Cybersecurity Amid The Pandemic: Protect The Crown Jewels | #corporatesecurity |


COVID-19 has turned the world inside out in many ways, among them by emptying office buildings and dispersing the workforce to houses and apartments, borrowed bedrooms and basement dens.

Companies have scrambled to adjust. But few corporate computer systems were designed to manage such a large remote workforce. Consumers and chief security officers alike need to wake up to the increased threat.

“As employees move to working from home, security risks pop up across the board,” said Manav Mital, cofounder of cybersecurity firm, Cyral Inc. “It’s not only how your employees are connecting or the kinds of devices from which they are connecting, it’s all your vendors and contractors — what policies have they implemented?”

The result is a surge in cyberattacks as hackers take advantage of the chaos to probe systems. Earlier this month, the U.S. Department of Homeland Security warned that “the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks, amplifying the threat to individuals and organizations.”

Many companies have gone from a couple hundred VPN connections to thousands, even tens of thousands, almost overnight. Meanwhile, a stream of pandemic-related messages to people eager for information has given hackers an opportunity to fool otherwise cautious users into downloading malware or giving out login credentials. The attack surface has expanded accordingly.

“This is a very unique situation that impacts all locations equally,” said David Richardson, Vice-President of product management at Lookout, a San Francisco, Calif.-based provider of mobile anti-phishing solutions.


Many companies have compromised on security potentially invalidating their cyber-insurance policies


Cybersecurity began as an effort to ring-fence company systems, protecting trade secrets, customer data and other sensitive information from unauthorized people. But many company computer systems have been moved to the ‘cloud,’ massive collections of servers managed by Amazon, Google, Microsoft and others. At the same time, data has become increasingly important – virtually everything we do online uses data, and in turn creates more data. Almost all of those systems and data are now accessed through the Internet.

Not only do people need access to data; other computer systems do, too. Corporate computer systems are no longer isolated strongholds, they are interconnected hives with information passing back and forth in myriad ways.

The result has been a steady increase in ways that criminals can steal data, and a steady drumbeat of increasingly spectacular breaches, with hackers pilfering everything from social security numbers to nuclear power plant controls.


Few corporations employ data-layer security


Many companies have compromised on security to adapt, not only exposing themselves to attacks, but potentially invalidating their cyber-insurance policies in the process. If companies have expanded their risk profile without consulting their insurers, they may find themselves exposed to devastating financial damage if attacked.

Some companies suddenly have a variety of equipment connected to their networks, not all of it company-owned. They need to ensure that devices used at home, regardless of who owns them, comply with company security policies, said Jack Kudale, founder and CEO of Cowbell Cyber, a cyber-insurer focused on small and medium-sized businesses. He said that some insurance policies require employees to agree in writing to specific security rules. Not checking these boxes could annul coverage, he warned.

The first step is to immediately patch the multiple vulnerabilities in VPN software that have been identified in the past year. According to the Department of Homeland Security, hackers are actively exploiting publicly known vulnerabilities in VPN products and other remote-working tools.

Companies also need to enforce strong authentication procedures, including multi-factor authentication, which many organizations have yet to require. Meanwhile, security teams should verify that firewall rules and full-disk encryption policies are actually enforced on the devices now being used from home, not merely written down.

Even more important, companies and governments should adopt zero-trust computing: no user, device or network location is trusted by default, and every request for access is authenticated and authorized on its own merits. It is not unlike the caution people have adopted with regard to COVID-19: assume that anyone could be a threat, and verify rather than assume.

Security can be applied in layers, starting with people and devices and going all the way up to the data itself. The data are the crown jewels. With zero trust, rather than worry about the castle gates, so to speak, companies assume that anyone who has made it inside the castle could be a threat, and they put the controls around the crown jewels instead.

Yet few corporations employ so-called data-layer security. That’s in part because legacy protections were built further away – at the castle gates – at a time when the world wasn’t as data focused as it is today. It’s in part because previous data-layer protections just bogged things down. But that is changing.

“Introducing technical controls in front of databases used to be expensive and slow, but today there is security technology that not only gives visibility into how data is being accessed but also provides granular level access controls without impacting performance to protect that data,” said Ray Espinoza, Director of Security at Cobalt Labs, which helps companies test their systems for vulnerabilities.

The latest of those technologies is offered by Cyral, which installs a virtual guard at the doors to the castle treasury, in front of the databases themselves. That guard watches each request for behavior that does not fit normal access patterns so that, even if bad actors reach the data through a vulnerable VPN or by using stolen credentials, they can be stopped before they do any damage.
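To make the zero-trust and data-layer ideas above concrete, here is a small illustrative access gate written for this page. It is not Cyral's product code and not from the original article; the identities, the per-user policy, the baseline history and the incoming requests are all constructed. Every request is checked in the same order regardless of whether it arrives over the VPN or the office LAN: first the identity must carry an MFA-backed session, then the (table, operation) pair must be on that identity's allowlist, and finally the request is compared with a baseline learned from earlier normal traffic, so that a valid but stolen session that suddenly dumps a quarter-million rows at 3 a.m. is blocked at the data layer.

```python
"""Illustrative data-layer access gate (added example; not Cyral's code).

All names, policy entries, baseline history and request scenarios are constructed.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Request:
    user: str
    mfa: bool        # session carries a fresh MFA assertion (assumed session attribute)
    source: str      # "lan", "vpn" or "internet"; deliberately NOT used as a trust signal
    table: str
    op: str          # SELECT, UPDATE, ...
    rows: int        # rows the query would return or touch
    ts: datetime


# Least-privilege allowlist per identity at the data layer (constructed).
POLICY = {
    "alice": {("orders", "SELECT"), ("orders", "UPDATE")},
    "bob":   {("orders", "SELECT")},
}


def build_baseline(history):
    """Summarise normal behaviour per (user, table, op): the largest result set
    seen and the span of hours in which that access normally happens."""
    base = {}
    for r in history:
        key = (r.user, r.table, r.op)
        b = base.setdefault(key, {"max_rows": 0, "min_hour": 23, "max_hour": 0})
        b["max_rows"] = max(b["max_rows"], r.rows)
        b["min_hour"] = min(b["min_hour"], r.ts.hour)
        b["max_hour"] = max(b["max_hour"], r.ts.hour)
    return base


def evaluate(req, policy=POLICY, baseline=None, burst_factor=5):
    """Return (decision, reason). Decisions: allow, deny (policy), block (anomaly)."""
    # 1. Identity first. Being on the LAN or the VPN earns no trust by itself.
    if not req.mfa:
        return "deny", "no MFA-backed session"
    # 2. Explicit allowlist: stolen credentials only buy what that identity may do.
    if (req.table, req.op) not in policy.get(req.user, set()):
        return "deny", f"{req.user} is not permitted {req.op} on {req.table}"
    # 3. Behavioural check: even a permitted operation is stopped if it looks unlike
    #    this identity's history (a production system would alert and step up auth).
    b = (baseline or {}).get((req.user, req.table, req.op))
    if b is None:
        return "block", "no baseline for this identity/table/operation"
    if req.rows > burst_factor * b["max_rows"]:
        return "block", f"{req.rows} rows exceeds {burst_factor}x baseline max {b['max_rows']}"
    if not (b["min_hour"] <= req.ts.hour <= b["max_hour"]):
        return "block", f"hour {req.ts.hour} outside baseline {b['min_hour']}-{b['max_hour']}"
    return "allow", "within policy and baseline"


# Constructed "normal" history used to learn the baseline.
HISTORY = [
    Request("bob", True, "lan", "orders", "SELECT", 120, datetime(2020, 3, 2, 9, 5)),
    Request("bob", True, "lan", "orders", "SELECT", 180, datetime(2020, 3, 3, 10, 40)),
    Request("bob", True, "vpn", "orders", "SELECT", 95, datetime(2020, 3, 5, 16, 15)),
    Request("alice", True, "lan", "orders", "UPDATE", 3, datetime(2020, 3, 4, 11, 0)),
]
BASELINE = build_baseline(HISTORY)

# Constructed incoming requests: a normal work-from-home query, a session without MFA,
# and two uses of bob's stolen session (wrong table, then a bulk dump at 03:10).
SCENARIOS = {
    "bob_normal_from_home": Request("bob", True, "vpn", "orders", "SELECT", 150, datetime(2020, 3, 20, 11, 30)),
    "bob_no_mfa":           Request("bob", False, "lan", "orders", "SELECT", 10, datetime(2020, 3, 20, 11, 30)),
    "stolen_bob_customers": Request("bob", True, "vpn", "customers", "SELECT", 50, datetime(2020, 3, 20, 11, 30)),
    "stolen_bob_dump":      Request("bob", True, "vpn", "orders", "SELECT", 250000, datetime(2020, 3, 21, 3, 10)),
}


def run_scenarios():
    """Evaluate every constructed scenario; returns {name: (decision, reason)}."""
    return {name: evaluate(r, POLICY, BASELINE) for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (decision, reason) in run_scenarios().items():
        print(f"{name:22s} {decision:5s} {reason}")
```

The point of the ordering is that the network path (`source`) never appears in the decision: the same check runs for a desk on the LAN and a laptop on a home VPN, which is what moving the control from the castle gate to the treasury door means in practice. The baseline here is deliberately crude (max rows and an hour window); real products learn richer profiles, but the shape of the decision is the same.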

COVID-19 is making the issue more critical. But corporations are notoriously slow to act. 

“While those who hold critical and private information about consumers are ultimately responsible for its protection, the onus is also on all of us to demand that our banks, credit agencies, and other entities implement data-level security,” Espinoza said. “The old standard is clearly not enough.”


