It’s estimated that more than 30 million U.S. workers are now working remotely. As the number of people working from home has increased on a massive scale practically overnight, workers have scrambled to set up home offices, balance homeschooling with business presentations, and get the hang of video conferencing. Those aren’t the only challenges they’ve been facing, however.
Cyberattacks are on the rise, as cybercriminals have been exploiting the COVID-19 pandemic to gain access to valuable data and unauthorized access to systems. During the pandemic, two main cybersecurity threats have emerged: first, an influx of misinformation and weaponized websites and documents; and second, a newly remote workforce without the right protections in place to avoid breaches. Since most remote employees are performing their work duties either over an Internet system tied to a work computer or via a cloud-based system, they’re at increased risk of cyberattacks.
The abrupt shift to working from home, according to a report by CISA, FBI, and the broader U.S. government, has led to quick and hastily put together deployment of cloud collaboration services such as Microsoft 365. This has given hackers and cybercriminals new life and countless opportunities to break into company systems, steal confidential and sensitive data—or Zoom-bomb meetings. Employees in the Digital Guardian Trends Report stated that data withdrawal over email, USB, and cloud services has jumped up 80 percent, with more than 50 percent of the data labeled as “classified.” Hostile actors, the report says, are increasingly targeting unpatched VPN vulnerabilities. Companies and government agencies are perhaps more vulnerable to cyberattacks now than ever before, with malicious activity on corporate networks and servers increasing 62 percent since the beginning of the pandemic.
Large-scale cyberattacks and the breakdown of critical information infrastructure and networks are among the top most strongly connected global risks in The World Economic Forum’s “The Global Risks Report 2020,” and 76.1 percent of respondents stated that they believe the short-term risk of cyberattacks related to infrastructure will increase in 2020. Many cyber professionals say that it’s not a matter of if your organization’s systems will be breached; it’s when.
Phishing emails, particularly related to hackers posing as World Health Organization, Centers for Disease Control, or other health-related organizations, have become more prevalent, as have impersonating domains for sites like Zoom and the UN. In April, around 450 email addresses and passwords of WHO employees were leaked, along with thousands of others of people working on the COVID-19 response. Malicious websites posing as official information sources for COVID-19 at one point exceeded 2,000 sites per day, according to research by technology services provider NTT Ltd. And while cybercriminals are still deploying attacks using mostly traditional methods and seeking the same types of information as in the past, it’s the increase in these types of attacks over the last several months that’s most alarming. According to the Department of Health and Human Services, there were 132 breaches in hospitals’ and healthcare providers’ networks between February and May of this year alone. As Steve Inch, a global security manager with HP, says, “This is a unique opportunity to get easy access through an unsecured WiFi connection in your home to the VPN to the broader enterprise that you’re working for.”
Private and public-sector businesses far and wide are feeling the fallout from increased cybercrime events. Honda recently experienced a company-wide network outage, a suspected result of a ransomware attack. One of NASA’s IT contractors was a recent victim of a ransomware attack, and it’s thought that the cybercriminals responsible for the attack infiltrated individual employees’ systems.
The Verizon Business 2020 Data Breach Investigations Report found that for 86 percent of cyberattacks, financial gain is the key driver (up from 71 percent in 2019). Credential theft and social attacks like phishing and business email compromise account for the majority of breaches. ISACA’s State of Cybersecurity Part 2 report found that social engineering was the top attack type reported at 15 percent, followed by advanced persistent threat (10 percent), and ransomware and unpatched systems (9 percent each)—although 62 percent of respondents believe cybercrime goes largely unreported.
The Importance of Cybersecurity and a Pandemic-Specific BCP
A remote workforce, mixed with an increasing incidence of cyberattacks, only makes the need to consider cybersecurity in your business continuity plan more acute. It’s essential that your BCP covers a pandemic-driven remote work policy and the cybersecurity details that this policy entails. Many organizations have impact-driven business continuity plans that address a business’s recovery after a major event like an act of terrorism or extreme weather event. This is, however, very different from a pandemic-specific BCP, which requires a unique and customized response mirroring a disease outbreaks’ tendency to subside and flare up again, lasting longer than most BCPs plan for. These scenario-specific plans can help to successfully guide businesses through an emergency like a pandemic—and there’s no time like the present to create one.
Five key points that make up an effective BCP, says James Tuplin, head of IFL cyber & TMT for AXA XL, include effective lines of communication, so employees know how and to whom to report cybersecurity issues; a cyber policy that can be activated; clean, regular backups of the entire IT estate; an understanding of how to reboot your system; and regular testing of your plan.
An effective BCP should assess how its infrastructure can support employees while protecting the organization. Mark Sangster, VP and industry security strategist, eSentire, says it’s important for businesses to ask themselves, “What mechanisms and protocols do I have in place to maintain consistent security practices during this shortage, and can I take needed action to prevent a threat despite having a smaller-than-usual workforce?”
More remote employees means increased movement of IT resources to cloud-based resources, VPN, and other corporate networks, which requires changes to the BCP so that it synchronizes with business and IT’s remote workflows, says Mary E. Shacklett, president of marketing and technology services firm Transworld Data. She recommends that businesses implement security elements like two-factor authorization and data encryption, and establish backup vendors for Internet and corporate communication network hosting in the event of network failure. Firewall architecture needs to be strategically configured to account for unplanned and sudden increases in employee traffic, and plans around segmentation and robust intrusion-protection systems should also be considered to provide a needed level of security against unauthorized access.
