Last year changed things across the board, to say the least. What changes did your business have to make? For many organizations, a key player in these changes was the CISO, or Chief Information Security Officer. The CISO works to protect your business environment by monitoring and updating company policies and procedures, and providing high-level consulting on security concerns.
I had a chat with SOCBOX’s vCISO, Stormy Seliquini, about what we learned from 2020 and how that will affect planning for 2021.
How did 2020 change the role of a CISO?
During (and directly because of) 2020, the role of a CISO went from a nice-to-have to a must-have position. Even smaller organizations that can’t afford a full-time, in-house CISO realized the need for high-level strategic consulting—not just from the IT director, but from a dedicated expert. A vCISO, or virtual CISO, fills that role, providing expertise and direction without the overhead.
Plus, the role started to expand to encompass risk management, not just cybersecurity. Disaster recovery became huge—a necessity for the CISO role. Organizations needed someone to take a high-level look at their Business Continuity & Disaster Recovery (BC/DR) plans and suggest changes, rather than just someone who could evaluate and refine their cybersecurity strategy.
What are the biggest security threats businesses face right now?
Social engineering, hands down. Even before the pandemic, this was a growing concern because it’s a human vulnerability. You can have cutting-edge technology in place, but if your team isn’t trained to identify and repel phishing attacks, your business is vulnerable. Over the past year, though, COVID-related phishing attacks have skyrocketed. Google flagged 46,000 phishing domains each week in 2020, and already over December and January we’ve seen a 300% increase in suspicious domain names using “vaccine”. So bad actors are using every opportunity to exploit the situation we’re all facing.
The other side of the COVID threat is that it forced many businesses to cram what would normally be a months-long process of arranging for remote work into a few days. Companies had to make a rapid transition to Cloud or SaaS solutions to support work-from-home (WFH) arrangements for their entire workforce, and in the process, many best practices were missed or compromised. Between insecure Cloud solutions, insecure configurations and social engineering, the situation is primed for attack by bad actors.
What lessons for planning in 2021 did we learn from 2020?
- Your BC/DR plan has to be legitimately robust. Backups don’t cut it anymore. Just because you have data backed up somewhere doesn’t mean you have an actual plan for how your business is going to recover. Do you have designated roles and responsibilities? Does everybody know what they need to do? How will your business change to work through the disaster? These are questions your plan needs to answer, in detail, and it needs to be tested and verified regularly. There’s a difference between being told what to do and actually doing the work. Picture trying to change a tire, but there are 70 kinds of tire to pick from—and the car is on fire. That’s what it’s like trying to execute a BC/DR plan during a disaster if your team hasn’t been drilled on exactly what they need to do. We’re hosting a webinar next week about how to develop a Disaster Recovery plan, precisely because it is so critical to a business’ survival.
- The structure of a business’ overall security posture has changed irrevocably. Many businesses are planning to rely more heavily on Cloud, and never go back to a fully on-premises infrastructure. When everything was at your office, it could more easily be protected behind a firewall. But how do you adjust your security posture to account for data that is now scattered among the homes of your workers? A security model known as Zero Trust has gained popularity in recent years and is quickly becoming a necessity. Zero Trust is based on the philosophy of assuming everything is an attacker until proven otherwise. Instead of relying on a firewall to repel attacks and automatically trusting everyone within the network, this strategy cuts off access to everything until the network can confirm who you are, even if you’re already inside the environment. Some of the worst data breaches have happened because after a hacker gets inside the firewall, there’s very little to impede his progress through internal systems. Zero Trust involves establishing privileged access control and level-based permissions. In a nutshell, you need 100% auditing all the way through your tech stack.
- People are less prepared than they think. Cloud has been a buzzword for 15 years, and business continuity/disaster recovery for 5 years, but when the pandemic hit, everybody was still scrambling to assemble a response. Even the organizations that did have a BC/DR plan or Cloud service didn’t have the tools to implement them securely. Security measures that were considered best practices are now necessities, like RMM (remote monitoring & management). Organizations need to make sure they have a detailed, technically sound plan in place, and regularly review it to make any needed adjustments.
As we enter 2021, the cybersecurity landscape has changed dramatically, in both expected and unexpected ways. Now, more than ever, cybersecurity strategy and implementation are absolutely critical to the survival of your business.