When businesses left the office in 2020, they left long-relied-upon security strategies behind.
IT departments lost control of the connectivity path of employees, which made the cybersecurity controls and tools that were centralized on internal networks less effective — or even useless.
To keep business operations running, organizations became more reliant on public cloud and SaaS applications, with some rushing into digital transformation before the proper security mechanisms were in place.
Security teams now had to deal with a new infrastructure without perimeters.
In tandem with these new security challenges came a spike in cyberattacks. The FBI reported a dramatic increase in cybercrime complaints during the first year of the pandemic, thanks largely to more sophisticated ransomware attacks.
As organizations tweak their workplace models, cybersecurity will continue to shift. As long as there are workers returning to the office, companies can expect the return-to-work model to stress a corporate infrastructure that has languished in recent years.
This shift will create security challenges in the same way that work from home created secure remote access challenges during the start of the pandemic, according to Rajiv Pimplaskar, president and CEO of Dispersive Holdings.
"The return to office or hybrid work paradigm should balance secure remote access needs with core infrastructure and resiliency to ensure great user experience, and security everywhere," said Pimplaskar.
The hybrid worker
With few exceptions, businesses will likely never return to the days when everyone worked in a single office or a central location. Many workers are fighting to stay remote full time, while many companies are offering employees the chance to split their work schedules between remote and onsite.
Hybrid workforces will also require a shift in cybersecurity culture. It's going to mean meeting people where they are and understanding the limits of any cybersecurity approach.
"A holistic, cultural approach is needed to ensure that organizations are devoting the talent and resources necessary to protect themselves and their customers from falling victim to compromise both today and in the future," said Chris Clements, VP of solutions architecture at Cerberus Sentinel.
For example, it's unfair to expect non-security professionals to spot sophisticated phishing attacks, yet that's what was asked of employees while they worked remotely. Security awareness training is effective, up to a point.
This became apparent during the lockdown period, when phishing attacks weaponized COVID-19 fears and employees, cut off from their normal security support system, had no one readily available to ask for help.
The new threats
Threat actors have long relied on phishing as a popular attack vector, and the pandemic didn't change that.
"Phishing has always been a reliable way for threat actors to gain initial access to their victims, but during the pandemic it's absolutely exploded in volume," said Clements.
One report by security firm F5 found phishing rose by 220% during the pandemic when compared to previous yearly averages, and it is expected that phishing will continue to increase around 15% annually once COVID-19 levels out and things return closer to normal.
Another shift in threats since the pandemic has been the targeting of remote access systems and cloud services with credential stuffing attacks. While multifactor authentication has always been the most effective control against credential attacks, there are threat actors now using MFA as an attack vector.
"I've actually responded to a breach since the pandemic began in which a user approved an attacker's sign in through an MFA prompt," said Clements.
Attackers can spam multiple login attempts, which in turn send so many approval prompts that even the most security-knowledgeable user may approve the request with an inadvertent tap.
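A defender can look for this pattern in authentication logs: a burst of MFA push prompts for one user in a short window, and especially an approval that lands inside such a burst. The sketch below is an added example, not part of the original article; the log format, event names, 10-minute window and threshold of five prompts are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <user> <event>". The format and
# event names are assumptions, not any real identity provider's log schema.
SAMPLE_EVENTS = """\
2022-03-01T02:14:00 bob push_sent
2022-03-01T02:14:30 bob push_denied
2022-03-01T02:14:40 bob push_sent
2022-03-01T02:15:10 bob push_sent
2022-03-01T02:15:30 bob push_denied
2022-03-01T02:16:00 bob push_sent
2022-03-01T02:16:20 bob push_sent
2022-03-01T02:16:45 bob push_sent
2022-03-01T02:16:50 bob push_approved
2022-03-01T09:00:05 alice push_sent
2022-03-01T09:00:20 alice push_approved
"""

def parse_events(text):
    """Turn log text into (datetime, user, event) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return events

def detect_prompt_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Flag prompt bursts per user, and any approval that lands inside one."""
    recent = defaultdict(deque)  # user -> prompt timestamps still inside the window
    in_burst = set()             # users already alerted for the current burst
    alerts = []
    for ts, user, event in sorted(events):
        q = recent[user]
        while q and ts - q[0] > window:   # expire prompts older than the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
        if len(q) < threshold:
            in_burst.discard(user)
        elif event == "push_sent" and user not in in_burst:
            in_burst.add(user)
            alerts.append((user, ts.isoformat(), "prompt_burst"))
        elif event == "push_approved":    # approval during a burst: highest severity
            alerts.append((user, ts.isoformat(), "approved_after_burst"))
            q.clear()
            in_burst.discard(user)
    return alerts
```

On the constructed sample, bob's fifth prompt in the window raises a burst alert and his approval thirty seconds later raises the higher-severity one, while alice's single prompt and approval pass silently.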
What's next for enterprise security
If there's a lesson for cyber executives emerging from the pandemic, it's to be fluid with security.
Recent history has proven that threat actors will get past an initial line of defense, if not on the first try, then on the second, third or tenth. They will find the organization's weakest link and exploit it.
In the past, organizations tended to react after the incident and look for the weaknesses as part of the mitigation process.
Moving forward, workers can expect to see zero trust take a more prominent role in security systems and processes. Zero trust on devices and network access will be the one constant for remote, onsite and hybrid workers.
Organizations also need to focus on the fundamentals of security, according to Snehal Antani, CEO and co-founder of Horizon3.ai. That includes good identity and access hygiene, continuous assessment, and the adoption of a purple culture – using offensive actions to inform defensive actions and focus their efforts on the issues most likely to impact their business first.
"Organizations need to build a multi-year security roadmap to help ensure they're not only focused on how to protect themselves from incidents today, but also for the future of cyberthreats," said Antani.