The rapid emergence of COVID-19 has driven an unprecedented level of remote work for corporate enterprises, their employees, teachers, students and even medical professionals as telehealth has become necessary. Even if some worked from home occasionally, most have never done it full time - and most businesses never considered that this new normal would be standard operating procedure. It has changed cybersecurity fundamentally. Businesses now face more exposure to cybercrime than ever before, and that’s happened practically overnight. As a result, cybersecurity has to become a priority at the board level, because mitigating risk from cybercrime has to be realized as a corporate fiduciary duty, and that risk is systemic.
CSOs previously had control over most, if not all, of the infrastructure, networks, and devices that their businesses run on. While they still retain control over on-premise servers and their SaaS providers, for all intents and purposes they've lost control of the networks that their mission-critical information is transported on, and many of the endpoint devices that their employees use because they are employee-owned devices sitting in their homes rather than in the office.
The networks that are transmitting company confidential information are now, in many cases, your employees’ home networks - which are only as secure as your employees keep them. If some of your employees lease their modems from their cable providers, can you realistically ensure that all of them are set to the highest security settings? If they own their own modems, are those modems some of the millions deployed that still use default admin/password settings that are easily exploited? In either case, have other members of the household opened ports to make video games or other applications perform better? Doing so comes at the tradeoff of introducing security risks. Even in the unlikely event that every employees’ network is completely secure, it’s likely that your company uses one of the 200 providers whose network traffic was hijacked and routed through Russia’s state-owned telecom network last week.
Endpoints - the laptops and phones that your employees are now using to do their jobs on a daily basis - are also at risk if you don’t have mobile device management (MDM) in place. Without MDM, is it realistic to expect that every one of your employees will update their operating systems to patch critical security vulnerabilities? Each of the last updates to Windows, macOS, and iOS included patches for serious security issues. Similarly, the applications on machines not under a CSO’s control each present potential security problems if left unpatched.
Researchers are currently making headlines for exploiting security holes in Zoom, but the black hat community is working on exploits for everything your newly remote employees use, even capabilities like VPNs that are meant to provide security. That's a reality that has to be accepted and plans to mitigate these exposures need to be made and put into action.
Cybersecurity has to become an issue at the board level, not just the C-suite. Mitigating known risks is a fiduciary duty for many executives. If you’re one of them, you need to do everything you can to protect your corporate surface area, which is now exponentially bigger than before, almost all of it beyond corporate firewalls. You need to take a hard look at your cyber insurance policies as well. Not everyone will face cybercrime in the remote work era, but those who do, and aren't protected financially, face dire consequences.