When COVID-19 hit and Australia went into lockdown, the cybersecurity industry had to rapidly respond to challenges and changes in the operating environment of most organisations. I was invited onto a forum organised by the Australian Cyber Security Centre (ACSC) tasked with sharing threat intelligence and developing cybersecurity operational responses.
This experience, along with the work I have been performing at CGI, has granted me a unique perspective on the impact, both initial and continued, of the pandemic.
More than a year into COVID-19, has anything changed within the cybersecurity landscape?
As the pandemic raged across the globe and Australia, the business world had to change its operating environment to adapt to the new norm and its challenges, predominantly forcing the workforce to operate from home instead of from traditional corporate environments. The changes were swiftly enforced on employees with a view to safeguarding the health and wellbeing of employees, families and society. The rapid change to the business operating model presented an initial challenge to the technology sector, demanding digital innovation and scalability to enable employees to perform their duties from the home environment.
For most business operations, the rapid changes to business, technology and the operating environments presented challenges to the existing security controls, both digital and physical. From a protective security technology perspective, if a threat actor had a deep desire to infiltrate, they could hack into the home network to gain access to an organisation’s system. When you arrive at your office, you don’t need to think about network security – you connect to a known corporate Wi-Fi network, trusting that appropriate controls are in place. But instead of working behind the complex, layered security offered in-office, remote workers used whatever systems they had at home, which often featured limited or simplistic controls, such as a Wi-Fi password of 123456.
Additionally, from the perspective of employees’ work arrangements and operations, most security detection and response capabilities nowadays are designed around behaviours (e.g. operating hours, location, services, information access requirements etc.). As an example, if you're supposed to work normal business hours (e.g. eight to five or nine to six), those hours would be considered a baseline, and anything different (earlier or later work hours) would generally raise queries seeking clarification to validate the behaviour. These changes created a significant amount of noise in the system and triggered false alarms, making it more difficult to identify real threats. The security system needs to be configured on a new (and constantly changing) normal, which can be incredibly time-consuming.
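To make the baseline problem concrete, the following is an added example (not from the original article) that runs a fixed eight-to-five rule and a per-user rolling baseline over the same constructed login events. All names, thresholds and data are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _logins(user, first_day, days, *times):
    # Build constructed login events: one per time-of-day on each day.
    start = datetime.fromisoformat(first_day)
    return [(user, start + timedelta(days=d, hours=h, minutes=m))
            for d in range(days) for h, m in times]

# Constructed sample data (not real logs). "alice" works office hours for a
# week, then from home with early and late sessions; the final 03:05 login
# fits neither pattern. "bob" keeps office hours throughout.
EVENTS = sorted(
    _logins("alice", "2020-03-16", 5, (8, 30))
    + _logins("alice", "2020-03-23", 5, (6, 10), (20, 40))
    + _logins("alice", "2020-03-30", 1, (3, 5))
    + _logins("bob", "2020-03-16", 12, (9, 0)),
    key=lambda e: e[1])

def hour_of(ts):
    return ts.hour + ts.minute / 60

def static_alerts(events, start=8, end=17):
    """Fixed eight-to-five baseline: flag every login outside it."""
    return [(u, ts) for u, ts in events if not start <= hour_of(ts) < end]

def adaptive_alerts(events, window=10, tolerance=1.0, warmup=3):
    """Per-user rolling baseline built from the user's last `window` logins.

    A login is flagged when it is more than `tolerance` hours (on a 24h
    clock) from every login time in the window. Flagged logins still enter
    the window, which stands in for an analyst confirming the new pattern;
    a real deployment should gate that step on validation.
    """
    history = defaultdict(lambda: deque(maxlen=window))
    alerts = []
    for user, ts in events:
        h, seen = hour_of(ts), history[user]
        if len(seen) < warmup:
            unusual = not 8 <= h < 17  # too little history: use static rule
        else:
            unusual = all(min(abs(h - s), 24 - abs(h - s)) > tolerance
                          for s in seen)
        if unusual:
            alerts.append((user, ts))
        seen.append(h)
    return alerts

if __name__ == "__main__":
    print(len(static_alerts(EVENTS)), len(adaptive_alerts(EVENTS)))
```

On this data the fixed rule flags every early and late home-working session, while the rolling baseline flags only the first occurrence of each new pattern and the 03:05 login.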
Remote work arrangements resulted in a material loss of established security controls, both in physical and digital preventive controls.
The challenges of mitigating cybersecurity risks during COVID-19
In the short term, most organisations never envisaged that there would come a time when they would have to rapidly adapt to remote working arrangements. As such, cybersecurity hygiene, training and awareness were structured around established corporate/office technologies, business norms and behaviours. Hindsight is 20/20 - looking back at the security posture for most organisations, there was a real sense of complacency.
Many organisations had not implemented or technically provisioned for secure remote working arrangements. Those with limited remote working capabilities could not scale and expand existing technological capabilities fast enough. Additionally, “stay at home” directives imposed across all walks of life presented changes for households and additional responsibilities, including caring for children at home and homeschooling. These lifestyle changes significantly affected corporates as well as employees, as corporates embraced flexible working arrangements and employees began working at different times of the day, raising the aforementioned security alarms.
As the world adapted to the new norm and anxiously awaited positive news of any breakthrough on COVID-19 vaccines, bad actors saw an opportunity. They began using COVID-19 themed campaigns to lure employees into clicking on malicious emails. They went from “Already secured tickets to the Boxing Day Test? Hurry and grab your FREE tickets to MCG!” to “New COVID-19 vaccine, click here for the latest COVID-19 developments, stats and vaccine news.”
All of these factors presented major – though not insurmountable – challenges for security operations and response teams. They first had to implement technologies (e.g. remote connectivity, video conferencing etc.) to ensure the workforce could work from home in a secure manner. Importantly, they had to identify the changes in employee behaviour, understand emerging cybersecurity campaigns and threats, and then adjust the security incident response process (How do we respond to incidents? What are our incident containment and mitigation strategies?). Additionally, the security operations team had to pivot and change the security response and recovery operating model for the remote workforce.
Next, they had to ensure that employees had suitable cybersecurity measures in place at home. They had to securely scale, increase capacity and availability of their systems to ensure that an employee could securely connect to the office environment.
Finally, and most importantly, they needed to educate the workforce on cybersecurity safeguard protocols for working from home, as people are the best defence against rapidly evolving security threats. They had to create security awareness and communication campaigns to inform and educate the workforce on security hygiene, provide regular updates on current security threats and give access to security services as efficiently as possible.
Bringing a more proactive approach to managing cybersecurity risks
It's been an interesting year that has forced digital disruption and forever changed the work landscape. Organisations that never would have operationalized remote workers have proven that they can operate while keeping their businesses up and running.
To stay competitive in this new business and economic environment, organisations have proactively taken the opportunity to change the business strategies, operations, and continuity and disaster recovery practices. They are asking themselves questions about how they would envisage managing and operating in a post-COVID-19 world:
- Can we deliver intended and secure outcomes to our customers remotely?
- Can remote working enable our workforce to deliver desired outcomes for both employees and customers?
- Can remote working empower effective interaction between our internal and external stakeholders?
- Can we utilise the funds invested in real estate, travel, facilities and other expenditure towards employee welfare and reduce product overheads?
- Can we invest in technologies that enable remote technology services (e.g. Virtual Private Networks (VPN), Microsoft Office 365, Google Workspace etc.) and collaboration (e.g. Zoom, Microsoft Teams etc.) to enable future growth?
As the answers to these questions enable the organisation, workforce and customers to operate outside the traditional corporate network, cybersecurity plays a vital role in providing a secure digital environment.
It has been amazing to observe how resilient, adaptive and pragmatic some industries have been in responding to the pandemic and pivoting business operations to digital technology. Take the real estate industry, for example: historically an in-person, face-to-face business model that had real estate agents and buyers walking through homes, sellers signing paper-based documents and agents holding front yard auctions. Every aspect of the property buying experience has found an effective digital synonym (e.g. online auctioning, virtual property walk-throughs, e-signatures, e-documents etc.).
Despite pandemic challenges, digital transformation has enabled the real estate industry to continuously operate and provide services to its prospects, buyers and sellers. However, with every digital transformation there are opportunities and risks that should be managed. Each stakeholder involved (directly or indirectly) in a digital interaction would require digital assurance:
- How are the privacy and security of data managed?
- How can prospects and buyers gain trust through virtual property walk-throughs?
- How can the real estate agents and/or sellers guarantee the authenticity of prospects or buyers?
- How can all stakeholders trust the online auction platform?
- How do you ensure e-signatures on e-documents are watertight?
All of these questions have – to varying degrees – been solved by cybersecurity professionals. And as we slowly come out of the pandemic, there will be many more challenges that the cybersecurity professionals will be tasked to manage.
How CGI is helping organisations mitigate cybersecurity risks
Cybersecurity is simply a subset of the operational business risk. At CGI, we work with our clients and partners to develop their cybersecurity vision, mission and strategy, which we use to drive secure business outcomes. We group security into three main categories:
Evolving, assessing risks and education:
- Threat and risk assessment based on changes to the business operations;
- Security compliance reviews to ensure regulatory, legal and stakeholder obligations;
- Educate and conduct security awareness campaigns; and
- Design and update security policies and procedures.
Protecting the business through secure technology implementation and testing:
- Architecting and engineering security engagements based on changes to the business operations;
- Implementation of security solutions and technology change and configuration management to adapt to the business changes; and
- Performing offensive security testing and assurance services.
Enabling the organisation to perform secure digital transactions and operate with confidence:
- Continuous protective security monitoring services to ensure the technology environment is monitored for security threats;
- Incident management and forensic services to respond to detected security events and incidents; and
- Cyber Threat Intelligence (CTI) and mitigation services to proactively respond to targeted and emerging threats.
As a trusted partner for 45 years, and as societies increasingly depend on technology, CGI’s primary objective through cybersecurity services is to educate, share experiences, implement safeguarding measures and continuously enable organisations to securely operate in a digital environment.
If COVID-19 has shown us anything, it is that dramatic change can occur at a moment’s notice, and that some organisations are better at preparing for the unprecedented than others.
But having (presumably) made it through the worst of it, organisations, technology and security stakeholders alike have the opportunity to learn from the experience, to ensure that the next earth-shaking event, whatever it may be, can be handled more effectively and securely.
If you’re interested in the work we do here at CGI and want to find out more about joining the team, visit our careers page.