By Rebecca Herold
Last updated: December 15, 2020
2020 was a wake-up call for more than healthcare pandemic preparedness. It also exposed some huge security and privacy vulnerabilities affecting remote workers, which cybercrooks exploited thousands of times throughout the year: both work-from-home (WFH) employees and the mobile workers who have largely been flying under the radar of CISOs and information security departments for the past two to three decades. Will cybersecurity and privacy pros heed the lessons learned from the awakening?
Throughout 2020 I’ve been writing my 20th published book, “Security & Privacy when Working from Home & Travelling,” published by CRC Press. Hopefully I can get the final edits completed by the end of January to allow for a Q1 or Q2 2021 publication date. At a current 600+ pages, which I’m tightening up and making more succinct now, you can imagine that the number of key issues that organizations need to address goes well over 100. It does, and they are detailed in the 23 chapters of my book!
However, if organizations addressed at least the following three issues, they would dramatically reduce their cybersecurity threats and vulnerabilities, reduce privacy breaches and information security incidents, improve compliance with their legal responsibilities, reduce successful cybercrime attempts, and improve employee awareness (resulting in increased employee satisfaction). They would also be viewed as more trustworthy organizations, and as organizations where employees want to work and stay, because privacy and cybersecurity for employees would be as high a priority as cybersecurity and privacy compliance is for the organization.
The first issue is training and awareness. In the past 5-10 years, information security training vendors have narrowed their focus largely to phishing awareness and password security. Phishing and passwords are certainly important and should be covered, but there are many additional areas where all employees need to be aware. Plus, there absolutely must be ongoing awareness reminders, activities, and other types of communications and actions to keep security and privacy top of mind for all workers with access to any portion of the organization’s information systems (data, applications, servers, networks, etc.). In fact, this trend motivated me to build a new SaaS training and awareness services business with my 23-year-old son, which we have been building throughout the year and will launch in January 2021. Too many organizations depend solely on technology for security protection and privacy preservation; too many technology vendors perpetuate the false claim that technology alone can address all security and privacy issues. That has never been true, and in today’s remote working world there is absolutely no way that security technology alone is even close to being enough. The human component is huge, and one human lapse, due to a lack of awareness from a lack of training, can bring down a huge organization.
I have long advocated making “Responsible Computing” (including information and cyber security, and privacy) the 4th “R” in our education systems’ curriculum, starting at preschool…as soon as a child can hold or interact with a computing device. We must ensure that our children learn from the earliest ages how to secure their personal data and their privacy, and that of others. This cannot be a one-off activity that gets done and is then forgotten, or revisited only after a long year has passed. Responsible computing practices must become woven into our education systems in everything that our children learn and do, just as speaking and wRiting well, understanding aRithmetic, and Reading at levels that will help them truly understand STEM, the arts, history, civics, and every other topic that will help our children be most successful. So, to put it more succinctly: make information/cyber security and privacy education an integral part of all lifelong learning, by default. If this goal is accomplished, I know the resulting knowledge and associated informed behavior changes would make everyone safer online, and with all forms of information. It will also become an expected part of organizations’ training programs as well.
The second issue is vendor oversight. There is still a checklist mentality in most organizations when it comes to vendor/third-party and supply chain security and privacy management and oversight. 2020 has demonstrated that organizations cannot just tootle along with the same old status quo vendor oversight practices. Think about this: those dozens, hundreds, or even thousands of vendors (to whom organizations have entrusted access to their data, applications, systems and/or networks) were also thrown into a new remote working world in 2020. How are they handling this situation? Do they now have new vulnerabilities, and are they facing new threats, as a result of risky ways their workers are doing their jobs from their homes, or from some other location? Have they kept your organization updated on changes in their organizations that would impact the security and/or privacy of your organization and/or your customers, patients and/or employees?
Every organization must address this important type of insider threat: the threats, along with the vulnerabilities, that third parties throughout the supply chain bring into an organization. If they do not, they face significant security incidents and privacy breaches. Consider these survey and research findings:
Mastercard's RiskRecon and the Cyentia Institute reported in their 2020 research that only 14% of those surveyed trust that third parties’ actual security in practice matches their responses to long-established vendor security questionnaires.
A recent Gartner report determined that a data breach is, on average, $700,000 more expensive when a third party is involved.
A 2018 Ponemon study found that almost 60% of companies had experienced a data breach caused by one of their vendors/third parties.
The third issue is remote and mobile working policies. Many organizations are still using the exact same remote and mobile working security and privacy policies today as they were in December 2019. Many more organizations still have not created documented remote and mobile working security and privacy policies and procedures that are customized to fit their own unique business environments. And far too many flawed assumptions are being made about remote workers (employees and contractors). Consider just a few questions:
Think your organization doesn’t have to worry about the security implications of 5G because you’ve not implemented it? If your remote workers are using it, then parts of your business systems environment now run over it.
Think that IoT is not an issue to address in your organization? If you have remote workers, I’d bet a bundle that there are a large number of IoT devices within their home wireless networks and/or in their work area vicinities that are now incorporated by default into your business systems, bringing threats into your organization and creating vulnerabilities of which you are not aware.
Believe that you have no AI use to worry about? Think again if your remote workers have apps on their computing devices that connect to clouds using AI, and/or have IoT devices that incorporate AI within their functions.
And the list could continue on for pages.
If each organization makes these three actions a priority in the coming weeks, it will substantially reduce its security and privacy risks, and as a result its breaches and incidents. The organization can then identify the additional actions to take to further improve the maturity of its information security and privacy management program.
CEO & Founder, The Privacy Professor; CEO & Co-Founder, Privacy Security Brainiacs