of such attempts as before; their content has just been changed to fit the current context.
That said, I am sure that in the next few years we will witness scenarios that we can’t foresee happening today. It’s on us as CISOs to monitor this and be prepared. Being a good networker and speaking to people outside of your industry is key to staying ahead of these changes. It is wrong to only focus on your own company or sector because it’s not the way potential attackers operate.
I try to keep in touch with CISOs from other companies and industry sectors, ranging from automotive to financial. It’s good to ask them what challenges they face and what solutions they are trying to implement. I can then apply many of these situations to ones faced by Fujitsu and see whether their solutions are useful for protecting our business.
You can’t have one solution in place and hope it will solve all your problems. Try to question yourself on a daily basis and ask yourself what you can do better.
• For more on Reimagining security for a post-Covid-19 world, watch a video interview with Fujitsu’s Holger Pfeiffer.
DAVIDE DEL VECCHIO
Based in Turin, Davide Del Vecchio is CISO at a major sports and entertainment technology provider and the former group head of information security at online fashion retailer YOOX NET-A-PORTER.
During this period, we have had to make sure our brand and our customers are protected even more than usual — this is a time when every customer and every penny count. As security leaders, we need to ensure all the risks are taken into consideration and we are continuously aligned with the rest of the company to achieve the correct balance between investments and the possible consequences of a security breach.
As a result of the pandemic, we have noticed an increase in some types of attacks over the past few months. With more people working from home or from other locations there is a greater need for remote desktop management tools like VNC and RDP. Employees are trying to exploit every tool they have to be productive but often they don’t know how to configure them in a secure way. The result is that a lot of companies’ networks are full of remote management tools that are not managed by IT and so are open to attack from cyber-criminals.
From the security point of view, having endpoints in different locations with a different type of protection — or, in some instances, no protection at all — means we are increasingly relying on the security of the endpoint itself. We cannot count on network protections anymore. Intrusion detection systems, intrusion prevention systems and next generation firewalls, for example, are becoming less and less effective at securing our companies.
Cloud environments are evolving every day with new features that can be enabled. Given the decreasing value of the office as a protected space, I can imagine more solutions will be moved into the cloud.
This ‘new normal’ is characterized by uncertainty. A second wave of Covid-19 could result in significant budget cuts. This is why we should try to have very flexible strategies in terms of investments that will enable us to adjust spending in very short periods of time.
We also need to make our response to security incidents faster, to isolate the incident as soon as possible, and therefore limit the consequences of it. In order to achieve this goal, a high degree of automation across our on-premise and cloud environments is required.