At the peak of the pandemic, companies were obliged to focus their efforts on ensuring business continuity even if this meant taking a few liberties with cybersecurity. So, how do you remain agile in a storm without jeopardising digital security? How do you avoid the risks of malicious cyber activity for organisations? And above all, how do you predict what comes next? Here we provide some clues to the puzzle.
The pandemic’s repercussions in cyberspace
The pandemic saw millions of staff working from home, with an explosion in requests for remote access and access via VPN. “With the crisis, everyone found themselves working from home virtually overnight with infrastructure which was simply not up to the task in terms of performance”, explains Stormshield’s Customer Service Director Alain Dupont. For his part, Stormshield’s Technical Support Manager Farid Ichalalène estimated that “We experienced activity levels 30% higher over the last 15 days of March, particularly concerning requests from network and systems administrators who had to set up remote access connections virtually overnight”.
But faced with the urgency of the situation, IT managers have also had to accept compromises where security is concerned, even if this meant downgrading it. They have had to grant more access and set up remote desktops, without being able to apply all of the usual IT security procedures and with no preliminary risk analysis being performed. This reduced vigilance and digital uncertainty can only be beneficial to cyber criminals hoping to penetrate networks and steal sensitive data.
Among the organisations most concerned are those which had never or rarely used remote working and who therefore were not fully familiar with the organisational procedures needed to protect IT systems in such a situation. Governments, ministries, town halls, associations, health organisations, local authorities and other sensitive public operators saw their IT systems sorely tested during this pandemic. And their digital fragility laid bare for the whole world to see. There are numerous international examples, and here we will simply mention one from Germany, where the federal state of North Rhine Westphalia suffered a phishing attack with losses running into the tens of millions of euros, and one from the United States, where hackers actively targeted organisations involved in research to combat COVID-19, as confirmed by the FBI and the CISA. In France, it appears to be small and medium-size businesses which have been most affected – generally by ransomware. Everywhere we look, the COVID-19 epidemic has revealed the weaknesses of the IT and operational networks of companies and local authorities, of their dedicated applications and of the devices used by their employees.
We actually had an anti-pandemic plan which had sat in the draw for several years, but nothing could have prepared us for this
“Currently, thanks to the procedures forming part of the Business Recovery plan / Business Continuity Plan, we are able to maintain the availability of the IT systems in the event of natural disasters or of a fire in a datacentre for example. And we actually had an anti-pandemic plan which had sat in the draw for several years, but nothing could have prepared us for this”, explained the CISO of a major industrial group.
The urgent need for good diagnostics
Although we seem to slowly be getting back to a situation resembling normality, this would appear to be the right time to carry out a thorough “digital autopsy”. During the pandemic, we advised everyone to carefully trace all special accesses which had been established in order to review them. It’s now time to take stock, taking all the time required for this. After the acceptance phase, it would appear logical to move on to the inspection and verification phase. CISOs should now perform a forensic examination in several stages, with the detection and removal of pockets of infection and the implementation of remedial measures. In the case of structural defects with the architecture, a redesign of the IT infrastructure will be required (in addition to the OT infrastructure, its counterpart in the operational world). We’re talking about another scale of investment here. The ultimate goal is to durably regain control of the data and access systems. Because although computer hackers have taken advantage of the general haste arising from the coronavirus crisis, they do not appear to have created new forms of cyber threats. They have simply adapted their attacks to the prevailing conditions.
In Farid Ichalalène’s view, there are a number of common-sense responses, such as for example “only allowing necessary access according to the departments concerned”. For example, the R&D and accounts departments don’t have the same requirements. Getting back to basics with perhaps more simplicity. Should we restrict what users can do, for their own good? The question is open for discussion… “I feel that it’s essential to simplify infrastructure, which has become too complex due to the sheer quantity of technologies and solutions proposed. We’re also increasingly seeing that not all infrastructure has the necessary human expertise required for its satisfactory operation. The use of excess security layers is a problem in this respect: we need to get back to a simpler situation to be able to manage things more effectively. Even if this only means setting up a security control station to detect incidents as quickly as possible and to prevent cyber criminals from gaining long-term access”, adds the industrial CISO.
Adopting good digital health measures
The widespread use of teleworking has made the IT manager’s mission more complex: this new situation must take account of the companies’ security policies and IT departments must continue their systems adaptation strategies in line with this. Firstly, the COVID-19 pandemic should not be seen as a “one-off” event: the IT structures must be ready if a new critical period comes around, backed by the right responses and dedicated tools when the time comes. It’s now important to be able to quickly respond to remote access requests under satisfactorily reliable and secure conditions. This period of mass teleworking looks set to continue until the end of the year and become commonplace in future. It brings with it a requirement to support staff with the new requirements and practices associated with working off-site – with videoconferencing systems and the issue of their security being just one example among others.
CISOs must expect new challenges every day and prepare for the future. According to the CISO of the major industrial group, the most complex part lies in the fact that: “Sometimes with no other choice, CISOs find themselves in the position of having to approve infringements of the security or IT systems policies that they themselves have put in place over the years to guarantee minimum security. When employees are able to return to their place of work, it will be necessary to reduce their scope for action and restrict open access to the exterior through necessity. Going back to the way things were will probably be complicated as many people will now consider these special measures as being the rule. With so much lost ground to be caught up, each new access authorisation request must be based on preliminary studies. Question: with what budget? Although some suppliers have offered their services free of charge during the crisis, let’s not forget that during all this urgency and haste, a number of VPN accesses have been purchased without having had the time to negotiate the prices with the different suppliers”.
All added complications, further adding to the ever-present stress under which CISOs have laboured for several years now.
Reviewing your IT budget to stay in good health
For several years now, managers have become increasingly aware of cyber risks, often highlighted during digital transformation projects. And even more so with the health crisis. But at the moment, the economic impact of the pandemic where the IT and cyber security fields are concerned is limited to simple hypotheses.
Astonishingly, 40% of IT decision-makers in Germany, the United States, France and Great Britain state that they would like to reduce their cybersecurity budget to limit the financial impact of the COVID-19 crisis. The CESIN’s members, all of whom are drawn from major French companies and public authorities, have put forward similar figures with almost a third of respondents mentioning a reduction in the cyber budget. But the majority view is more optimistic: almost 48% of respondents stated that the cybersecurity budget should not affected by the crisis. And according to the same study, almost 20% envisage increasing their cybersecurity budget.
It’s one thing to work from home but it’s another thing to guarantee the same security levels as when you’re in the companyAlain Dupont, Stormshield Customer Service Director
“The risk of a new lockdown is real and with it the need to work from home. Decision-makers are now taking account of this in their IT projects and IT security projects”, explains Farid Ichalalène. “Although certain investments may be reviewed to save money, for their part the cyber budgets will be maintained for the simple reason that it’s one thing to work from home but it’s another thing to guarantee the same security levels as when you’re in the company”, adds Alain Dupont. Part of any revised budget must go to providing better training and awareness building for employees. Franck Nielacny, Stormshield’s IT Director, explains that: “Naturally, our staff are very familiar with digital resources, which helps things. This is why we must also place our trust in the teams. They are able to adapt and display good resilience”.
And very often, it’s during such difficult times that people reveal the best of themselves: Franck Nielacny mentions the excellent solidarity present in his own team, with the goal of “working together as a team and displaying a high degree of responsiveness and a sense of service in dealings with our internal clients”. Whatever people may say, company life goes on…