IT underwent a major change in 2020 as organizations were forced to quickly adopt strategies to handle new cybersecurity threats and increased remote working and collaboration needs, according to Matrix Integration. Cybersecurity remains a top concern for 2021, as attackers continue to threaten organizations, particularly in energy/utilities, government, and manufacturing. “Although every organization is putting more money towards cybersecurity, the ground is always shifting,” said Rob Wildman, VP of professional services at Matrix Integration. “It … More
Corporate security and IT departments and the people who lead them often have complicated relationships. But does it really have to be that way? It’s a critical question as digital business accelerates in every industry and market, its rise only magnified by the COVID-19 pandemic. Never has it been more important for the CIO, CISO and other digital technology leaders to work in lockstep as they shape their organizations’ future. For too long in too … More
The post Four ways to improve the relationship between security and IT appeared first on Help Net Security.
In this article I’ll consider next year’s data security landscape with a focus on the two key issues you need to have on your planning agenda. Of course, how the pandemic plays out will have a huge say on tactical questions ranging from budget to manpower to project priorities – but these long-term strategic trends will impact IT organizations well beyond 2021. The “bring your own” genie will leave the bottle Over the last decade, … More
The post The need for zero trust security a certainty for an uncertain 2021 appeared first on Help Net Security.
The biggest security concerns facing businesses are data leaking through endpoints (27%), loss of visibility of user activity (25%) and maintaining compliance with regulatory requirements (24%), DTEX Systems reveals. These concerns are followed by access from outside the perimeter (23%) and remote access to core business apps (18%) such as email and collaboration. Few companies prepared to secure and support a shift to remote work The report also found that only 30% of companies surveyed … More
The post Only 30% prepared to secure a complete shift to remote work appeared first on Help Net Security.
A Unify Square survey unveils key perspectives of enterprise employees on workplace collaboration and communication in the midst of the global pandemic. Findings highlight gaps in stress levels between workers at different job levels and industries and how increased usage of collaboration and UC applications has impacted the success of internal communication at enterprises. Zoom reigns king of collaboration Since COVID-19 forced a large majority of the enterprise workforce into remote work, 72% of companies … More
The post Researchers expose the stress levels of workers at different job positions appeared first on Help Net Security.
Unit4 surveyed business and IT decision makers and users working in service industries in August and September 2020, to understand how well organizations are embracing innovation and adapting to the challenges of the pandemic.
Growing people-centric innovation
The study shows that 84% of global decision makers are accelerating their digital transformation plans, in response to growing demands from users, who want more flexibility to work remotely in the future.
During COVID-19, global decision makers cited three main impacts on their enterprise applications strategies. They have become more agile in their planning (49%) and acknowledge the pace of innovation (42%) has increased, while 35% say it has sped up their investment in moving to the cloud and 24% are more comfortable failing fast.
They’ve also outlined specific priorities to enable workforces to be more productive, which shows that innovation has become much more focused on the needs of users.
As decision makers look ahead to future strategies, the research identifies the top three priorities for users, which decision makers must respond to:
- Having the freedom to access IT systems so they can work from anywhere
- Better tools for collaboration
- Increased automation to reduce their workloads.
Consequently, decision makers say their future IT plans are very people-centric, listing their main objectives as: wanting to enable the flexibility of remote working, creating environments to encourage greater collaboration and empowering employees to be more productive, as well as meeting the demands of customers. Decision makers believe this is achievable by focusing on three tech-based priorities:
- Building a simple and intuitive user interface and experience – 43%
- Using automation to simplify and speed up workflows – 39%
- Enabling users to communicate with enterprise applications using their preferred tools, such as Slack and WhatsApp – 38%
The adaptable organization
As many organizations transitioned to remote working during 2020, a positive outcome has been that 60% of global users say they have been more productive during lockdown. They are also predominantly satisfied that their IT systems have helped them to get the most out of their roles.
It is perhaps unsurprising that 84% of global decision makers want to encourage colleagues to work remotely more often following the lockdown, which is mirrored by 69% of global users who also want the same flexibility.
Clearly, now that organizations have proven their enterprise IT systems can handle the demands of a remote, distributed workforce there is confidence they can sustain the model.
However, there are challenges ahead, as 34% of global decision makers say they must break down silos of information across their organizations and 31% of users are reluctant to change.
On a more positive note, a resounding majority (84%) say that the pandemic is forcing meaningful board discussions about future strategy, which clearly shows C-Suite decision makers are engaged.
Traditional on-premise IT systems not capable of reacting to rapid change
77% of global decision makers also believe traditional on-premise IT systems and enterprise applications are not capable of reacting to rapid change, which is why 86% say the cloud offers more flexibility, with more than two-thirds expecting their enterprise applications to be fully cloud-based in the next two years.
“New ways of working, initially broadly imposed by the global pandemic, are morphing into lasting models for the future,” said Mickey North Rizza, program vice president for IDC‘s Enterprise Applications and Digital Commerce research practice.
“Permanent technology changes, underpinned by improved collaboration, include supporting hybrid work, accelerating cloud use, increasing automation, going contactless, adopting smaller TaskApps, and extending the partnership ecosystem. Enterprise application vendors need to assess their immediate and long-term strategies for delivering collaboration platforms in conjunction with their core software.”
“If we’ve learned anything this year, it’s that the business environment can change almost overnight, and as business leaders we have to be able to reimagine our organizations and seize opportunities to secure sustainable competitive advantage,” said Mike Ettling, CEO, Unit4.
“Our study shows what is possible with continued investment in innovation and a people-first, flexible enterprise applications strategy. As many countries go back into some form of lockdown, this people-centric focus is crucial if businesses are to survive the challenges of the coming months.”
As we near 2021, it seems that the changes to our working life that came about in 2020 are set to remain. Businesses are transforming as companies continue to embrace remote working practices to adhere to government guidelines. What does the next year hold for organizations as they continue to adapt in the age of the Everywhere Enterprise?
We will see the rush to the cloud continue
The pandemic saw more companies than ever move to the cloud as they sought collaboration and productivity tools for employee bases working from home. We expect that surge to continue as more companies realize the importance of the cloud in 2021. Businesses are prepared to preserve these new working models in the long term, some perhaps permanently: Google urged employees to continue working from home until at least next July and Twitter stated employees can work from home forever if they prefer.
Workforces around the world need to continue using alternatives to physical face-to-face meetings, and remote collaboration tools will help. Cloud-based tools are perfect for that kind of functionality, which is partly why many customers that are not in the cloud want to be. The customers who already started the cloud migration journey are also moving more resources to public cloud infrastructure.
People will be the new perimeter
While people will eventually return to the office, they won’t do so full-time, and they won’t return in droves. This shift will close the circle on a long trend that has been building since the mid-2000s: the dissolution of the network perimeter. The network and the devices that defined its perimeter will become even less special from a cybersecurity standpoint.
Instead, people will become the new perimeter. Their identity will define what they’re allowed to access, both inside and outside the corporate network. Even when they are logged into the network, they will have minimal access to resources until they and the device they are using have been authenticated and authorized. This approach, known as zero trust networking, will pervade everything, covering not just employees, but customers, contractors, and other business partners.
User experience will be increasingly important in remote working
Happy, productive workers are even more important during a pandemic, especially as employees are, on average, working three hours longer since the pandemic started, disrupting the work-life balance. It’s up to employers to focus on the user experience and make workers’ lives as easy as possible.
When the COVID-19 lockdown began, companies coped by expanding their remote VPN usage. That got them through the immediate crisis, but it was far from ideal. On-premises VPN appliances suffered a capacity crunch as they struggled to scale, creating performance issues, and users found themselves dealing with cumbersome VPN clients and log-ins. It worked for a few months, but as employees settle in to continue working from home in 2021, IT departments must concentrate on building a better remote user experience.
Old-school remote access mechanisms will fade away
This focus on the user experience will change the way that people access computing resources. In the old model, companies used a full VPN to tunnel all traffic via the enterprise network. This introduced latency issues, especially when accessing applications in the cloud because it meant routing all traffic back through the enterprise data center.
It’s time to stop routing cloud sessions through the enterprise network. Instead, companies should allow remote workers to access them directly. That means either sanitizing traffic on the device itself or in the cloud.
User authentication improvements
Part of that new approach to authentication involves better user verification. That will come in two parts. First, it’s time to ditch the password. The cybersecurity community has advocated this for a long time, but the work-from-home trend will accelerate it. Employees accessing from mobile devices are increasingly using biometric authentication, which is more secure and convenient.
The second improvement to user verification will see people logging into applications less often. Sessions will persist for longer, based on deep agent-based device knowledge that will form a big part of the remote access experience.
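The access model sketched in the two sections above (identity defines access, minimal access until both user and device are verified, network location grants nothing, password-only logins retired, and session lifetime tied to agent-reported device knowledge) as an added illustration. This is example code written for this page, not code from the original article or from any vendor's product; the resource names, group names, posture fields, time limits and sample requests are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Identity:
    user: str
    method: str            # how identity was proven: "biometric", "mfa", "password" or "none"
    groups: frozenset


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    managed: bool          # enrolled with an endpoint agent (assumed source of device knowledge)
    disk_encrypted: bool
    os_patched: bool
    last_report: datetime  # when the agent last reported this state


@dataclass(frozen=True)
class Session:
    last_verified: datetime  # last time identity and device were both re-verified


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    reauth_required: bool = False


# Constructed policy values (assumptions, not from the article).
POSTURE_MAX_AGE = timedelta(minutes=15)          # agent report must be at least this fresh
SESSION_MAX_AGE = {True: timedelta(hours=12),    # managed device: long-lived session
                   False: timedelta(hours=1)}    # unmanaged device: short session
RESOURCE_POLICY = {
    # resource name: (groups entitled, managed device required)
    "hr-portal": (frozenset({"employees", "hr"}), False),
    "source-code": (frozenset({"engineering"}), True),
    "finance-ledger": (frozenset({"finance"}), True),
}


def evaluate(identity: Identity, device: DevicePosture, session: Session,
             resource: str, now: datetime, on_corporate_network: bool = False) -> Decision:
    """Per-request decision: identity, entitlement, device and session must all check out.
    on_corporate_network is accepted only to make the point explicit: being on the LAN
    grants nothing, so it is never consulted below."""
    # 1. Identity: no proof of identity, or a password-only login, is not accepted.
    if identity.method in ("none", "password"):
        return Decision(False, f"authentication method {identity.method!r} not accepted",
                        reauth_required=True)
    # 2. Entitlement: default deny for unknown resources and unentitled users.
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return Decision(False, f"unknown resource {resource!r}: default deny")
    entitled, needs_managed = policy
    if not (identity.groups & entitled):
        return Decision(False, f"{identity.user} not entitled to {resource}")
    # 3. Device: posture must be current; sensitive resources need a healthy managed device.
    if now - device.last_report > POSTURE_MAX_AGE:
        return Decision(False, "device posture report is stale", reauth_required=True)
    if needs_managed and not device.managed:
        return Decision(False, f"{resource} requires a managed device")
    if needs_managed and not (device.disk_encrypted and device.os_patched):
        return Decision(False, "managed device fails posture checks")
    # 4. Session: how long it may persist depends on how much is known about the device.
    if now - session.last_verified > SESSION_MAX_AGE[device.managed]:
        return Decision(False, "session lifetime exceeded", reauth_required=True)
    return Decision(True, "identity, device and session verified")


def run_samples() -> dict:
    """Constructed scenarios exercising the policy; returns scenario name -> Decision."""
    now = datetime(2021, 1, 4, 9, 0, tzinfo=timezone.utc)
    eng = Identity("alice", "biometric", frozenset({"employees", "engineering"}))
    hr = Identity("bob", "mfa", frozenset({"employees", "hr"}))
    fin = Identity("carol", "mfa", frozenset({"employees", "finance"}))
    managed = DevicePosture("lap-01", True, True, True, now - timedelta(minutes=2))
    byod = DevicePosture("phone-07", False, False, False, now - timedelta(minutes=2))
    stale = DevicePosture("lap-02", True, True, True, now - timedelta(hours=2))
    recent, old = Session(now - timedelta(minutes=30)), Session(now - timedelta(hours=3))
    return {
        "eng_managed_recent": evaluate(eng, managed, recent, "source-code", now),
        "eng_byod": evaluate(eng, byod, recent, "source-code", now),
        "hr_byod_recent": evaluate(hr, byod, recent, "hr-portal", now),
        "hr_byod_old_session": evaluate(hr, byod, old, "hr-portal", now),
        "eng_managed_old_session": evaluate(eng, managed, old, "source-code", now),
        "fin_on_lan_stale_posture": evaluate(fin, stale, recent, "finance-ledger", now,
                                             on_corporate_network=True),
        "password_login": evaluate(Identity("dave", "password", frozenset({"employees"})),
                                   managed, recent, "hr-portal", now),
    }
```

The same three-hour-old session is allowed from the managed laptop and refused from the unmanaged phone, which is the "sessions persist longer based on device knowledge" point in practice.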
Changing customer interactions will require better mobile security
It isn’t just employees who will need better mobile security. Businesses will change the way that they interact with customers too. We can expect fewer person-to-person interactions in retail as social distancing rules continue. Instead, contact-free transactions will become more important and businesses will move to self-checkout options. Retailers must focus more on mobile devices for everything from browsing products, to ordering and payment.
The increase in QR codes presents a great threat
Retailers and other companies have already started using QR codes, and will use them more and more, to provide contact-free access to things like menus and payment systems and to comply with social distancing rules. Users can scan them from two meters away, making them perfect for payments and product information.
The problem is that they were never designed for these applications or digital authentication and can easily be replaced with malicious codes that manipulate smartphones in unexpected and damaging ways. We can expect to see QR code fraud problems increase as the usage of these codes expands in 2021.
The age of the Everywhere Enterprise
One overarching message came through clearly in our conversations with customers: the enterprise changed for the longer term in 2020, and this will have profound effects in 2021. What began as a rushed reaction during a crisis this year will evolve during the next as the IT department joins HR in rethinking employee relationships in the age of the everywhere enterprise.
If 2020 was the year that businesses fell back on the ropes, 2021 will be the one where they bounce forward, moving from a rushed reaction into a thoughtful, measured response.
Overall investments in digital resiliency have increased steadily throughout the year as businesses prioritize or accelerate adoption of cloud, collaborative, and digital transformation projects, IDC reveals.
Security has also been a major investment area, driven by the shift to more remote work and accelerated cloud adoption in 2020.
“Digital resiliency refers to an organization’s ability to rapidly adapt to business disruptions by leveraging digital capabilities to not only restore business operations, but also capitalize on the changed conditions,” said Stephen Minton, VP in IDC‘s Customer Insights & Analysis group.
“As the COVID-19 crisis has shown, the ability to respond quickly and effectively to unexpected changes in the business environment are critical to an organization’s short-term success. To prepare for future business disruptions, organizations need plans that will enable them to rapidly adapt as opposed to just respond.
“Investments in digital capabilities not only enable an organization to adapt to the current crisis but also to capitalize on the changed conditions.”
The Digital Resiliency Investment Index
The Digital Resiliency Investment Index is comprised of two factors – digital core investments and digital innovation investments.
Digital core investments are comprised of spending on the core components of digital resiliency: cloud, security, collaborative support for remote workers, and digital transformation projects. This score should increase over time as organizations shift budget away from traditional and legacy IT spending and toward these core components of digital resiliency.
Digital innovation investments are measured using a monthly survey of enterprises on their current and anticipated IT investment focus, including how much new or reallocated spending is targeted at digital resiliency and business acceleration versus crisis response measures. This score should also increase over time as organizations shift their spending focus back to building a digital enterprise.
Overall, investments in cloud, collaboration, and security have managed to grow throughout 2020, despite a decline in overall IT spending.
In recent months, the focus on resiliency has increased as organizations realize the importance of being prepared for future business disruptions. As a result, digital resiliency spending is expected to accelerate in 2021 as the global economy improves.
Resiliency investments by location
On a geographic basis, resiliency investments grew fastest in Asia/Pacific, in line with the region’s overall response to the pandemic. Investments in the United States improved noticeably in October, which may reflect a combination of short-term and long-term factors.
Meanwhile, Europe’s results declined slightly in October as the region returned to crisis response mode with a surge in coronavirus cases and new socio-economic restrictions.
“The next several months may put increased pressure on some organizations to respond to second waves of COVID infections and economic lockdowns, which will be reflected in our monthly surveys throughout the winter,” said Minton.
“What we have learned already this year is that the organizations which were among the early adopters of cloud, digital, and collaborative technologies were best-positioned for a crisis no one could have predicted.
“Digital resiliency in the coming 6-12 months will to some extent reflect the speed at which others were able to pivot their tech investments in 2020, even as overall budgets were constrained by economic uncertainty.”
SafeGuard Cyber announced the results of a survey of 600 senior enterprise IT and security professionals, conducted to understand how businesses rate their own security and compliance risks in the new digital reality of the workplace brought by the COVID-19 pandemic.
Rate security risks
Respondents were asked to effectively grade their adaptations to date, articulate what gaps still exist, and explain how they’re planning for the future. One-third of respondents reported their entire business process has changed and is still evolving, while 26% said they’ve rushed certain projects that were scheduled for later.
The study revealed the need to harden unconventional attack vectors in cloud, mobile, and social media technologies.
“Everyone in business understands the pandemic has had a seismic impact, but we were still surprised to learn how vulnerable organizations feel about the digital technologies they’ve adopted,” said Jim Zuffoletti, CEO, SafeGuard Cyber.
“Bad actors typically migrate to where the action is, so it makes sense digital communication channels are more likely to be targets. Surprisingly, marketing technologies moved up on the list, and we’re seeing more and more concern for executive leaders.”
- A significant disconnect and tension between the perceived security and compliance needs and the level of organizational planning. Despite perceived digital risk around unsanctioned apps, ransomware attacks, and varying tech stacks, only 18% of respondents reported cybersecurity as being a board-level concern.
- 57% of those surveyed cited internal collaboration platforms – like Microsoft Teams and Slack – as the tech stack representing the most risk, followed closely by marketing technologies at 41%.
- 1 in 4 respondents reported Executives’ personal social media as being an area of risk.
- The biggest security and compliance challenge is the use of unsanctioned apps (52%), followed by trying to monitor business communications in multi-regional environments (43%), suggesting global enterprises are seeing more friction in scaling technologies for the digital workspace.
- When it comes to purchasing new technology, 59% cite budget as the top concern, followed very closely by “impact on business outcomes” like revenue growth and agility (56%).
Davis Hake, Co-Founder of Resilience and Arceo.ai, concurred, “Incidents of business email compromise skyrocketed last year according to the FBI, with losses doubling from 2018 to reach $1.3B, but we know that with a move to remote work during the pandemic, cyber criminals aren’t just targeting email, they are increasingly targeting the digital collaboration platforms that are keeping our economy afloat.”
Enterprises are juggling the twin demands of budget constraints and the need to drive business outcomes.
“Simply saying ‘no’ to channels like WhatsApp or Slack is no longer an option. It’s the way business gets done today. As business leaders look to 2021, they will need security controls that enable rather than block new communication channels in order to sustain growth.”
Federal IT leaders across the country voiced the importance of network visibility in managing and securing their agencies’ increasingly complex and hybrid networks, according to Riverbed.
Of 200 participating federal government IT decision makers and influencers, 90 percent consider their networks to be moderately-to-highly complex, and 32 percent say that increasing network complexity is the greatest challenge an IT professional without visibility faces in their agency when managing the network.
Driving this network complexity are Cloud First and Cloud Smart initiatives that make it an imperative for federal IT to modernize its infrastructure with cloud transformation and “as-a-service” adoption.
More than 25 percent of respondents are still in the planning stages of their priority modernization projects, though 87 percent of survey respondents recognize that network visibility is a strong or moderate enabler of cloud infrastructure.
Network visibility can help expedite the evaluation process to determine what goes onto an agency’s cloud and what data and apps stay on-prem; it also allows clearer, ongoing management across the networks to enable smooth transitions to cloud, multi-cloud and hybrid infrastructures.
Accelerated move to cloud
The COVID-19 pandemic has further accelerated modernization and cloud adoption to support the massive shift of the federal workforce to telework – a recent Market Connections study indicates that 90 percent of federal employees are currently teleworking and that 86 percent expect to continue to do so at least part-time after the pandemic ends.
The rapid adoption of cloud-based services and solutions and an explosion of new endpoints accessing agency networks during the pandemic generated an even greater need for visibility into the who, what, when and where of traffic. In fact, 81 percent of survey respondents noted that the increasing use of telework accelerated their agency’s use and deployment of network visibility solutions, with 25 percent responding “greatly.”
“The accelerated move to cloud was necessary because the majority of federal staff were no longer on-prem, creating significant potential for disruption to citizen services and mission delivery,” said Marlin McFate, public sector CTO at Riverbed.
“This basically took IT teams from being able to see, to being blind. All of their users were now outside of their protected environments, and they no longer had control over the internet connections, the networks employees were logging on from or who or what else had access to those networks. To be able to securely maintain networks and manage end-user experience, you have to have greater visibility.”
Visibility drives security
Lack of visibility into agency networks and the proliferation of apps and endpoints designed to improve productivity and collaboration expands the potential attack surface for cyberthreats.
Ninety-three percent of respondents believe that greater network visibility facilitates greater network security and 96 percent believe network visibility is moderately or highly valuable in assuring secure infrastructure.
Further, respondents ranked cybersecurity as their agency’s number one priority that can be improved through better network visibility, and automated threat detection was identified as the most important feature of a network visibility solution (24 percent), followed by advanced reporting features (14 percent), and automated alerting (13 percent).
“Network visibility is the foundation of cybersecurity and federal agencies have to know what’s on their network so they can rapidly detect and remediate malicious actors. And while automation enablement calls for an upfront time investment, it can significantly improve response time not only for cyber threat detection but also network issues that can hit employee productivity,” concluded McFate.
After several months of working from home, with no clear end in sight, financial risk and regulatory compliance professionals are struggling when it comes to collaborating with their teams – particularly as they manage increasingly complex global risk and regulatory reporting requirements.
According to a survey of major financial institutions conducted by AxiomSL, 41% of respondents said collaborating with teams remains a challenge while working remotely.
“Indeed, businesses might never return to the ‘old normal’, and that has made building data- and technology-driven resilience much more pressing than before the crisis. Our clients have been experiencing heightened regulatory pressures,” he continued.
“Throughout the crisis, we enabled them to respond rapidly to changes in reporting criteria, the onset of daily liquidity reporting, and the Federal Reserve’s emerging risk data collection (ERDC) initiative – that required FR Y–14 data on a weekly/monthly basis instead of quarterly.”
These data-intensive, high-frequency regulatory reporting requirements will continue in the ‘new normal.’ “To future-proof, organizations should continue to establish sustainable data architectures and analytics that enable connection and transparency between critical datasets,” Tsigutkin commented.
“And, as a priority, they should transition to our secure RegCloud to handle regulatory intensity efficiently, bolster business continuity, and strengthen their ability to collaborate remotely,” he concluded.
Key research findings
Remote collaboration is a top operational challenge for financial risk and regulatory pros: For all the talk of work-from-anywhere policies becoming the future of financial services, 41% of the risk and compliance professionals surveyed said collaborating with colleagues while working remotely has been their biggest challenge during the COVID-19 crisis.
This was the most frequently cited challenge, followed by accessing data from dispersed systems (18%), reliance on offshore resources (15%), and reliance on locally installed technology (15%).
Liquidity reporting expected to get harder: New capital and liquidity stress testing requirements are expected to present a much heavier burden on financial firms, with 18% of respondents citing increased capital and liquidity risk reporting as a major challenge they will face over the next two years.
Cloud adoption gets its catalyst: After years of resisting cloud adoption, many North American financial institutions are finally gearing up to make the move. When it comes to regulatory technology spending over the next two years, enhanced data analytics is the top area of focus among 29% of survey respondents. But cloud deployment rose to second place (23%) followed by data lakes (22%) and artificial intelligence and machine learning (20%).
Reduction of manual processes is an operational focus for the next two years: The top risk and regulatory compliance challenge firms see on the road ahead is continuing to eliminate manual processes (29%), followed by improving the transparency of data and processes (21%), and fully transitioning to a secure cloud (13%).
RegTech budgets largely intact heading into 2021: A total of 83% indicated their near-term projects as virtually unimpacted or mostly going forward. And similarly, 81% said their budgets for 2021 remain intact (70%) or will increase (11%).
Among those surveyed, the percentage working from home had abruptly jumped from 28 percent prior to the pandemic to 71 percent during the outbreak. The survey included more than 200 IT executives in the U.S. across various industries.
Manage remote work: High productivity, effectiveness and morale
IT professionals identified many challenges in their response to COVID-19, but felt that their productivity, effectiveness and morale remained high. Eighty-four percent of respondents believed that the “survival” of their companies depended on “providing a stable work environment” during and after the pandemic.
Seventy-eight percent said that technical support requests had also increased. Even so, 49 percent indicated that their volume of work “stayed the same” with another 32 percent noting that it was “higher than usual.”
Most IT professionals surveyed believe they were “very effective” (57 percent) or “somewhat effective” (40 percent) at solving urgent problems that arose during the pandemic. Only 3 percent believed their response was “not effective.”
Seventy-nine percent said it took up to 3 weeks to establish a stable work environment, but only 41 percent were confident they had sufficient VPN capacity.
Video conferencing as the most effective tool
As part of the initial “work from home” response, video conferencing topped the list as the most effective tool (66 percent), followed by cloud storage (59 percent), device management (49 percent) and collaboration (47 percent), according to respondents.
“Businesses capably managed the rapid transition to remote work in response to the COVID-19 pandemic,” said Gautam Goswami, CMO at TeamViewer. “But it’s critical that IT professionals remain focused on strengthening their infrastructure to guarantee business continuity by putting a range of secure remote connectivity solutions in place.”
“Work from home” concerns
Respondents also identified other concerns as they continue to manage through the pandemic’s extended “work from home” arrangements.
- Planning for a new normal: On average, IT executives expect that it will take more than seven months to return to “business as usual.” As businesses fortify their infrastructure, 85 percent “agree” or “strongly agree” that their organization will be prepared to manage a future coronavirus outbreak.
- Security is a top priority: Security remains a top priority for 57 percent of the IT executives surveyed, particularly in response to employees using their own devices and moving from private company networks to the public internet with more access points and increased vulnerabilities.
- Remote work will continue to trend: Eighty percent of IT leaders say they expect more employees to permanently work remotely, but only 38 percent are sure they have the training needed to handle the rise in remote work.
- Budget increases: Sixty-nine percent of organizations channelled new funds to IT in the wake of the pandemic, and 80 percent say they expect to need additional budget during the next year.
TEAMARES launched DeimosC2, addressing the market need for a cross-compatible, open source Command and Control (C2) tool for managing compromised machines that includes mobile support.
Offensive security teams often need access to a cost-effective, easy-to-use tool that can manage compromised machines after an exploitation. However, many of the options currently available in the market can be difficult to use, expensive, or lack the flexibility to expand features.
With this in mind, TEAMARES developed DeimosC2, a cross-platform and collaborative tool designed with a robust functionality that can be extended in any language. Teams can conduct post-exploitation on any major operating system, including Android devices, addressing the lack of defensive capabilities that are available on enterprise devices.
- A UI that offers ease of use and supports multiple users for collaboration.
- Multiple listener and agent communication methods such as TCP, HTTPS, DNS over HTTPS (DoH), and QUIC.
- Pivot capabilities over TCP.
- Extendable functionality that can be written in multiple languages.
- API over WebSockets allowing for scriptable functionality.
- Written in Golang for cross compatibility on all major operating systems.
- Archive and replay functionality post-testing so users can restore listeners, loot, and other critical information to the database.
“Red teams usually have to choose between expensive C2 tools in the market or training for their teams on the current tools,” said Quentin Rhoads-Herrera, Director of Professional Services for TEAMARES and co-author of DeimosC2.
“Deimos is an open source, community-contributed tool that is designed for ease of use and cross OS compatibility without a large spend of budget or time.”
The McAfee report uncovers a correlation between the increased use of cloud services and collaboration tools, such as Cisco WebEx, Zoom, Microsoft Teams and Slack during the COVID-19 pandemic, along with an increase in cyber attacks targeting the cloud.
There are significant and potentially long-lasting trends that include an increase in the use of cloud services, access from unmanaged devices and the rise of cloud-native threats. These trends emphasize the need for new security delivery models in the distributed work-from-home environment of today – and likely the future.
In the time surveyed, overall enterprise adoption of cloud services spiked by 50 percent, including industries such as manufacturing and financial services that typically rely on legacy on-premises applications, networking and security more than others.
Use of cloud collaboration tools increased by up to 600 percent, with the education sector seeing the most growth as more students are required to adopt distance learning practices.
Surging external attacks on cloud accounts
Threat events from external actors increased by 630 percent over the same period. Most of these external attacks targeted collaboration services like Microsoft 365, and were large-scale attempts to access cloud accounts with stolen credentials.
Insider threats remained the same, indicating that working from home has not negatively influenced employee loyalty. Access to the cloud by unmanaged, personal devices doubled, adding another layer of risk for security professionals working to keep their data secure in the cloud.
“While we are seeing a tremendous amount of courage and global goodwill to overcome the pandemic, we also are unfortunately seeing an increase in bad actors looking to exploit the sudden uptick in cloud adoption created by an increase in working from home,” said Rajiv Gupta, Senior VP, Cloud Security, McAfee.
“The risk of threat actors targeting the cloud far outweighs the risk brought on by changes in employee behavior. Mitigating this risk requires cloud-native security solutions that can detect and prevent external attacks and data loss from the cloud and from the use of unmanaged devices.
“Cloud-native security has to be deployed and managed remotely and can’t add any friction to employees whose work from home is essential to the health of their organization.”
How to maintain strong security posture
With cloud-native threats increasing in step with cloud adoption, all industries need to evaluate their security posture to protect against account takeover and data exfiltration. Companies need to safeguard against threat actors attempting to exploit weaknesses in their cloud deployments.
Tips to maintain strong security posture include:
- Think cloud-first: A cloud-centric security mindset can support the increase in cloud use and combat cloud-native threats. Enterprises need to shift their focus to data in the cloud and to cloud-native security services so they can maintain full visibility and control with a remote, distributed workforce.
- Consider your network: Remote work reduces the ability for hub and spoke networking to work effectively with scale. Network controls should be cloud-delivered and should connect remote users directly to the cloud services they need.
- Consolidate and reduce complexity: Cloud-delivered network security and cloud-native data security should smoothly interoperate and ideally be consolidated, to reduce complexity and total cost of ownership and to increase security effectiveness and responsiveness.
“Should recipients fall victim to this attack, their login credentials to their LogMeIn account would be compromised. Additionally, since LogMeIn has SSO with Lastpass as LogMeIn is the parent company, it is possible the attacker may be attempting to obtain access to this user’s password manager,” Abnormal Security noted.
The fake LogMeIn security update request
The phishing email has been made to look like it’s coming from LogMeIn. Not only does the company logo feature prominently in the email body, but the sender’s identity has been spoofed and the phishing link looks, at first glance, like it might be legitimate:
“The link attack vector was hidden using an anchor text impersonation to make it appear to actually be directing to the LogMeIn domain,” Abnormal Security explained.
“Other collaboration platforms have been under scrutiny for their security as many have become dependent on them to continue their work given the current pandemic. Because of this, frequent updates have become common as many platforms are attempting to remedy the situation. A recipient may be more inclined to update because they have a strong desire to secure their communications.”
Advice for users
This LogMeIn-themed phishing campaign is a small one, but users should know that the company has seen an “incredible uptick” in collaboration software impersonations in the past month.
Be careful when perusing unsolicited email, even if it looks like it’s coming from a legitimate source. If you have to enter login credentials into a web page, make sure you landed on that page by entering the correct URL yourself or by opening a bookmark – and not by following a link in an email.
In this particular case, you can be sure that if LogMeIn asks you to update something, the request/reminder will be shown once you access your account, so you’re not losing anything by ignoring the email and the link in it.
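The "anchor text impersonation" described above, where a link's visible text names one domain while its href points to another, is something a mail filter or a curious user can check mechanically. The following is an added example, not code from Abnormal Security or from the campaign described: it parses a constructed HTML email body with the standard library, extracts every anchor, and flags those whose visible text looks like a URL whose domain differs from the href's host. The sample message, the hostnames in it and the two-label approximation of a registrable domain are all assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample email body (not taken from the real campaign).
# The first anchor shows a logmein.com URL as its text but links elsewhere.
SAMPLE_HTML = """
<html><body>
<p>A security update is required for your account.</p>
<p><a href="https://update-portal.example.net/login">https://www.logmein.com/security-update</a></p>
<p><a href="https://www.logmein.com/support">Help center</a></p>
</body></html>
"""

# Matches visible anchor text that looks like a URL or bare domain.
URL_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def _registrable(host):
    # Crude approximation of the registrable domain: the last two labels.
    # A real filter would use the Public Suffix List instead.
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_anchor_text_impersonation(html):
    """Return anchors whose visible text names a domain other than the href's host."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        match = URL_LIKE.match(text)
        if not match:
            continue  # plain-language link text: nothing to compare against
        shown = _registrable(match.group(1))
        actual = _registrable(urlparse(href).hostname or "")
        if shown != actual:
            findings.append({"text": text, "href": href,
                             "shown_domain": shown, "actual_domain": actual})
    return findings


if __name__ == "__main__":
    for f in find_anchor_text_impersonation(SAMPLE_HTML):
        print(f"suspicious link: text claims {f['shown_domain']}, href goes to {f['actual_domain']}")
```

Links with plain wording ("Help center") are deliberately skipped: a mismatch there is normal, and the technique the page describes relies on text that itself reads like the impersonated domain.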
Zoom is in crisis mode, facing grave and very public concerns regarding the trust in management’s commitment for secure products, the respect for user privacy, the honesty of its marketing, and the design decisions that preserve a positive user experience. Managing the crisis will be a major factor in determining Zoom’s future.
The company has recently skyrocketed to new heights and plummeted to new lows. It is one of the few communications applications that is perfectly suited to a world beset by quarantine actions, yet has fallen from grace because of poor security, privacy, and transparency issues. Governments, major companies, and throngs of users have either publicly criticized or completely abandoned the product.
No company wants to be in this position: faced with dealing with mistakes publicly at a time when they are experiencing unimaginable growth. Zoom is sputtering to stay relevant, fend off competition, and emerge intact.
Knowing how to respond and manage product security incidents is becoming more important for digital companies. Zoom is an excellent test-case to explore the lessons in crisis management. These lessons are valuable to every product and service organization which could face a loss of customer confidence. It would be wise for business leadership in every industry to take an introspective look and understand how they can effectively respond during such a crisis. Preparation provides an advantage and gives insights that may help avoid catastrophe.
Cybersecurity is a discipline in managing the risks to security, privacy, and safety. It does not eliminate them, but rather seeks to find an optimal balance between the risks, costs, and usability. That means there will always be a chance for undesired impacts. If managed properly from the onset, the minimization of those residual risks can also be handled in ways that reduce the negative effects.
Crisis response is a specialty that benefits from forethought, experience, leadership, and skills.
I have led crisis response teams over the years and been fortunate to be part of strong teams that handled events with speed, efficiency, and professionalism. I have also witnessed complete train-wrecks where the wrong people were attempting to lead, focus was misplaced, valuable time and resources were squandered, legal instruments were applied to hide the truth, communication was confusing, and feeble attempts leveraging marketing to “spin messages” were preferred over actually addressing issues head-on. Poor leadership is caustic and can result in more problems and a prolonged recovery.
Crisis response is a complex dance. It requires a clearly defined objective to pursue and an understanding of the opposition, obstacles, and resources. Executive support is required, but not necessarily welcome in all decisions. Time is a crucial resource as is the morale and commitment of employees. It is normally a thankless job, as the best-case scenario is the situation is resolved and quickly fades from memory.
But enough with the platitudes. Let’s dive into some specifics with an interesting use-case which is currently unfolding.
Zoom crisis: The test-case
Zoom has a number of technical, behavioral, and process issues to address, in order to dig themselves out of the hole in which they currently find themselves. The goal of their response should be to restore the confidence in the Zoom products and its organization. To do this, the company must evolve to better proactively manage the risks of product vulnerabilities, avoid design decisions that weaken privacy and allow for abuse, and foster trust by being accurate and transparent with users, regulators, and stockholders. Every crisis that is comprehensively managed is painful, as it requires accountability, commitment, and disruptive change.
Let’s go down the list of challenges and best-practices.
First and foremost, it takes executive management support for an organization to rally together to address a significant crisis. Time, resources, and even goodwill must be applied from across the company. There are opportunities that must be sacrificed and trade-offs made. Fortunately, Zoom’s CEO has aggressively come forward to recognize the issues, personally took responsibility, and committed to restore trust.
Although falling on one’s sword is not necessary for a CEO, it does eliminate much of the wasted time normally allotted to the blame-game, finding a scapegoat, or being lured by the attractiveness of trying to use marketing tricks to spin or change the narrative. Quickly and openly taking responsibility for shortcomings is a shortcut to align focus toward resolution and shows seriousness in ensuring processes will be in place to protect from future issues.
A strong and capable leader is required to oversee a crisis. It is a specific discipline and not one recommended to be led by the inexperienced. Assigning the wrong person to lead a crisis is the single greatest mistake I have seen in the past.
Marketing and legal people should be part of the team but never lead the crisis response. They look at crisis events through the lens of what they know and the capabilities they can bring into play. They immediately move to conceal, deny, ignore, find blame elsewhere, or focus on spinning the media messages rather than addressing the root problems. This can work to distract for a time and delay some pain, but is not the best path to an expedited, comprehensive, and sustainable solution. In fact, their actions can cause considerable deterioration of the already weakened trust by consumers.
CEOs should initiate, support, define the goals, approve major changes, deliver sweeping announcements, and identify a crisis leader, but not take charge. Again, a specific set of skills is required. Can a CEO get the job done? Potentially, but as most executives are not savvy in this area it would be a major struggle; they need to leave it to professionals. A good crisis leader will work closely with the C-suite every step of the way and make sure the right path is illuminated and understood so management can confidently support progress forward.
Although it may seem counterintuitive, engineering should not lead either. Engineers are an integral part of the resolution for design and coding issues, but they should not be leading. They know the technical aspect of the product or service and will be the mighty tool to fix many of the vulnerabilities. However, what Zoom and most other companies face in situations like this includes a combination of technical, behavioral, and process issues. Looking solely through the goggles of an engineer, one only sees part of the problem set and mistakes it for the entire picture.
An experienced crisis manager that understands risks will develop more comprehensive plans that align with the long-term capabilities to prevent recurrence and support the short-term acts necessary to restore trust. They will engage engineers and developers with a prioritized list for them to resolve the technical issues in concert with other efforts necessary to achieve the overall objectives.
Identifying and addressing the root cause is crucial. Analysis will provide insights into what problems have arisen and also highlight what may be next. If the origins are unknown then the chances for another crisis remain high. Proper crisis response is not just about putting out the immediate fire, but also making sure that when things are rebuilt, they aren’t vulnerable to the same issues.
For Zoom the likely root cause was an over-prioritization of rapid go-to-market efforts, which fueled a de-prioritization of product security and overzealous marketing that didn’t put enough weight on being clear and truthful about privacy and security. This means there are probably many other vulnerabilities lurking in the product, some sensitive customer data may have been gathered at some point, inaccurate marketing materials may be floating about, and the developers are likely not savvy about security and privacy as part of the Development and Operations (DevOps) lifecycle. The good news is that all of these issues can be addressed and, if done correctly, will result in the organization and products becoming stronger and more competitive.
Stop the bleeding. Aligning resources and resolving the most relevant immediate issues of the customers is the top priority. The first step is to freeze all work on new features and reallocate those technical folks to understand and address the known vulnerabilities. This requires time and engineering resources across development, testing, and validation domains. As part of this effort, the underlying configuration issues causing severe user-experience friction (e.g., Zoombombing, session hijacking) or regulatory non-compliance (e.g., privacy) must also be resolved.
In parallel, work must be initiated to address what is not publicly known, which may likely erupt and significantly add to the chaos. What other related issues exist that may have been ignored? With a root cause being people choosing to not invest in security, there are likely advocates in the organization who have been trying to raise issues. It is time for their vindication. These insights, reports, and champions can give great insights to other areas requiring immediate attention.
Setting clear and realistic expectations with customers is very important, as these steps can take some time to complete and may need to be done in stages. This is not the time for marketing spin. Honesty and transparency, mixed with a touch of humility, and presented in a professional manner will lay a foundation for trust. Select executives must be prepared to engage with the customers, resellers, suppliers, vendors, etc. in an open, consistent, and well-informed way. It is okay to not have all the answers and instead communicate how the organization will get there.
For Zoom I would recommend the following:
- Scan the corporate, vendor, and partner environments for customer data that falls outside of the policy and move to delete. If required by law, notify users.
- Proactively engage privacy regulators and customers to outline what steps are being taken to respect their privacy, both in the short and long term, and the processes that will be instituted to provide transparent oversight for their benefit.
- Conduct a vulnerability scan of code, dependencies, and libraries. Professional tools and services should be used. Do not rely upon the knowledge base of the developers. Resolve or mitigate the detected issues and be prepared to provide the audit and supporting proof.
- As part of a security assessment, form an internal blue team to identify technical, configuration, and usage issues that could undermine security, privacy, and trust. This should be a cross-discipline team, not just engineers. Pull from marketing, management, sales, etc. to get the widest possible perspectives. This activity can happen quickly and provide important user-facing issues.
- For a deep-dive assessment, a professional external red team is required. Hire a reputable team and make it a priority for in-house product engineering to help the red team begin their work. This takes time but will find a much more in-depth set of vulnerabilities. No product team initially likes this process, but they will come to respect it and become better engineers because of it.
- Adopt an industry-proven end-to-end encryption technology. For Zoom this is foundational to the restoration of trust and continued patronage by security-conscious customers. Encryption is not easy. Seldom does a product organization get it right, and even getting part of it wrong undermines the whole structure. Do NOT attempt to build or configure this internally. Trust factors are at play here. There are solutions in the industry that are vetted and solid for comprehensive and sustainable data security across untrusted networks and devices. Implement one and be prepared to announce what is being adopted. Good encryption does not require algorithm or configuration secrecy. There will be questions, many of which will need to go to that vendor, so choose wisely.
- Ensure all code changes go through rigorous tests and validation before being rushed into a patch. A poor update can cause major outages, unanticipated issues, and be the cause of even more problems. Now is not the time to take shortcuts. Move as quickly as possible, but adhere to quality control standards.
Marketing will have the challenge of expressing the proactive changes without overselling the credibility. The Advisor role, DPO, and CISO must be competent, experienced, and willing to work with marketing to engage industry experts and the media in pragmatic ways but not contribute to unnecessary news cycles that prolong negative sentiment.
Zoom should adopt all the leadership recommendations, as they overlap and support each other. Understanding and accountability must originate from the top and be established for data privacy, infrastructure security, and the processes incorporated into product development.
In addition to a Security DevOps champion, products require intense and varied testing to detect vulnerabilities. Some of this can and should be done internally for known vulnerabilities, but a professional community is required for a deeper scan to detect unpublished weaknesses. The use of bug bounties, penetration testing, and red teams is an industry best practice. Vulnerability management is a continuous process that begins in development but must persist well after product release and throughout the lifecycle as new vulnerabilities are discovered. Such a program must be put in place to embed this new way of thinking and operating.
Product vulnerability lifecycle
Recommendations for Zoom to better manage their product vulnerability lifecycle:
- Work with an established bug bounty vendor to set up a continuous program, offering in aggregate ~$1 million in bounties. This economic incentive will draw a global community of security researchers and ethical hackers to thoroughly scrutinize your product in ways you cannot. They will provide you with the data before malicious hackers can take advantage. It is an incredibly powerful decentralized resource.
- Incorporate a code vulnerability scanner into the DevOps processes. Commercial tools and services are available that scan code or match to third-party libraries and dependencies to vulnerabilities. This becomes a learning tool for your developers as much as it is a security assurance control. DevOps will get better at security over time, thus being less of a productivity sink while accelerating release times for secure products and features.
- Red teams and penetration testing services are expensive, but return a methodical set of results that provide very strong assurance. Incorporate such capabilities for major releases and to prove that critical security holes are actually patched.
- Blue teams are less expensive but still provide value that other controls may overlook. They will find many of the misconfiguration, misuse, and oddball feature settings which can cause user stress by undermining security and privacy. Incorporate a lightweight blue team review for every update that touches the user interface (UI) or any administration function.
- Establish a process for researchers to confidentially engage the product security team to disclose new vulnerabilities. Respect, recognize, and reward those who do.
- Make sure that, by design, the product can be effectively patched. It seems basic, but the details can be tricky. There should also be a way of verifying the patch was successfully installed. Metrics for compliance are important, especially during crisis events, as it will be one of the determining factors for when the crisis can be closed.
Incorporating these process enhancements will effectively establish an aggressive and proactive capability to find new vulnerabilities and maintain product security. Over time the organization’s capability to produce and sustain secure products will continuously improve. It can be a significant competitive advantage on several fronts.
Privacy and the protection of data are also important. It is a responsibility shared among data owners, the DPO, and the CISO. Process improvement and accountability are expected when crisis situations highlight a lack of confidence in the current system and controls. When trust has been undermined, an independent third party must conduct regular audits. These audits confirm compliance with the policies. They are valuable as a tool to strengthen customer confidence and for discussions with regulators. Zoom should establish a SAS 70 Type 2 type of recurring audit for data acquisition, security, and sharing. For the greatest level of trust, craft the audits so the results can be made public every year.
Establishing a DPO, updating data policies, instituting proper governance and oversight, and acting with transparency with regards to the checks and balances will set the organization on an admirable path that will build credibility as an asset. Privacy and data security continue to grow as important aspects of business. Zoom has an opportunity to showcase respect and responsibility if they maneuver correctly to embrace industry best practices.
I have covered some of the fundamentals for product security crisis response and done a walkthrough of what I would do, beginning Day 1 of leading a crisis response for a Zoom-type incident.
This is just a taste and not a comprehensive compendium. Cybersecurity crisis management is very complex and difficult. Being in the jaws of hourly crisis meetings and making tough decisions about ambiguous situations is grueling work that I don’t wish upon anyone. But if done correctly it can move rapidly and deliver results that benefit users and strengthen the organization.
Responding well to a crisis can highlight the professional, ethical, and adaptive qualities of an organization’s leadership. Optimally, it will enhance customers’ trust in management’s commitment for secure products, respect for user privacy, honesty of its marketing, and designs that preserve a positive user experience. If done poorly, it becomes a protracted blight on an organization, its products, and leadership. Often careers and businesses don’t survive for long.
Zoom has numerous challenges to face. It has already done many things right (you can read the details in their blog and watch a video of CEO Eric Yuan openly discussing the issues and efforts), but it has a long way to go before it restores trust and makes its products secure. Every organization should take a moment to understand what Zoom is going through as a learning opportunity and introspectively explore how they want to avoid or address the risks. Confidence in products and an organization is at stake.
Though some claim that this forced “work from home” situation has shown that many of the discussions that previously required office meetings can actually be expedited simply by exchanging a few emails, there’s no doubt that, for some tasks, face-to-face meetings – even if over the internet – are a must.
Which video conferencing solution should teams (organizations) use, and which consumers?
Zoom Video Communications, the creators of the Zoom remote conferencing service, have benefited the most from this sudden surge of demand for video conferencing solutions. The number of Zoom users has exploded and the name became a synonym of face-to-face online chatting seemingly overnight.
Though the sudden popularity shone a harsh light on the solution’s many privacy and security issues, the company recently pledged to do better and outlined their plan. The most recent developments of that plan include the official formation of a CISO Council and Advisory Board and welcoming former Facebook CSO Alex Stamos as an outside advisor.
Nevertheless, the jury is still out on whether or not the service is secure enough for enterprise use (i.e., use where confidentiality is paramount). In fact, many say it’s not, particularly after Citizen Lab researchers revealed that “Zoom uses non-industry-standard encryption for securing meetings, and that there are discrepancies between security claims in Zoom documentation and how the platform actually works.”
For all of those reasons, Google has banned Zoom from corporate computers, though employees can continue to use it through a web browser or via mobile.
The feature was introduced late last year, but is now being touted as the perfect videoconferencing solution for consumers, who don’t have to have a Skype account or download an application to use it. They can simply create a link and send it to friends and family as an invitation to participate in the video call. The participants open the link in Microsoft Edge or Google Chrome, and they are “in” the call.
Microsoft Teams, the company’s unified communication and collaboration platform aimed at enterprise users, offers video conferencing inside the client software.
“Google Meet’s security controls are turned on by default, so that in most cases, organizations and users won’t have to do a thing to ensure the right protections are in place,” the company noted.
The solution employs anti-hijacking measures for both web meetings and dial-ins and makes it difficult to brute force meeting IDs (a problem Zoom has).
“We limit the ability of external participants to join a meeting more than 15 minutes in advance, reducing the window in which a brute force attack can even be attempted. External participants cannot join meetings unless they’re on the calendar invite or have been invited by in-domain participants. Otherwise, they must request to join the meeting, and their request must be accepted by a member of the host organization,” the company added.
Several new features make it impossible for participants to remove or mute meeting creators or allow external (not officially invited) participants to join via video.
Additional security advantages of using Google Meet include:
- It works with Google accounts (which can be secured with 2FA)
- All data is encrypted in transit by default. “For every person and for every meeting, Meet generates a unique encryption key, which only lives as long as the meeting, is never stored to disk, and is transmitted in an encrypted and secured RPC (remote procedure call) during the meeting setup,” Google says.
- A secure-by-design infrastructure
- Compliance controls, and more
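The anti-hijacking controls quoted above (no external joins more than 15 minutes before the start, admission only for invited or in-domain participants, and a host-organization member approving everyone else) amount to a small admission policy. The following is an added example, not Google's code and not a description of how Meet is implemented; it models that policy as a state machine over a constructed meeting so the interaction of the three rules can be exercised. The domain names, times and the `Meeting` helper class are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# External participants cannot join earlier than this before the scheduled start,
# which bounds the time an attacker has to guess a meeting identifier.
EARLY_JOIN_WINDOW = timedelta(minutes=15)


class Meeting:
    """Constructed model of a scheduled meeting and its admission state."""

    def __init__(self, host_domain, start, invited):
        self.host_domain = host_domain.lower()
        self.start = start                                  # timezone-aware datetime
        self.invited = {e.lower() for e in invited}         # from the calendar invite
        self.invited_in_meeting = set()                     # added by in-domain participants
        self.pending = set()                                # join requests awaiting approval


def _domain(email):
    return email.lower().rsplit("@", 1)[-1]


def admission_decision(meeting, email, now):
    """Return 'admit', 'deny' or 'knock' for a join attempt by `email` at `now`."""
    email = email.lower()
    if _domain(email) == meeting.host_domain:
        return "admit"                                      # members of the host org
    if now < meeting.start - EARLY_JOIN_WINDOW:
        return "deny"                                       # outside the early-join window
    if email in meeting.invited or email in meeting.invited_in_meeting:
        return "admit"                                      # explicitly invited guest
    meeting.pending.add(email)
    return "knock"                                          # must be approved by the host org


def approve_request(meeting, email, approver_email):
    """Only a member of the host organization may approve a pending request."""
    if _domain(approver_email) != meeting.host_domain:
        return False
    email = email.lower()
    if email not in meeting.pending:
        return False
    meeting.pending.discard(email)
    meeting.invited_in_meeting.add(email)
    return True


def run_scenario():
    """Constructed walkthrough; returns the sequence of decisions for inspection."""
    start = datetime(2020, 4, 20, 10, 0, tzinfo=timezone.utc)
    m = Meeting("example.org", start, ["guest@example.com"])
    decisions = [
        admission_decision(m, "guest@example.com", start - timedelta(minutes=30)),    # too early
        admission_decision(m, "guest@example.com", start - timedelta(minutes=10)),    # invited guest
        admission_decision(m, "stranger@example.net", start - timedelta(minutes=10)), # uninvited
        approve_request(m, "stranger@example.net", "other@example.net"),             # outsider can't approve
        approve_request(m, "stranger@example.net", "host@example.org"),              # host org approves
        admission_decision(m, "stranger@example.net", start),                        # now admitted
        admission_decision(m, "staff@example.org", start - timedelta(hours=2)),      # in-domain, any time
    ]
    return decisions


if __name__ == "__main__":
    for d in run_scenario():
        print(d)
```

The early-join check runs before the invite check on purpose: an invited guest is still held until the window opens, so the bound on guessing attempts does not depend on who is on the invite list.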
There are other options
The solutions outlined here are not the only options for one-on-one video conferencing or video conferencing for teams, just those most widely used at the moment. There’s also GoToMeeting, Adobe Connect, Jitsi Meet (an open source solution), Samepage, TeamViewer, join.me, and many others.
We are, by no means, advising for the use of one solution instead of another. It’s on users and enterprises to evaluate which solution is right for them based on their requirements and risk model/appetite.