COVID-19 has transformed how business is conducted with the acceleration of cloud adoption and remote working. Organizations’ data is no longer kept within the perimeter of the office’s or data center’s boundary. The greatly expanded threat surface makes monitoring and detection of fraud much harder for users and custodians of data, a fact that has been taken advantage of by cybercriminals. At the onset of the pandemic in 2020, organizations including ENISA, Interpol and ISACA noted an increase in cybersecurity risks associated with the new normal and issued warnings highlighting the possible areas of attacks, including ransomware, malicious domains, insider threats, etc.
The way forward for governments, enterprises and individuals
With heightened cybersecurity risk induced by the pandemic, what should society be doing to prevent cyberattacks and minimize the harm? In this blog post, I will attempt to describe what governments, enterprises and individuals can do to further enhance their cybersecurity preparedness in the post-COVID era.
Governments
The rise of ransomware in healthcare, pipelines and the trend of large-scale data breaches is impacting governments’ role to protect lives and citizens’ property and well-being. To counteract the risks from cybersecurity attacks, several governments have laid out a series of measures to improve the security posture in both the public and private sectors. These measures include:
- Enactment of policies and guidelines on cybersecurity and privacy. Examples include:
- “Executive Order on Improving the Nation’s Cybersecurity” by the US in May 2021. This covers IT & OT, zero trust architecture, software supply chain security, and sharing of threat information
- Facilitating enterprises to adopt sound security. Examples include:
- “Technology Voucher Programme” by the Hong Kong SAR Government. This supports enterprises to enhance systems and cybersecurity measures, to strengthen the level of information security.
- “Cyber Security Incentives and Regulation Call for Evidence” by the UK government. The review looks at how the government can help organizations operate securely in the new digital environment.
- Information sharing:
- The US government is in the process of drafting a Cyber Incident Reporting Act that requires critical infrastructure owners and operators to report cybersecurity incidents to authorities.
Enterprises
Companies of any size need to be better prepared for cybersecurity. Based on the NIST Cybersecurity Framework, I have listed here seven areas where enterprises can focus. Achieving these will go a long way toward enhancing organizations’ security posture, while meeting various national and industry regulatory compliances, including the ever-growing number of cybersecurity and privacy acts.
- Identify: Allows organizations and their stakeholders to understand the “what” and “where” of their sensitive data and critical business processes so that appropriate measures can be applied to them.
- Protect with zero trust: “Trust no one and always verify” is fundamental to zero trust. The practice enables businesses to be conducted where humans/machines /APIs will be authenticated based on their identities, purpose, and context of the usage. Under the control of zero trust, essential data will be allowed to be extracted, transferred, stored, analyzed and manipulated so that meaningful outcomes will result from them.
- Protect with encryption and de-identification: The critical mitigating control against data breaches as once the data is encrypted or de-identified, the resulting data string will look like gibberish to an unauthorized person and is of no value even if this is inadvertently disclosed.
- Protect with digital sovereignty: The term incorporates data sovereignty, which means retaining control of their data and cryptographic management, thereby keeping data within customers’ jurisdiction and avoiding subpoena threats. Operation sovereignty, meaning restricting access, thereby avoids unauthorized access by privileged users, CSP admin or ransomware attack. Software sovereignty facilitates multicloud operation, thereby avoiding vendor lock-in.
- Detect with continuous monitoring and assessments: This allows organizations to maintain an ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions.
- Respond: Encompasses the steps to prepare, detect, identify, analyze, contain, eradicate, recover and learn from the incident.
- Recover with business continuity and resilience: Ensures there can be business as usual even with unforeseen events, crises or out-of-the-ordinary operating conditions.
Individuals
Cybersecurity is an essential component of all organizations operating in the new normal. In a recent study conducted by ISACA, 61 percent of respondents say cybersecurity teams are understaffed and 55 percent have unfilled cybersecurity positions. Half of those surveyed generally do not believe their applicants are well-qualified. It comes as little surprise that four of the market’s sought-after security-relation certifications (CISA, CISM, CISSP, CRISC) have found their place in the 10 Top-Paying IT Certifications for 2021, according to a recent study by Global Knowledge.
To bridge the skill gap, educational bodies such as ISACA have started various programs to upskill the workforce. In addition to the security-related certifications mentioned above, ISACA joined forces with Cloud Security Alliance to offer a Certificate of Cloud Auditing Knowledge (CCAK). Employers and employees interested in the relevant certifications and training for these new skillsets may contact ISACA chapters in their vicinity or the author for further information.
Callilng for a competent workforce
The pandemic has accelerated digital transformation beyond anyone’s imagination. The adoption of cloud and remote working has a profound impact on the risks posed to businesses and individuals. This blog post has reviewed the strategies and improvements that will continue to be adopted by governments and enterprises. At the core of sound security is a competent workforce, which currently is being challenged by a cybersecurity skillset shortage. Individuals with the required training will in turn be able to defend their organizations better and attain higher employability.