40% of us click on suspicious links in phishing emails. 30% of us actively bypass security in order to do our jobs. 45% of us buy our own IT equipment, and for two thirds of those that do, security isn’t a big part of the purchase decision.
Plus, when we do click on those dangerous links, 70% of us don’t report it to IT.
We’re too afraid of the consequences.
Or we just don’t want to deal with the hassle.
“As IT continues to grow in complexity, security support is becoming unmanageable,” says Ian Pratt, who leads security for personal computers at HP and just released the results of a massive 8,443 office worker survey on cybersecurity in the world-from-home age. “We need a new security architecture.”
We need a security architecture because we have a new threat envelope. Thanks to our Covid-fueled work-from-home business culture, the cell membranes of our massively distributed enterprises don’t really exist anymore: work happens anywhere, and secure data lives everywhere. To make matters worse, hacking and cracking has changed from an individual activity by a few maladjusted computer hackers to entire teams or even countries. The result is 29,207 confirmed security incidents in Verizon’s 2021 DBIR already.
In fact, hacker collectives have essentially formed companies.
“Ransomware as a service absolutely is a booming business,” HP chief information security officer Joanna Burkey told me in the TechFirst podcast. “10 years ago it took a lot more skill to craft a successful attack and now can easily be purchased.
But she still sleeps at night.
And so does Siemens USA chief information security officer Kurt John.
“Not all hope is lost,” says John. “I think there’s some things that we can do.”
Some of the actions CISOs and IT teams can take is endpoint detection: monitoring printers, laptops, phones, and other tech. Another, Burkey says, is containerization: a way of bundling code with all its dependencies and requirements in an isolatable component which limits infection of other systems if it gets compromised. Plus there’s a new focus on identity, along with multi-factor authorization and zero-trust systems, so that important corporate systems always know who is requesting access and what permissions and privileges they should have. And anomaly detection systems, particularly those using AI, to identify and investigate potential issues.
Another cybersecurity key? Planning to fail.
Or, at least, planning for what to do when systems will get breached.
“What you want to do is fail as quickly as you can so that you can recover as quickly as you can,” says John. “That’s part of being cyber resilient … you hope you don’t and you plan that you don’t, but what you do is you orchestrate your ecosystem so that if you do get impacted, you have the ability to recover as quickly as possible. And once your organization is in that place, I think you’ll be able to sleep a little bit better night.”
That’s fairly amazing when you understand that the average enterprise of over 1,000 employees gets a 4,230 alerts in its security operations center (SOC) every single day, with a quarter getting between 5,000 and 10,000.
The work from home change isn’t going away, so the technology landscape isn’t going to get simpler.
And while that brings challenges, it’s also a good thing, says John.
“We need a cultural change and the organization needs to … acknowledge what the human condition is,” he says. “It’s not just home or office, it’s office after just coming out of college because I’m excited to meet new people and learn new things. It’s home, because I just got a family, I have a newborn and I need to help out at home. It’s the office again, because I just got married and have a newborn and I need adult interaction … if we recognize that the human condition requires us to be in different places at different times, I think ultimately our business strategy, or IT strategy, or cyber strategy would adjust.”
That sounds pretty much like the real world.
And one that cybersecurity tools and professionals need to be able to support, if they’re going to be effective for a distributed workforce.