Five cybersecurity lessons from 2020

The amount of change that has occurred in every aspect of our lives and our work over the past six months has been unprecedented.

During our first COVID-19 quarterly earnings report to Wall Street, Microsoft’s CEO, Satya Nadella, made note of this, remarking, “We’ve seen two years’ worth of digital transformation in two months. From remote teamwork and learning, to sales and customer service, to critical cloud infrastructure and security.”

Kevin Magee

While COVID-19 didn’t bring an end to an era of obsolete network and perimeter-based security strategy, it exposed weaknesses and challenges inherent in them that have existed for quite some time now. It has also given us the opportunity to question many of the premises we have left unchallenged for far too long.

Here are five lessons that 2020 has taught me about cybersecurity.

1. What it means to be resilient has changed forever

St. Bartholomew’s Hospital (Barts), founded in 1123 in London, has provided continuous patient care on the same site for longer than any other hospital in England. It survived a financial crisis in 1539 when Henry VIII stripped the hospital of its income, the great plague of 1665, the great fire of London the following year, as well as two world wars. Through all of these catastrophes, St Bartholomew’s persevered and continued to provide patient care until May 12, 2017, when WannaCry Ransomware struck numerous hospitals across the U.K. and saw Barts cancel 2,800 appointments and operations in the interest of patient safety.

The very systems that enabled the hospital’s ability to treat patients and save lives had the unintended consequence of also making the hospital vulnerable to cyberattack and cybercriminals were able to do something that plague, fire and wars could not do over centuries.

While digital transformation may introduce new vulnerabilities, it can also make us much more resilient. Imagine if the current pandemic had struck 20 years ago? We would simply not have been able to shift large portions of the economy to work from home and to online learning for our children without disruptive technologies such as the internet and the cloud. Our challenge therefore as security professionals is to protect our organizations from the vulnerabilities that digital transformation introduces while also leveraging these same technologies as opportunities to make our organizations much more resilient and able to respond with agility to any contingency.

2. Don’t bring a perimeter-based security strategy to a cloud fight

As defenders, we are no longer facing individual, unsophisticated attackers but organized cybercrime and nation state actors who are supported by an entire dark market industry. Attackers can now subscribe to ransomware services where tools are provided and maintained free-of-charge. All of this is lowering the barrier for cybercriminals while simultaneously reducing the cost of their attacks.

Defenders may temporarily operate with legacy security strategies, but this approach is difficult to sustain in this new reality. We are in an arms race against attackers and no single organization has the resources to stand alone. But there is strength in numbers. Defenders can benefit from the vast threat signals that cloud providers like Microsoft turn into operational and strategic threat intelligence. There are also opportunities for automation and orchestration at immense scale, all of which increase security while lowering costs and shifting the economics in favour of the defenders.

3. Everyone is on a Zero Trust journey now, whether they know it or not

In the first 10 days of the pandemic, it became clear that organizations who relied on traditional security methods, like on premise firewalls, were at a disadvantage. Not only did they have trouble meeting the needs of a new remote workforce, but they were also more susceptible to COVID-19 themed threats. Overnight, Zero Trust shifted from a business option to a business imperative. This is because by treating every access attempt as if it were originating from an untrusted network, Zero Trust security is built around the users and business assets, rather than the other way around.

Organizations that were successful in making the rapid transition to most employees working remotely had invested in a Zero Trust architecture, including MFA, device management and conditional access enforcement.

4. Identity is the new line in the sand

Strong authentication methods are key to defending against most cyberattacks. One simple action to prevent 99.9 per cent of attacks is to enable multi-factor authentication (MFA). Multi-factor authentication is a process in which the system prompts a user for an additional form of identification during sign-in, such providing a fingerprint scan. With companies closing office access, we have seen a twofold increase in MFA-enablement requests after the onset of the COVID-19 outbreak.

5. A security culture eats an attacker’s strategy for breakfast

When it comes to creating a successful security culture, tone from the top is what matters most. Leaders need to be fully invested and highly visible, leading table-top-exercises and modeling good security behaviours and cyber hygiene. Ultimately, people will make mistakes but it’s how you empower them when they do that will define the success of your security culture.

Kevin Magee is the chief security and chief compliance officer for Microsoft Canada (www.microsoft.ca). Magee was the keynote speaker at CS Honours on Oct. 1