Interview: Deborah Golden, US Cyber Risk Services Leader, Deloitte

We may think that we are aware of the current working challenges that have emerged because of the COVID-19 pandemic, but according to Deloitte, there are as many as 10 new hurdles to overcome.

Infosecurity spoke to Deloitte’s US Cyber Risk Services leader, Deborah Golden, who said that there are challenges, but also priorities and opportunities for businesses in the rapidly evolving threat landscape as companies go through each phase to better prepare for future threats.

Golden explained that there had been a quick shift in the way we work, and it was “not digital transformation” that drove the new agile workforce, and this has meant that businesses have had to introduce new dynamics in “a quick and capable fashion, and how do we handle all of that?”

Golden said that beyond the chaos that may have been caused, businesses have to think about which changes are being introduced and making those solutions functional, and this has created a complex landscape and a larger adversarial surface “and this has grown exponentially and it is outside an organization’s control.”

Golden admitted that although many of these security challenges existed prior to the pandemic, she viewed the top 10 security challenges heightened by COVID-19 as the following:

Shadow IT, including the increased use of collaboration tools which are often unapproved and unmanaged. Golden said that how we share information has changed and with that comes the issue of data protection.

Early opportunistic attacks become sustained campaigns as network visibility is more difficult to maintain. Golden explained that we have seen that with an expanded network of up to 100 extra endpoints, phishing and social engineering will be more widespread, and users should be warned to be more careful about clicking on anything related to the pandemic.

Large numbers of new devices (personal and corporate devices) connecting to the corporate network. Many organizations were still only offering desktop computers for most employees, so Golden said that a challenge has been in provisioning new items, as well as relying on what users have on their home network.

Limited and inconsistent security of home networks that store, process and transmit sensitive business data. Golden said that there may be issues for people working from home, where a computer is used for work but also shared among family members. “How do you make sure your policy is up-to-date and adheres to a consistent policy on where you store data?” she asked, highlighting that downloading sensitive items is a concern as well.

Rapidly implemented technologies that lack sufficient hardening and security controls. Ultimately, new implementations have been done amid a state of “chaos,” Golden said, and businesses will need to get up to speed without sufficient time and energy to include security controls.

Already stretched cybersecurity resources manage an increased attack surface. Golden said that professionals are already “stretched thin” and with remote workers on provisioned devices, “organizations need to look at how to do a scenario plan” to deal with incident response.

Malicious and inadvertent insider threats caused by disgruntled or displaced employees and contractors. “This is one threat we have to think about,” Golden said, especially as people work in different and difficult conditions and the longer that period is, there is a potential for that to rise.

Greater difficulty in maintaining compliance with data privacy regulations in more distributed IT environments. Golden pointed out that there are so many changes in roles and responsibilities, how access is provisioned needs to be considered and companies must make sure they are “giving and taking away as there is an increased ability to keep up with roles and responsibilities.”

Evolving compliance circumstances for regulated industries. Golden said that some industries focus heavily on compliance, and others less so, so you need to do a risk assessment on where you stand on how to keep up with compliance, and think about the impact of compliance on the business considering the vast footprint being made by a distributed workforce.

Complex requirements for identity and access management as roles and responsibilities change. On the same theme, consider how users are being managed when it comes to access, and the provisioning of authentication to remote workers.

"Here is an opportunity for cyber to shine"

Asked if the main issue here was of an unfamiliar way of working, Golden told Infosecurity she agreed, and this was a case of “chaos added to complexity” as we have been thrown into a situation of chaos where we do different jobs and try to focus on the “basics” and cyber hygiene, where we are all moving at different paces.

“If you think about what we need to do protect ourselves, we need to do so every single moment and every chance,” she said. “Adversaries can try 1K times, they only have to be right once. We have to be right 1K times.” She said that with so many things going on, it is hard to know what to focus on and recommended taking a broader, risk based approach. “There are different types of data and people, so focus on assets and what you’re most adept in, and prioritize cyber areas to strengthen your cyber hygiene.”

So where can companies ultimately do things right? She said there “is an opportunity for cyber to shine” in this scenario, by taking a risk-based approach to priorities. She also recommended “bringing back journaling” and keeping a record of what you did and what actions you took, as in the future you can look back and what worked “when a crisis was in place.”

This can involve understanding how to prioritize and execute methodically, as “the increment of time is not an effective view to get back up and running” and if we slow down and reflect now, we will learn more in the long term.

For an initial start, she recommended enhancing threat monitoring due to the increase in the adversarial threat, and re-baseline threat patterns that an adversary may have looked at as a way to get in “and plant something today to execute in six to 12 months from now.” She also recommended addressing both third party and supply chain risks to address new threats.

What’s Hot on Infosecurity Magazine?