2020 was one of the most unpredictable years in the history of cybersecurity – and also one of the most vulnerable. We saw spikes in cyberattacks against remote workers, online classrooms, and workplaces as networks expanded due to a widespread shift to telework – something that nobody could have fully anticipated or prepared for. CISOs had to rapidly adjust their security strategies to these increased threats and new work realities, with little room for error.
There have been ups and downs, but no tough moment comes without a much-needed lesson learned. With that in mind, here is a recap of some of the most important cybersecurity lessons in 2020 that CISOs can (and should) learn from.
There were two main effects the pandemic had on work environments in 2020 that led to increased phishing and malware attacks. The first was the increase in employees working from home, often on personal devices with minimal security. The second was that human emotional vulnerability, which phishing attacks have long relied on, was amplified by stressors related to the pandemic and the shift in the work environment. The 2020 Remote Workforce Cybersecurity Report showed that nearly two-thirds of respondents saw an increase in breach attempts, with 34% of those surveyed having experienced a breach during the shift to telework.
Unsecured Home Networks: Within the confines of a corporate office, company IT infrastructure can be more easily safeguarded against threats. But more people working from home introduces personal computers, tablets, and phones, as well as various internet of things (IoT) devices on home networks into the larger corporate network. This creates a host of vulnerabilities bad actors can exploit that they did not previously have access to. Because of this, “[CISOs have] suddenly [found] themselves seated at the table and involved in decisions that have become more and more strategic,” explains Fortinet CISO, Alain Sanchez. “They are having to coordinate a culture of security throughout all departments of the company, including advising the CEO and the Board.”
Social Engineering: Phishing has long relied on social engineering tactics geared toward exploiting the weakest link in a network – humans. Appealing to intense emotions makes it much more likely that someone will click on a link that leads to a malware attack. In addition, cybercriminals are now making use of basic artificial intelligence (AI) and machine learning (ML) to refine their traditional “spray and pray” tactics. By measuring which types of attacks, which messages, and which links and attachments targets were more likely to click, cybercriminals have been able to modify and optimize phishing emails to ensure maximum impact.
A recent Global Threat Landscape Report from FortiGuard Labs illustrates many of the trends that have emerged or shifted so far this year. While the pandemic is identified as a driving factor, other new threats have emerged as well. Key takeaways for CISOs include:
Just as COVID-19 shows no sign of going away anytime soon, neither does working from home. In fact, Global Workplace Analytics predicts that telework will remain a trend even after the pandemic subsides due to the flexibility and convenience it provides. Because of this shift, Fortinet CISO Courtney Radke notes that CISOs must work to “understand [their] new traffic patterns, set new baselines, and build new alerting and reporting guidelines” to keep their workforce secure.
As such, lessons learned during the early days of the pandemic can inform solutions for secure telework moving forward. In addition to critical baseline solutions many teams implemented when remote work first became widespread in 2020, CISOs should plan for additional security solutions in their 2021 strategies. These include taking the following measures:
While implementing a robust security strategy may lay the foundation for safe remote work, it is important to note that the human factor has long been the weakest link when it comes to protecting against phishing and malware attacks. This is of particular concern now: Not only has the pandemic led to heightened fears and emotions that are easily preyed upon using these techniques, but with so many new people working from home, especially those also seeing a huge increase in messages from company leadership, it has become increasingly difficult for users to determine whether or not an email is legitimate.
“Phishing is the unfortunate gift that keeps on giving, and it has become even more sophisticated,” says Joe Robertson, one of Fortinet’s Field CISOs. One of the most important tools in combatting phishing is an educated workforce. By prioritizing cyber awareness training, creating partnerships between security teams and other departments, and establishing easy-to-follow best practices, CISOs can help their employees understand their impact on cybersecurity within the enterprise and provide them with the tools and training they need to protect themselves and the organization.
Information security awareness training can help CISOs ensure their employees become more cyber aware. Building a human firewall by sufficiently training remote workers creates a critical line of defense against attacks. “By prioritizing training and collaboration between departments and the security team, CISOs can lay the groundwork for a strong culture of security. Identifying suspicious behaviors, keeping devices up to date, and practicing safe cyber behavior should be built into the fabric of all job roles to ensure that the human firewall continues to stand firm,” says Fortinet Deputy CISO Renee Tarun.
The shift to remote work has created a more complex security landscape that will require significant focus and resources moving forward. According to Robertson, “One of the biggest tasks ahead for CISOs in the coming months and years is going to be to work closely with other parts of the organization to instill a real culture of security.” Adaptability, innovation, and open minds are key.