Cybersecurity: Same Threats, New Challenges
The pandemic created opportunities for hackers to exploit old vulnerabilities in new ways.
For business leaders, 2020 was many things. A test. A catalyst. An opportunity.
For chief information security officers (CISOs), it was all of these things at once—with the security of the business hanging in the balance. This was especially true when it came to the rapid shift to remote work.
The vulnerabilities of working from home were known before the shift—insecure personal devices, weak passwords on home devices—but not always prioritized. Other threats were given new life, such as phishing attacks that exploited Covid’s chaos to trick beleaguered employees. And some threats were unique to cloud technology itself.
To gather insight on the changing threat landscape, we interviewed two leading security experts: ServiceNow CISO Ben de Bont and Bruce Schneier, a public-interest technologist who works at the intersection of security, technology and people. We edited their responses for clarity.
From a security point of view, why is remote work so risky?
Bruce Schneier: It’s not just remote working. It’s remote working in the pandemic. We’re doing things differently, which is always fraught with insecurity. For example, we’re more likely to use insecure personal devices for work. Centrally administered work computers tend to be more secure because they’re better maintained. So there’s more risk that sensitive data now will migrate outside the network.
Ben de Bont: Working remotely doesn’t necessarily introduce additional risk, but it does raise different types of risks. So VPNs, endpoint protection, OS hardening—these are all related to remote security.
In 2020, the risk was not having the capabilities in place to support far larger numbers of remote workers than expected. It was interesting to see issues of “remote worker security” become elevated from a CISO or a CIO issue to that of a CEO as the C-suite and boards doubled down on questioning their resiliency capabilities.
IT was forced to fast-track a lot of ramping-up initiatives in 2020. Is speed the enemy of security?
Schneier: Yeah, that’s right. Doing things hastily, you’re trading off. Suddenly we all got sent home on Tuesday, [and] Wednesday we’ve got meetings. You need documents, and I’ve got to send them somehow. Let’s put it in a [shared file]. We’re meeting on [a video conferencing platform]. Do you know how to configure it? I don’t. Let’s just make it work. The haste made it more likely we did everything insecurely. I’d like to think we’re doing things better now. But we’re still making rookie mistakes.
de Bont: In my opinion, speed does not have to be the enemy of security. I’ve seen organizations execute with precision, agility and velocity while ensuring industry-leading security. I’ve also seen others move at a snail’s pace and finally ship completely insecure code. It depends on the framework and mindset that you have in place.
What exactly is that framework and mindset?
de Bont: Thinking about security ahead of time, as much as possible, given what you’re trying to work on, given what your business is trying to achieve, given what your customers expect. Those who had this framework and mindset in place before Covid were able to adapt, often without sacrificing security. Those who did not struggled.
2020 was less about new threats than seeing existing threats exploited in different ways.
Most of us won’t work remotely forever. A lot of companies will move to hybrid models. What particular threats do you see in hybrid work environments?
Schneier: You’ve got to worry about centralization; you’ve got to worry about decentralization. Which is probably best. You should have always done that because, even in “the before,” people worked from home. Just not as much, but people did.
de Bont: Many companies have been working in hybrid environments for some time. What immediately pops into my head is BYOD [“bring your own device”], which is one of the most prevalent hybrid issues of the last decade. Personal and professional use of the same device introduces real security concerns. That’s why more security-conscious organizations, such as the top fintechs, enforce separate devices for their employees.
Most users hate extra security steps, and IT doesn’t traditionally focus on user experience. Who wins?
de Bont: [Laughs] I’ve lost count of the number of executives who have been emotionally affronted by the idea of putting multi-factor authentication in front of their service. But without it, the risk of exposure or compromise goes flying up. So, how do we protect against risk and still deliver the best user experience possible? Ignoring the risks is just asking for trouble, but ignoring usability may result in a service that doesn’t get the widespread adoption it needs. It’s got to be a balance.
Schneier: Any CEO understands that usability and security are sometimes in opposition. You recognize that these things are all true, and do your best.
How does a platform solution help with this tension between security and usability?
de Bont: There are a lot of legacy infrastructure and systems out there. A business might be built with many different types of architectures, and that’s totally fine. But consistency and automation make it easier to apply security.
At ServiceNow, it’s not just our security products. I have a list of about 50 use cases for our workflows. For example, we use workflows to solve basic things like phishing campaign automation.
The point being: Consistency is what helps our security program. If our customers use ServiceNow for IT operations, they can use these same workflows to help security. We add that level of consistency to their security programs.
That, for me, is one of the most compelling parts about the platform. We really have limitless possibilities for what workflows can solve. I expect that list of 50 use cases to increase rapidly in the near future.
What long-term effect do you expect to see from 2020’s many challenges?
de Bont: In some ways, the pandemic—along with regulatory changes—has increased our focus on security and privacy. Just as attackers quickly adapt to any crisis, CISOs and security teams are also opportunistic. The pandemic accelerated many pending remote security initiatives, [and] many companies actually freed up budget to fund programs designed to boost resiliency.
IT leaders who mercilessly prioritize their risk objectives—and leverage their partner companies and ecosystems with a focus on protecting customers—are well-poised for success in 2021.