With many employees now working from home, and numerous organisations looking to implement digital transformation at an unprecedented pace, the Covid-19 pandemic has brought with it many new challenges for chief information security officers (CISOs), often while contending with shrinking budgets.
According to Enterprise Technology Research, corporate technology budgets could drop by up to 4.1% this year as a result of the pandemic. Research by McKinsey also revealed that 70% of CISOs and security buyers believe budgets will shrink by the end of 2020.
This has come at a time when attackers are exploiting the current situation for their own means.
“This pressure will mean we streamline and reduce complexity”
Although the outlook may seem bleak for cybersecurity, the rapid changes CISOs are currently experiencing may in fact be an opportunity to rethink how organisations protect themselves.
Last month, HP hosted a webinar exploring what could be next for cybersecurity, featuring experts from across the field, including former CISOs from IBM and JP Morgan.
Now that many organisations are looking beyond the initial stages of the pandemic, the time has come to plan for the future, including the role of cybersecurity.
Kris Lovejoy, EY Global Cybersecurity Leader and former CISO of IBM, believes that there is reason to be optimistic, as organisations change their approach to cybersecurity.
“We see CISOs being left out of the decision-making process around transformation and budgets are being cut. So why be optimistic? Because usually organisations just buy more stuff to deal with crises or compliance,” she says.
“They never take anything out. My hope is that this pressure will mean we streamline and reduce complexity. The combination of top down focus, and budget restrictions will fundamentally change our approach to cyber.”
However, Charles Blauner, former global head of information security at Citigroup and Team8 CISO in Residence, notes that for some industries there has been an increase in CISOs’ budgets as organisations think about operational resilience. He describes this as an opportunity for “good CISOs” as “people will be less scared of change”.
“Massively distributed infrastructure is becoming the norm”
HP recently surveyed 1070 IT Managers and IT decision makers and found that 51% of end-users feel they’re not set up adequately for remote work. Furthermore, 81% believe IT is more tied than ever to the success of the business.
In this context, with organisations’ computing endpoints now extending far beyond the corporate network and requiring a new approach to security, CISOs have pivoted to new ways of working at a rapid pace.
Boris Balacheff, chief technologist, security research and innovation at HP, explains that having a robust distributed infrastructure has been key to succeeding at this time.
“From remote work, to IoT infrastructures, to all forms of automation – massively distributed infrastructure is becoming the norm. In a distributed world, endpoint devices are truly on the front line of the cyber security battle ground,” he says.
“No one is going to turn up at your door to help you if something goes wrong. Look back at early destructive attacks like Shamoon – going after 35,000 workstations. It’s simply not possible to have the sort of IT intervention that it took to get people back on their feet today. We need to give the technology that underpins our information systems the autonomy and self-healing capability to guarantee resilience, designed and anchored into the hardware itself.”
Ian Pratt, global head of security (personal systems) at HP, explains that this has seen an acceleration of several different trends, such as moving to the cloud, as IT work practices have had to change.
“We’re seeing an acceleration of trends that were happening anyway. Even very simple IT work practice has changed. Organisations have had to work out how to get laptops to employees with all the correct compliance, credentials, and certificates without it stopping off at an IT practitioner’s desk,” he says.
“We’re now enabling organisations to order machines not only imaged, but also provisioned with security credentials straight from the factory, so employees can use them securely straight out of the box. We’re at a point where end-points really have to be able to look after themselves at every stage.”
Opportunities for attackers as well as CISOs
However, while this presents opportunities to innovate, it also presents opportunities for attackers. According to Specops Software, 54% of businesses report an increase in cyber-attack threats whilst working from home.
“With most employees operating remotely, disruptive or destructive attacks become even more damaging. As exploit sophistication increases, firmware attacks could become an extremely dangerous and attractive target,” Balacheff says.
“Attacks aiming to ‘brick’ devices could isolate workers and halt operations entirely on a large scale. Devices that can offer autonomous recovery, a self-healing capacity, built into the hardware, beneath the software and operating system, become mission critical.”
Although the use of Covid-19 as the focus of phishing attacks and scams has now been well-documented, there has also been a change when it comes to more sophisticated attacks.
“Things that would have been regarded as requiring nation state sophistication are now being perpetrated by criminal organisations,” explains Pratt.
“There exists a criminal supply chain of different organisations contributing specialist skills – finding vulnerabilities, building exploits or payloads, crafting the lure, distribution, etc. In addition, the whole yield management has become much more sophisticated – criminals making sure they extract as much money as possible from a victim, increasingly playing the long game.
“We’re seeing more maturity, more sophistication, but the actual model itself hasn’t changed. Endpoints are targeted. It’s still users being duped to invite the attacker in.”
A reason for optimism?
However, the experts were “cautiously optimistic” that, although it is unlikely that things will go back to normal any time soon, this can be viewed positively. Blauner explains that the crisis could in fact “get us to better off faster”.
“This is an opportunity for good CISOs to change their relations with CEOs and their businesses,” said Blauner. “The really good CISOs are now thinking about how to leverage security technology to help transform the business. The good CISOs are taking the opportunity to put good ideas out there. It’s the really bad CISOs who are struggling to catch up to all the changes that no-one ever talked to them about.”