According to Forrester, many countries are entering phase 3 (the “management”) phase of the COVID-19 pandemic, which is expected to last from mid-May through the end of 2020 and into 2021. During this phase, pandemic management protocols will have to be constructed to define how we’ll work, travel, and connect in the coming months. A public health emergency like a pandemic impacts people in a myriad of ways, and your BCP must reflect this. Because hybrid work may be a reality for some organizations, businesses must make sure their technology infrastructure can handle both at-work and at-home tech at robust levels.
The need for qualified cybersecurity professionals is immense.(ISC)² research shows that the shortage of skilled security resources is approaching 3 million globally. In addition, 78 percent of respondents in ISACA’s State of Cybersecurity 2020 report say that the demand for technical cybersecurity individual contributor roles will increase in the next year, and 58 percent of respondents anticipate an increase in cybersecurity budgets. Cybersecurity teams are in a unique position to help people remain safe and guide decision-making in the times ahead. Cybersecurity professionals and the businesses employing them have the opportunity to be visible, vocal, authentic advocates for their professional and personal communities during and beyond the pandemic.
As the world deals with the fallout from the COVID-19 pandemic, and as infrastructures continue to become more distributed due to a remote workforce, it’s critical that organizations work to close the cybersecurity skills gap to combat current and future threats. ISACA’sState of Cybersecurity 2020 Survey Part 2 reports that 53 percent of the more than 2,000 information security professionals surveyed believe that they’ll experience a cyberattack in the next 12 months. The data supports this belief as cyberattacks are continuing to increase—yet 62 percent of organizations surveyed say they remain understaffed, and 57 percent say they have unfilled cybersecurity positions on their team.
These talent shortages can have big consequences. According to the survey, 21 percent of “significantly understaffed” organizations say they’re completely or very confident in their ability to respond to threats and attacks, compared to a 50 percent confidence level for those who say their organization is appropriately staffed. ISACA’s report also found that organizations that take longer to fill cybersecurity positions report more cyberattacks: 26 percent of those that said they filled a position in less than two weeks reported more attacks, compared to 38 percent that took six months or more, and 42 percent that said they cannot fill positions.
The CISA and FBI report states that cybersecurity weaknesses such as a lack of system recovery and business contingency plans, along with poor employee education on social engineering attacks, have continued to make organizations susceptible to ransomware attacks in 2020. But whether organizations are up to the challenge of remedying these issues is largely dependent on whether they’re able to get the talent they need. Though the demand for qualified cybersecurity professionals is extremely high, finding talent with the necessary skills to provide needed safeguards continues to be a challenge for many organizations.
How to Close the Cybersecurity Talent Gap
To fight past the skills gap and effectively staff your team with the best people, it’s important to keep these ideas in mind:
Be realistic about what skills are actually needed on the job.
Are all the qualifications you desire in a candidate relevant in today’s environment—or are they driving away qualified talent who possess the soft skills your organization is lacking? A staffing firm partner can work with you to determine whether your candidate profile lines up with the latest research and trends and reflects the realities of today’s climate.
Consider soft skills.
Don’t underestimate soft skills like attention to detail or ability to work effectively under pressure when it comes to cybersecurity candidates. In ISACA’s 2020 State of Cybersecurity report, respondents cited a lack of soft skills as the biggest skills gap. Consider the value of military veterans in your talent pool, who possess qualities like leadership skills, a strong work ethic, and the ability to work under pressure—all essential skills for cybersecurity professionals fighting increasing rates of attack.
Think outside the traditional confines of the typical candidate.
Globally, 70 percent of cyber talent currently comes from an IT background. As the World Economic Forum points out, COVID-19 has all but guaranteed that new cyber risks will create unfilled roles for which there are no existing skill matches. So, rather than hiring based on traditional skills alone, we can look to build a more robust workforce by expanding our pool to include non-traditional talent. These candidates likely possess transferable skills that are advantageous in the short and long term. Hiring candidates from backgrounds as diverse as finance, communications, fine arts, and engineering can put us in a stronger position to share the social responsibility of cybersecurity, strengthen our cybersecurity teams, and bring on more women and minorities, who are currently underrepresented.
Invest in employee training and development.
Only 27 percent of respondents in ISACA’s report found that recent graduates in cybersecurity were well prepared for the workforce. By removing current barriers to entry, reframing expectations, and investing in training and certifications, companies can build the actionable skills needed to effectively fight against cyberattacks. Consider adding a robust training and development program to help fill your skill gaps. It’s a win-win: new and existing employees will gain new skills to work on the front lines of your cybersecurity efforts, and you’ll gain quality employees who will work with you in the fight against cyberattacks for the long term.
Moving Forward, Together
It’s clear from these trends, and our current economic landscape, that cybersecurity is moving more rapidly—and in more directions—than anyone may be able to predict. Titles are evolving, requirements are shifting, and finding the right candidates is a moving target. Sandy Silk, CISSP, director of IT Security Education & Consulting, Harvard University, and ISACA cybersecurity expert, says it best, “It is evident that cybersecurity hiring and retention are not just a challenge for teams—they can have a very real impact on the security of their enterprises. Cybersecurity teams need to think differently about how they search for and keep talent, including seeking candidates from non-traditional backgrounds, and diverse educational levels and experience.”