As threats evolve with remote working becoming the norm, approaches to access governance and security postures need a rethink.
Remote working has become the norm and organizations across Asia Pacific have rapidly expanded their digital estates with the deployment of new technologies.
The result: enterprises today are more vulnerable to cyberthreats than ever before. In this new disrupted business environment, the tried-and-tested security approaches that enterprises have in place may be woefully inadequate.
As enterprises start looking at the long-term transformation of their businesses, they also have the opportunity to rethink their cybersecurity approaches and strengthen their security postures.
Enterprises need to take the right steps now to protect their core operations and lay the foundation of their long-term strategy to build a secure, resilient organization. And two critical aspects that they need to consider are digital identity and zero trust.
How could organizations leverage these two security building blocks to bolster their current security posture and build a future-proof, holistic cybersecurity strategy for the disrupted business environment of tomorrow?
CybersecAsia sought out some insights from Rajiv Sagar, Growth Markets Cybersecurity Lead and Global Cybersecurity Strategy Lead at Avanade.
What are the key cybersecurity risks Asia Pacific enterprises face?
Rajiv Sagar (RS): Over the last few months, many enterprises have had to implement new, unfamiliar operating models and quickly deploy technologies to respond to COVID-19 and ensure business continuity. A Gartner poll indicated that more than nine out of ten organizations in Asia Pacific had implemented remote working arrangements since the onset of the pandemic.
These changes have resulted in a broader attack surface and introduced new vulnerabilities into their digital environment, resulting in greater exposure to security threats and the emergence of new security challenges.
One of the key challenges that enterprises are looking to address now is securing the remote workforce. As enterprises make working from home a default, there are increased cyber risks around vulnerable personal devices, weak passwords, poorly secured home Wi-Fi networks and routers, and unpatched remote systems.
Additionally, enterprises’ digital identity and access governance have not kept up with the new ways of working, including managing remote workers, multiple devices and the inability to access key applications. With the deployment of multi-cloud initiatives, ad-hoc security purchases and rapid adoption of remote working and collaboration applications, identity and access measures are becoming increasingly complex to manage for security administrators.
Besides internal cybersecurity challenges, enterprises also contend with external threats as cybercriminals continue to find new ways to exploit the COVID-19 situation. Attackers are capitalizing on fears around COVID-19 and using it as a themed lure to deliver phishing campaigns and malware. According to Microsoft, these threat actors are making 60,000 COVID-19 related phishing attempts every day. Cybercriminals are also targeting employees working from home, and there have been reports on attackers infecting employees’ devices with malware by hijacking their routers and redirecting them to fake COVID-19 websites.
Furthermore, an Accenture report found that 40% of cyberattacks now occur indirectly through the supply chain. As cybercriminals seek to exploit weak links in the business ecosystem, any gaps in the supplier’s system can compromise the security posture of the enterprise. As enterprises continue to reconfigure their supply chains for greater resilience and speed to meet customer and market demands, these supply chains become more complex, integrated and exposed. This can lead to an exponential increase in the risk profile of enterprises.
To make matters worse, the Asia Pacific region currently faces an acute shortage of approximately 2.6 million cybersecurity professionals, according to (ISC)². The lack of cybersecurity talent will continue to exacerbate these challenges as cyber defenders fight an uphill battle to keep pace with evolving cyber risks and threats.
What are the major challenges and pitfalls they encounter in devising their cybersecurity strategies?
RS: Many enterprises find themselves navigating unfamiliar waters when it comes to devising an effective, long-term cybersecurity strategy for the new way of working and doing business. Cybersecurity approaches that were effective just months ago are now rendered obsolete as business models and operations, work environments and the workforce undergo dramatic changes due to the pandemic.
As enterprises start looking at a longer-term cybersecurity strategy for the future, here are the key challenges they will need to overcome:
- Redefining security perimeters – The new modern workplace will need to account for the proliferation of end-point devices and meet the demand for anytime, anywhere access from employees. Enterprises need to understand that the conventional approach of using firewalls to keep data and devices safely locked behind company lines is no longer effective as a lone strategy. They will need a new approach where the definition of “perimeter” is one that evolves and moves with the users and their devices.
- Inherited risk and complexity – As enterprises migrate to new workplace platforms, they need to be aware that their legacy environments and investments can expose them to more risk, especially if previous migrations were simply a lift and shift to a new platform without much thought into updating the security protocols.
- Treating security as a barrier – In the rush to accelerate cloud adoption and deliver functionality during the onset of COVID-19, many enterprises have started to treat cybersecurity as an obstacle in their digital transformation journey. As a result, they either do not perform adequate cybersecurity risk assessments or put off cybersecurity considerations to a later time. This can lead to unwanted surprises and cyber risks at every step of the digital journey, as opposed to a more comprehensive, integrated approach exemplified in “SecDevOps” or “secure by design” principles.
- Best of breed approach leading to complexity – For some enterprises, investing in the best tools in the market is one of their key cybersecurity approaches. While the intent behind this “best of breed” approach is laudable, this approach can lead to more complexity, costs and inefficiencies compared to a more agile “best of platform” approach. With tightening budgets, limited resources and rising cyberthreats, especially in these tumultuous times, security teams must prioritize simplicity and find comprehensive platforms with security baked in across a set of applications and workloads.
- Securing from inside – An Avanade report found that over half of executives globally (51%) believe that bigger security threats are coming from inside of their organizations. These inside threats include unintentional actions, lack of operational processes, lack of knowledge or training, and malicious activities. Enterprises should ensure that they have properly configured access policies and have tools in place to automatically spot suspicious behaviors from within and prioritize proper training for their employees to identify cybersecurity threats.
