Author: Morey J. Haber, Chief Technology Officer, Chief Information Security Officer at BeyondTrust
One of the many interesting implications of the coronavirus pandemic is how it is accelerating digital transformation. Social distancing recommendations and mandates have forced companies to rapidly adapt in ways that have pulled demand forward – perhaps by several years – for technological evolution that was in various stages of planning. It will be interesting to assess the workplace and the IT environment that supports it B.C. (Before Coronavirus) and afterwards.
With the above mindset, let’s explore the results of the 2020 CDW Canada Security Study (conducted by IDC Canada), which analyzes results from CDW’s survey of 524 IT security and risk and compliance professionals across Canada. Before breaking down the report’s key findings, here’s some top-line data and overarching themes. The average number of attacks per organization increased 16.8 percent to 514 from 440, year over year. Over 36 percent of organizations experienced downtime due to a cyberattack. Based on other recent research data published since the onset of the coronavirus pandemic, these numbers are likely to increase significantly within the next year.
The report summarizes the top challenges faced by organizations as vendor access management, complying with data privacy legislation, implementing effective cloud security, deploying proper controls across both bring your own device (BYOD) and corporate devices and returning to a trusted state after a cyberincident. Let’s dive into the report’s 6 key findings.
1. AI-based security, but questionable ROI
According to the CDW report, most Canadian organizations are using AI tools and achieving some measure of security success with them. However, the difficulty of implementing and correctly managing these technologies makes the ROI picture murky.
In the era of coronavirus, it’s conceivable that growth of AI-based solutions could actually stagnate or fail. Why? These solutions apply learning algorithms to spot deviations from normal patterns. The problem is that we are in the midst of a hyper-disruptive period that is still searching for a new normal and a predictable baseline for these tools. Many industry experts are already seeing this result in heightened false positive outputs from AI/ML cyber solutions. These false positives further detract from the solution’s effectiveness and dilute ROI.
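The baseline problem described above can be shown with a deliberately simple detector. The following is an added illustration, not code from the article or from any CDW or BeyondTrust product: a z-score style threshold is fitted to a constructed series of pre-pandemic daily remote-login counts, then applied to a constructed post-shift series in which legitimate volume has roughly tripled. Every post-shift day is flagged until the detector is re-baselined on the new normal.

```python
"""Baseline drift in a statistical anomaly detector (constructed example)."""
from statistics import mean, pstdev

# Constructed sample data: daily successful remote-login counts for two
# 14-day windows. These are illustrative numbers, not survey results.
BASELINE_WEEKS = [120, 131, 118, 125, 140, 122, 127, 119, 133, 124, 121, 130, 126, 123]
# After the shift to a fully remote workforce the legitimate volume triples.
SHIFTED_WEEKS = [370, 385, 362, 401, 390, 378, 395, 366, 382, 399, 371, 388, 380, 392]


def fit_baseline(values, k=3.0):
    """Fit a mean/stdev model and return (mean, stdev, upper_threshold).

    Anything above mean + k * stdev is treated as anomalous. k=3 is the
    usual "three sigma" rule; it is a tuning assumption, not a standard.
    """
    mu = mean(values)
    sigma = pstdev(values)
    return mu, sigma, mu + k * sigma


def flag_anomalies(values, threshold):
    """Return the observations the detector would alert on."""
    return [v for v in values if v > threshold]


def false_positive_rate(values, threshold):
    """Fraction of observations flagged, given that all of them are legitimate.

    Feeding a window of known-good traffic through a threshold therefore
    measures how badly the fitted baseline has drifted from reality.
    """
    flagged = flag_anomalies(values, threshold)
    return len(flagged) / len(values)


def drift_report():
    """Show the old baseline failing on new traffic, then recover by refitting."""
    _, _, old_threshold = fit_baseline(BASELINE_WEEKS)
    _, _, new_threshold = fit_baseline(SHIFTED_WEEKS)
    return {
        # Old model on its own training window: nothing flagged.
        "old_model_on_old_traffic": false_positive_rate(BASELINE_WEEKS, old_threshold),
        # Old model on the post-shift "new normal": every day is an alert.
        "old_model_on_new_traffic": false_positive_rate(SHIFTED_WEEKS, old_threshold),
        # Refit on the new normal: the noise disappears again.
        "refit_model_on_new_traffic": false_positive_rate(SHIFTED_WEEKS, new_threshold),
        # A genuine spike (constructed) is still caught by the refit model.
        "refit_model_catches_spike": flag_anomalies([900], new_threshold) == [900],
    }


if __name__ == "__main__":
    for name, value in drift_report().items():
        print(f"{name}: {value}")
```

The design point is that the detector is not broken; its model of "normal" is. Periodic re-baselining, or a model that adapts over a rolling window, is what keeps the alert stream usable through a regime change, and a false-positive check against a window of known-good activity is a cheap way to tell when that re-baselining is overdue.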
2. Ransomware increasing in frequency & harmfulness
Remember a couple years back when headlines crowed about the demise of ransomware? It was just a very short hibernation. Today, threat actors are actively waging coronavirus phishing and ransomware campaigns. With the attack surface also vastly expanding due to the increase in remote access, BYOD and shadow IT, the trend of more frequent and evolving ransomware is likely to continue.
While there are many variants of ransomware, the most impactful tactic to reduce your risk is applying least privilege, such as with endpoint privilege management solutions. Without administrative privileges, most ransomware can’t properly execute in the first place. Limiting the privileges given to applications and users, segmenting networks and enforcing separation of duties also reduce the footprint over which ransomware can potentially infect a resource and spread.
3. Third-party partners are a major risk vector & source of security incidents
Nearly 82 percent of the survey’s respondents indicated that they have experienced a security incident due to a partner’s poor security hygiene. Most partners (over 61 percent) had access to sensitive or privileged data.
Many organizations mistakenly believe a VPN is a secure vehicle for partner access, but VPNs cannot provide the granular access, session control and compliance auditing that is required for sensitive kinds of access. Ideally, you strive to provide the same best-practice access management controls around third-party access (IT service providers, service desks, HVAC contractors, etc.) as you should around your internal privileged access. If you aren’t able to enforce least privilege around vendor sessions, ensure their credentials are properly managed, and have full audit and control over the sessions, consider your vendor access a security weak point that is vulnerable to exploitation.
4. Insufficient integration between cybersecurity & enterprise risk management correlates strongly with successful cyberattacks
This finding encapsulates a decades-old challenge. Just when you’ve integrated one new technology, your IT environment changes, or a need arises for you to integrate with a technology that didn’t even exist a couple years back.
Only 17.6 percent of the survey’s respondents report having fully integrated cybersecurity and enterprise risk management (ERM) strategies. Organizations lacking integration in these areas experienced cyberattack success rates 3x higher than those organizations that were fully integrated. Partially integrated organizations fell in between. Prevailing integration issues have hampered many organizations in agilely adapting – at least without creating massive security exposures – to the remote access needs of the coronavirus era.
When assessing a new technology for your IT and security stack, always take a close look at how it integrates and synergizes with the rest of your technology ecosystem.
5. Cloud adoption is outstripping cloud security
Cloud adoption continues its brisk pace, but security still lags well behind, according to the CDW survey respondents.
Over the past few months, the need to quickly scale support for large remote workforces has accelerated the move to the cloud. Likewise, reliance on SaaS tools has surged during the era of coronavirus and social distancing.
In the haste to support business continuity, many employees have had to self-provision cloud-based business productivity tools (shadow IT). While many of these technologies support remote workforces and have cool features, they likely lack enterprise-grade security, and could open up back doors into the environment, putting the organization at risk. Of all the tools that could be self-provisioned, free and unmanaged remote access tools are probably the most dangerous. Unfortunately, the vastly increasing gap in cloud security is probably one of the most dangerous IT trends over the last several months and, when coupled with insecure remote access tools, could put your organization in jeopardy. We’ve already seen some big, recent breaches related to cloud and remote access. If cloud and remote access security does not catch up soon, many of the advances organizations have made to support business continuity could be undone, or seriously imperiled.
6. Slow cyber remediation & broad impact drive higher breach costs
The average number of workdays spent by staff in recovering from cybersecurity breaches tripled, from 19.4 days in the 2019 CDW study, to 58.6 days in the 2020 study. The study’s authors posited that this massive increase reflects the recognition of substantially more work hours outside of IT as being consumed during this recovery time. That’s an interesting analysis and takeaway. Just as every person across a company has some responsibility for organizational cybersecurity, every individual and business unit can be impacted by a breach.
While cybersecurity has perhaps never been more crucial, the existential threats posed by the coronavirus to modern human society are consuming so much mindshare, it’s easy to see how IT security can be overlooked – but that’s no excuse. Rather, it’s a call to keep our collective personal, physical and cyber guards up, because we cannot afford the costs if we don’t.
Finally, the one thread that’s woven throughout the entire report is the pivotal importance of identity and access management (IAM) – of which privileged access management (PAM) is a core use case – in addressing the broad spectrum of today’s cyberthreats. Survey respondents from mid-sized and larger organizations ranked IAM as their most effective security tactic/control, while smaller organizations had it ranked third (behind web content filtering and security awareness training).
With the continued explosion of endpoints and identities, and the more recent surge in BYOD, shadow IT and telework, centralizing security around an identity – which can apply to both humans and machines – makes more security sense than ever. Within this realm, securing privileged access, privileged identities and controlling every privileged session (whether employee, vendor, remote worker or on-premise) will be the most impactful ways organizations can condense their threat surface, shorten attack windows and improve their enterprise security posture.
About the Author:
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three Apress books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.