The corporate security situation right now is like trying to quickly assemble a shelter during a rainstorm, experts say: Even if you get something set up, you’re still likely to have some water leaking through.
Everyone working from home, plus a reported increase in attempted cyberattacks means security systems straining under these unique conditions are especially vulnerable to massive hacks and data breaches — which could be underway right now and may not be reported about for another six months.
“I’m terrified about it” said Ben Goodman, senior vice president of global business and corporate development at ForgeRock. “A lot of users are being thrust into a work from home environment, and they’re not at all used to this.”
It takes a lot to make sure users are properly implementing security best practices, he told Digital Trends — practices that most companies didn’t train for before employees were forced to work remotely.
“I think we’re going to have an unprecedented number of breaches being announced following the pandemic,” said Kayne McGladrey, member of the Institute of Electrical and Electronics Engineers.
“The amount of risk is at an all-time high,” agreed Chris Hertz, chief revenue officer for the cybersecurity company DivvyCloud. “If I were a cybersecurity professional, I would not be sleeping right now. It’s a staggering problem.”
An annual survey from DivvyCloud reported that 49% of respondents who use the public cloud in their jobs said “their developers and engineers at times ignore or circumvent cloud security and compliance policies.”
In addition, cyberattacks are on the rise, a trend that was already happening before the pandemic, and now has dramatically increased, said Hertz. 2018 and 2019 saw a record number of ransomware attacks that totaled $5 trillion in damages.
“Right now is one of the most critical periods for IT security professionals that we’ve had in last decades,” Hertz told Digital Trends. “As one of my colleagues says, we’ve planned for hurricanes, earthquakes, tornadoes, but not for a pandemic that would send literally everyone home for six to 12 months. That was never the framework we’re thinking of.”
No corporate continuity plans
The difference between a company suffering a breach and coming through the pandemic unscathed could come down how much of their workforce was online before the coronavirus pandemic hit. Employees who weren’t already working online may cause trouble.
James Carder, chief security officer at LogRhythm, a security intelligence company, said he was concerned about the number of security concessions that corporations would have to make in order to quickly for their workforces online.
“Those that already had effective work from home infrastructures in place will fare better than those that had minimal work from home,” Carder said. “Those businesses that had a big emphasis on going to one place to do something, whatever that was, they’re probably struggling.”
Goodman estimated that whatever ad hoc systems corporations had cobbled together to get their employees online would not pass muster when put under pressure. “I have a feeling that for years to come we’ll potentially see that there were data breaches and hacks because of these systems being built too rapidly,” Goodman said.
“In a matter of weeks, we’ve gone from working at desks and on computers connected to systems controlled by employer, to using own machine on our own networks connecting through SaS applications,” Goodman said. “The likelihood all this has been done insecure manner is low.”
The chances that a business had a continuity plan for something like COVID-19 is unlikely. “No disaster recovery plan considered a pandemic at this scale,” said Carder. “I’m fairly sure no one had that binder on their shelves.”
“The breaches are already occurring and will grow over time,” said Alan Snyder, CEO of mobile cybersecurity company NowSecure. “For decades enterprises have built out layers of perimeter security assuming people mostly worked inside those 4 walls. The company network perimeter has completely blown up and fragmented.”
Zoom is ‘a cautionary tale’
The effects of a scramble to move an entire workforce online have already been seen with video-conferencing service Zoom and its security issues, experts said.
“Zoom is a classic example of people sacrificing security for expediency,” Hertz said.
It didn’t take long for everyone’s favorite video conferencing software to get thrown under the privacy bus. The company’s massive spike in popularity exposed some privacy and security holes that experts say are actually pretty common in a lot of apps. Zoom was forced to answer those concerns under the spotlight.
“Zoom had these issues even before the pandemic,” Goodman said. “They prioritized user experience over everything else, and the truth is, it works. I’ve worked with a lot of these tools and Zoom is the most user-friendly. But I think it’s a cautionary tale.”
Zoom likely isn’t the only app that has done this, it’s just the poster child.
“In general, these video chatting apps are probably pretty popular, and you’ll probably have the same challenges,” said Heather Federman, vice president of privacy and policy for BigID, a data privacy firm.
Designing with privacy in mind was a challenge even before the pandemic, Federman said. The financial incentives are just not there for developers to prioritize it.
“The problem is highlighted right now, but I don’t see that changing,” she said.
Both Goodman and Hertz were also skeptical that privacy would come to the forefront anytime soon. “Apps still get rewarded for user experience,” Goodman said. “Sadly it’s up to enterprise security people and savvy users to be careful.”