- Lack of a clear incident response plan – Enterprises today should adopt an “assume breach” mindset, internalizing the idea that a cybersecurity incident is not a matter of “if” but “when”. This means enterprises need to prioritize the development of a clear incident response plan when devising their cybersecurity strategy. Without a clear, codified incident response and remediation approach, enterprises will be caught off guard during a data breach incident. This can lead to enterprises suffering significant damages to cost and reputation as a result of the loss of customer data, trade secrets and intellectual property.
Why do you think digital identity and zero trust are foundational for enterprises in the new normal and beyond?
RS: As enterprises look to build more resilience for the future, it presents them with the perfect opportunity to rethink their cybersecurity approach and strengthen their security posture, with Zero Trust and Digital Identity as its foundation.
Zero trust as the new framework for security
A zero trust concept postulates that an organization should not automatically trust anything inside or outside its perimeter, and everything must be verified before granting access to the systems. Every data access request needs to be fully authenticated, authorized, and encrypted before it is granted. The identity of every individual, admin account, application, bot and process must be validated and managed through a governance process.
This not only allows enterprises to decouple data access from network access, it also enables enterprises to verify the access request based on identity and user context, which are essential attributes in enabling enterprises to provide a secure remote work environment.
With remote working and access becoming entrenched in the modern workplace, and cybercriminals ramping up their attacks on remote workers, the zero trust framework also enables enterprises to adopt an “always assume breach” stance.
Additionally, zero trust allows enterprises to enforce the principle of least privileged access, limiting access to specific apps and resources to authorized users only. This allows them to mitigate the damage should a data breach occur.
Digital identity as the new security perimeter
Digital identity is vital for enterprises looking to adopt a zero trust framework. As an enterprise’s digital environment continues to grow in size and complexity, digital identity can act as the new central control panel for cybersecurity.
Business processes and applications today are imbued with identities as enterprises continue to digitally transform their operations and accelerate digital engagements. Managing these identities through identity and access management (IAM) capabilities is essential when it comes to protecting data and safeguarding customer experience. Customer-obsessed security professionals will prioritize all major IAM capabilities to support customers’ security and privacy demands.
With IAM capabilities, enterprises can shift security from the network to where the users are, with identity acting as the gatekeeper for all data, devices and applications. A robust IAM solution can replace firewalls as “the new perimeter” in the new normal.
At the same time, the digital identity solution must enable these new styles of work, providing a streamlined and seamless user experience to empower employees to work together securely.
What are the critical first steps that enterprises should take when developing a holistic, future-ready cybersecurity strategy? How could they avoid the pitfalls they are facing?
RS: In the next 12-18 months, we expect enterprises to increasingly shift their attention to how they can renew and position themselves for the future. They will be looking to reinvent their business model to address existing and new opportunities with a stronger, more resilient version of the enterprise.
From a cybersecurity perspective, enterprises should look to continually adapt to changing business landscapes and remain compliant – ensuring any changes in models, technology and processes adhere to regulatory and emerging compliance requirements. This would also be an ideal time to implement a new security design, based on a robust roadmap that is consistent with their business requirements and risk posture.
Here are five key steps that they should take to get started:
- Adopt a zero trust mindset and vision – While there are no silver bullets in the cybersecurity world, zero trust can be one of the most effective ways for organizations to protect assets across endpoints. Enterprises should consider tools that address their identity governance and administration requirements.
- Undertake a comprehensive risk assessment – Many enterprises have experienced a rapid change to their digital architecture with the deployment of new collaboration and workforce tools. Now is an opportune time for enterprises to conduct a risk assessment of their entire digital environment, including their legacy infrastructure and investments.
However, it can be challenging to evaluate the risk of all their applications, devices, networks and data. Hence, a good place to start is by identifying the assets of most value and understanding what enterprises want to protect. From there, enterprises will be able to pinpoint the key risks to those assets, identify ways to address them and develop a clear incident response plan.
Enterprises should also partner with a trusted external service provider to provide an objective view of the organization’s security posture and bring in different methodologies and deep expertise to augment enterprises’ in-house capabilities.
- Simplify and enhance security landscape – While a layered approach to security with the right tools is essential, enterprises should look for opportunities to cut unnecessary controls. Excessively heterogeneous security architectures are difficult to manage, costly and may increase enterprises’ risk of exposure. Enterprises should look to leverage capabilities that are integrated into their cloud provider’s platform. Not only will this approach help to reduce unnecessary costs, it is especially useful when enterprises need to react quickly to a situation, such as enabling a remote workforce.
- Establish a long-term security vision – Enterprises should implement a holistic approach to security and make it a part of their organization’s digital transformation from the outset. Enterprises also need to understand that security should be a business enabler and priority. This means building security into their IT solutions and applications, balancing security and controls to avoid having an adverse effect on employee productivity and creating a strong security culture through employee training and education.
- Build a strong security culture – Finally, enterprises should look at fostering a strong culture of security and shared responsibility within their organization. The goal is to cultivate an environment where the employees are committed to protecting the company, clients, work, data and assets, and help them embrace the idea that cybersecurity is each employee’s responsibility. Creating this culture would require enterprises to plan and implement comprehensive, consistent training and education programs to address the security risks inherent with employee behavior. This may require a change management approach backed by ongoing education and role-based training for individuals.