The COVID-19 pandemic—and accompanying economic recession—have taken their toll on business units throughout the enterprise. IT and information security departments have been faced with budget freezes and cuts, forcing them to do more—much more—with tools that aren’t necessarily the best fit for the new challenges they’re facing.
After years of accelerating, IT spending decreased nearly 10% in 2020. While analysts initially expected IT security spending to taper off or remain steady in FY2021, more recent predictions say it is likely to grow rapidly to accommodate security departments that need more funding than ever. Gartner analysts said the strong growth rate reflects continuing demand for remote worker technologies and cloud security. Most organizations have now fully embraced remote work, with recent data indicating that remote workers will represent 32% of all employees worldwide by the end of 2021, even after the pandemic has ended. This is up from 17% of employees in 2019.
Widespread remote work presents a tremendous challenge for IT security, especially if IT security budgets are reduced. Key pain points include:
- Antiquated and vulnerable VPN systems straining under increased workloads
- An ongoing deluge of new pandemic-themed phishing attempts
- Intensified attempts to find and attack vulnerabilities in remote work platforms
- A strong resurgence in ransomware attacks
Even if information security professionals overcome these obstacles, the resources invested may come at the expense of other pressing issues. Effectively, overtaxed IT security teams may end up having to deemphasize other vital activities that keep the organization safe. How can CISOs keep their priorities intact while pivoting to face new threats?
Pivoting to Remote Work Means Diverting Resources from Other Priorities
What was your security department working on before COVID-19? Now that conditions have stabilized, will you be able to work on those projects again?
If your answer is no, you’re in good company. Many organizations had to defer upgrades to new security tools, postpone security tests and vulnerability scans, and even freeze hiring for new security professionals. It’s still unclear whether or when these activities will be resumed as planned.
Here are a few of the alternate projects in which infosec professionals have had to invest over the past fifteen months instead:
Emergency VPN Upgrades
You probably had a VPN in place to support remote workers already, but it wasn’t necessarily designed to support your entire organization working remotely at the same time. Many companies have needed to roll out one or more additional VPN licenses. Meanwhile, attackers are busy trying to exploit vulnerabilities in VPNs, requiring the organization to allocate time and budget toward hardening those systems.
Collaboration Tool Patches
We all remember the early security problems with Zoom, but other collaboration tools weren’t immune to difficulties. Any company that suddenly saw an increased use of collaboration and messaging tools (read: most of them) also needed to vet these tools for security to ensure that sensitive data would not be exposed. Meanwhile, industry-specific regulations in fields such as healthcare and fintech made this task even more difficult.
Phishing scammers aren’t just thinking of new COVID-related tactics to get employees to click on links—they’re also thinking of new ways to get around email filters. One new technique involves creating an email where suspicious-looking text is entered backwards in the HTML code and then using CSS to ensure the text is rendered correctly by the email client. The email filter only scans the backwards text, and since it doesn’t recognize any flagged terms, the email goes through to the user. Administrators have had to spend a lot of time updating their email filters in order to avoid this and other ingeniously injurious techniques.
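The filter gap described above can be closed by scanning the text as the mail client displays it rather than as it sits in the HTML source. The following is an added example, not code from the original article or from any product; it assumes the reversal relies on the CSS properties `direction: rtl` and `unicode-bidi: bidi-override`, and the flagged-term list and sample message are constructed.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "img", "hr", "meta", "input", "link", "wbr"}
RTL = re.compile(r"direction\s*:\s*rtl", re.I)
OVERRIDE = re.compile(r"unicode-bidi\s*:\s*bidi-override", re.I)
FLAGGED = ("verify your password", "account suspended")  # constructed term list

class VisualTextExtractor(HTMLParser):
    """Rebuilds message text in the order the mail client displays it."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []           # one bool per open element: is its text flipped?
        self.parts = []
        self.reversed_spans = 0   # elements that carry the override themselves

    def handle_starttag(self, tag, attrs):
        if tag in VOID:           # void elements never get an end tag
            return
        style = dict(attrs).get("style") or ""
        own = bool(RTL.search(style) and OVERRIDE.search(style))
        self.reversed_spans += own
        # Approximation: inline children of an overridden element stay flipped.
        self.stack.append(own or (self.stack[-1] if self.stack else False))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        flipped = self.stack and self.stack[-1]
        self.parts.append(data[::-1] if flipped else data)

def scan(html):
    """Return displayed text plus flagged terms visible only after un-reversal."""
    parser = VisualTextExtractor()
    parser.feed(html)
    parser.close()
    raw = re.sub(r"<[^>]+>", " ", html).lower()              # what a naive filter sees
    visual = " ".join("".join(parser.parts).split()).lower()  # what the reader sees
    hidden = [t for t in FLAGGED if t in visual and t not in raw]
    return {"visual_text": visual, "reversed_spans": parser.reversed_spans,
            "hidden_terms": hidden}

# Constructed sample message body
SAMPLE = ('<p>Hello, please '
          '<span style="unicode-bidi:bidi-override; direction:rtl">drowssap ruoy yfirev</span>'
          ' today.</p>')
```

A non-empty `hidden_terms` list is a strong signal on its own, since legitimate mail has little reason to store a flagged phrase backwards and flip it with CSS.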
No one is saying that you shouldn’t have made the pivot to address these issues, of course. There’s nothing wrong with implementing a tactical fix when changing circumstances disrupt our strategic plans. Now that a certain amount of equilibrium has been restored, however, the fixes above should be recognized as what they are: temporary solutions.
It’s Time for a Strategic Realignment towards Zero Trust Security
To cope with the new normal of a post-pandemic reality—which may include static or reduced security budgets—companies need to realign their strategic priorities.
Let’s say that you made the time over the past year to implement the three tactics above: reinforcing your VPN, hardening your communications tools, and rewriting your email filters. Because of this, you’ve had to divert resources from several other important projects.
Meanwhile, attackers haven’t been standing idly by. They may have already begun performing reconnaissance on your network and located the vectors you’ve had to leave unaddressed, and are ready to strike as soon as they can locate an exploitable vulnerability. Unfortunately, no matter where you shift your resources, you’re still spread thin over an increasing number of attack surfaces.
Instead of playing whack-a-mole with attackers, your job now is to identify a strategic approach that will allow you to cover the entire enterprise adequately without overburdening your existing resources. One of the best ways to achieve this is with Zero Trust Security.
A Zero Trust Security approach treats all users and web traffic as potentially hostile. The response to this is to make the network hostile to hostile users. Users who have penetrated your network, legitimately or otherwise, should be unable to see any of your applications or security infrastructure unless they’ve been authenticated and granted explicit access. This approach makes it difficult if not outright impossible for an unknown or untrusted user to conduct reconnaissance, detect vulnerabilities, and ultimately exploit them.
Zero Trust Security makes sense in a perimeter-less world where most users do their work from outside a centralized environment. The collection of technological concepts underneath Zero Trust can help put an end to phishing attacks, drive-by downloads, credential theft, and other avenues that were commonly exploited even before the pandemic. What’s more, you can adopt the elements of Zero Trust without greatly straining your budget—helping you resist the worst of attacks even during the worst of times.
Written by Gerry Grealish, Chief Marketing Officer at Ericom Software