CISOs undeniably faced a new host of challenges across the board this year due to the global pandemic. As we approach the end of the year, it is a good time not only to reflect on the past year but also to prepare for what the foreseeable future holds for enterprise cybersecurity.
As enterprises continue to adjust to the reality of remote work, threat actors are taking advantage of the vulnerabilities that inevitably arise. Across the board, there is a rise in phishing and supply chain attacks, attacks on VPNs, and malicious or accidental employee data exfiltration.
Organizations reacted fast to the ongoing pandemic and moved to remote work, but have not yet adopted all of the tools and methodologies needed to make it safe. Such a robust transition will be a lengthy process. To decipher the critical issues CISOs should focus on, let's examine the paradigm shifts on the horizon and which tools are worth investing in today.
What it means to be a CISO during a pandemic
On the one hand, operational budgets were freed from certain expenses pertaining to travel, conferences, and office space. At the same time, the lack of an in-person working environment posed new challenges for technology executives. The post-COVID world made it more difficult to identify viable new tech solutions without the centralized convening of conferences and trade shows. The mass distributed workforce has also made it increasingly difficult to test new solutions and run proofs of concept (POCs), and even after a decision is made to adopt one, solutions take longer to implement.
By the same token, the forced transition to remote work for many organizations translated into accelerated SaaS adoption, increased use of bring-your-own-device (BYOD) practices for work purposes, and the relaxation of security controls to enable remote productivity.
The rapid transition to remote work introduced new risks to enterprise data and users that CISOs have to contend with. Security teams now have less control over where corporate data sits and how their users behave. At the same time, business requirements mandate a growing number of SaaS platforms. Given that every connection to a SaaS application expands the attack surface, this puts many enterprises at risk.
What to expect in 2021
Going into the new year, we'll continue to see the business sector demand better solutions for a decentralized, distributed workforce and infrastructure. Nearly half (47%) of all organizations are expected to continue to embrace a fully remote workforce beyond COVID-19. That means that CISOs need a sustainable long-term strategy instead of relying on quick fixes to address the fundamental security risks.
In 2021 CISOs will have three overarching priorities:
- Keep employees working without major disruptions to productivity
- Keep employee data safe and, in turn, enterprise data
- Prevent overwhelming the IT teams with remote-work support and other menial issues that can be remediated with technology so they can focus on security tasks that require human involvement
Now more than ever, organizations need tools that enable employees to work safely from any device or location while also better protecting off-premises employees, and providing centralized identity and access management (IAM) solutions for employees and customers.
The best CISOs are involved with digital transformation and are using the current situation to establish new procedures and implement innovative ideas and strategies. That being said, there are ways to address all of the above concerns without additional spending or friction.
Eliminating the weakest link to meet security needs in the year to come
IAM solutions offering centrally managed SSO and advanced MFA options remain the standard approach for securing SaaS applications. However, the rapid influx of remote workers and the need for flexible access to workplace resources have rendered current authentication methods ineffective as a security measure.
The problem is that these IAM solutions largely rely on passwords and therefore leave the internal network exposed. Passwords are fundamentally insecure: they require employees to adhere to password policies and maintain stellar cybersecurity hygiene. But even with the best practices, the explosion of applications makes password reuse across accounts rampant and leaves entire organizations in jeopardy.
Large credential dumps regularly appear on dark web forums and Telegram channels, with some exposing tens of thousands of credential databases at a time. The leaked login information is then used to orchestrate account takeover campaigns, using credential stuffing, password spraying and similar attacks against users who reused passwords across online accounts or chose weak credentials.
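The account takeover campaigns described above leave a recognisable trace in authentication logs: a single source tries many distinct accounts and fails most of the time, and any success inside that burst is a likely takeover. The following is an added example, not code from the original article, showing how a security team might scan such logs. The log format, IP addresses, user names and detection thresholds are all constructed assumptions for illustration.

```javascript
// Added example, not code from the original article. It scans constructed
// authentication-log lines for the account-takeover pattern the text
// describes (one source trying many distinct accounts, as in credential
// stuffing or password spraying) and lists the successful logins that
// followed such a burst, so those accounts can be reset and reviewed.
// The log format, addresses, user names and thresholds are all assumed.

// Constructed sample log: "<timestamp> <source-ip> <username> <OK|FAIL>".
const SAMPLE_AUTH_LOG = `
2020-12-01T09:00:01Z 198.51.100.7 alice OK
2020-12-01T09:05:12Z 198.51.100.7 alice FAIL
2020-12-01T09:05:20Z 198.51.100.7 alice OK
2020-12-01T10:00:01Z 203.0.113.5 alice FAIL
2020-12-01T10:00:02Z 203.0.113.5 bob FAIL
2020-12-01T10:00:02Z 203.0.113.5 carol FAIL
2020-12-01T10:00:03Z 203.0.113.5 dave FAIL
2020-12-01T10:00:03Z 203.0.113.5 erin FAIL
2020-12-01T10:00:04Z 203.0.113.5 frank OK
2020-12-01T10:00:04Z 203.0.113.5 grace FAIL
2020-12-01T10:00:05Z 203.0.113.5 heidi FAIL
2020-12-01T11:30:00Z 192.0.2.44 bob OK
`;

// Parse one event per non-empty line; malformed lines are skipped rather
// than allowed to break the whole scan.
function parseAuthLog(text) {
  const events = [];
  for (const line of text.split("\n")) {
    const fields = line.trim().split(/\s+/);
    if (fields.length !== 4) continue;
    const [ts, ip, user, result] = fields;
    if (result !== "OK" && result !== "FAIL") continue;
    events.push({ ts, ip, user, result });
  }
  return events;
}

// Per-source profile: how many accounts a source touched, how often it
// failed, and which accounts it eventually got into.
function profileSources(events) {
  const profiles = new Map();
  for (const e of events) {
    if (!profiles.has(e.ip)) {
      profiles.set(e.ip, { ip: e.ip, attempts: 0, failures: 0, users: new Set(), successes: new Set() });
    }
    const p = profiles.get(e.ip);
    p.attempts += 1;
    p.users.add(e.user);
    if (e.result === "FAIL") p.failures += 1;
    else p.successes.add(e.user);
  }
  return profiles;
}

// A legitimate user mistypes a password for one or two accounts; a stuffing
// or spraying run touches many accounts and fails most of the time. Sources
// over both thresholds are reported, with any accounts they logged into.
function findTakeoverCampaigns(events, { minDistinctUsers = 5, minFailureRate = 0.5 } = {}) {
  const findings = [];
  for (const p of profileSources(events).values()) {
    const failureRate = p.failures / p.attempts;
    if (p.users.size < minDistinctUsers || failureRate < minFailureRate) continue;
    findings.push({
      ip: p.ip,
      distinctUsers: p.users.size,
      failures: p.failures,
      failureRate: Number(failureRate.toFixed(3)),
      compromised: [...p.successes].sort(), // force a credential reset on these
    });
  }
  return findings;
}

for (const f of findTakeoverCampaigns(parseAuthLog(SAMPLE_AUTH_LOG))) {
  console.log(`${f.ip}: ${f.distinctUsers} accounts, ${f.failures} failures (rate ${f.failureRate}); logged into: ${f.compromised.join(", ") || "none"}`);
}
```

On the constructed sample, only 203.0.113.5 is reported: eight distinct accounts, seven failures and one success (frank), which is exactly the account that should be reset and reviewed. The thresholds are deliberately simple; a production detection would also window by time and correlate the same pattern spread across many source addresses.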
Moving towards passwordless authentication
Striking the balance between supporting remote productivity and security is impossible to achieve while still relying on passwords to protect enterprise resources.
The truth is that passwords should have been removed from the equation a long time ago. We have had a much more viable alternative for some time: passwordless authentication.
Passwordless authentication can work through a variety of authentication protocols, such as FIDO2 and WebAuthn. The defining element of every good passwordless solution is that no fixed authentication secret is stored within the system: there is simply no password for the user to choose, remember or share. As a direct consequence, attackers have nothing left to steal or crack.
From a security perspective, the strongest passwordless solutions rely on multi-channel and out-of-band authentication mechanisms. Not only does passwordless authentication provide better security, but it also improves the user experience while reducing the total cost of ownership (TCO) and the pressure on IT and support teams.