The world is changing – and not just during a pandemic
Having worked as an Information Security Manager since 2010, I can say with confidence that the world has gone crazy. Employees stay at home, use their personal computers and laptops for work, have remote access to the company's corporate network, hold meetings and discuss business issues using Zoom instead of corporate messengers and video conference systems – a complete and utter shock.
This is roughly how a typical head of information security at most Ukrainian companies would have reacted 10 years ago.
What is more surprising, though, is that there are still companies that use old-fashioned practices and seem not to notice the changes taking place in the world. Jen Doichman’s mantra ‘change or die’ has already become dogma, but it seems that not all companies are afraid of ‘death’, or rather, not all managers understand that ‘stability’ is capable of harming their companies.
Indeed, the fear of change lives in each of us, so we strive for stability, which is an essential human need according to Maslow's pyramid. However, the best minds in the world, such as Bill Gates, Richard Branson, Itzhak Adizes and others, encourage embracing change, as standing still could result in the collapse of a company.
It would seem that the current situation should force everyone, without exception, to accept the new rules of the game and change. However, after three months of quarantine, there are still organizations in Ukraine that work in the old-fashioned way. Needless to say, each company addresses risks according to its business objectives, risk appetite and technical capabilities. But if a company continues to play by the old rules in a constantly evolving environment, this will surely lead to a decline in its efficiency.
Below are some examples of how technical solutions have changed people's attitudes to the previously established ‘beliefs’ on information security.
Today, one of the basic requirements is not to write down your passwords anywhere. However, 20 years ago it was a common ‘tradition’ to write passwords down on a piece of paper and stick it to the monitor or keep it under the keyboard. Now you can ‘write down your password’ using a special program – a password manager – which stores passwords in encrypted form and makes them inaccessible to third parties. Furthermore, password managers allow you not only to save passwords, but also to enter them automatically wherever they are needed. This makes it possible to create passwords of any length and complexity, thereby increasing account security.
For example, the password 4837skfn&*(alm234(z,ejgfo93057_@*%^#$,snmdgj#@JD)AJ$nfbhsaei458IAdnvj59WJbdicnsyu49%&#)FJdvnskrh574sidjBS%&LSdnvRo40d3jvnvSomW$% contains 128 characters, making it rather difficult to write down on paper or type on a keyboard without making a mistake. But with the help of a password manager, you can do it in one click.
Another example is biometric devices, which have recently appeared on our computers. They allow authentication using biometric data, such as a fingerprint or face. Although these devices record and store our biometric data, in this case the information is also stored in encrypted form, which raises the level of protection against information security threats for both employees and companies.
It is also worth mentioning the use of non-corporate means of exchanging information. Every company is interested in monitoring its processes, but with the growing popularity of messengers that employees can use on their phones, companies in fact have no technical capability to restrict data exchange through these channels. Here the culture of working with corporate information comes to the fore: the organization's confidential information will be protected only if employees refrain from recklessly sharing it. Furthermore, many messengers (WhatsApp and Facebook Messenger) use end-to-end encryption of messages by default, while in others (Viber, Telegram) this function can be activated when required, thus allowing information to be protected at the level of the data exchange platform.
There are also a number of new teamwork tools – Slack, MS Teams and Trello – which also have built-in online communication mechanisms. These tools are used not only by geeks, but also by ordinary employees in project or team work.
Many programmers actively use GitLab and GitHub. A company can restrict access to these resources not only on the corporate network, but also on laptops, which will directly affect the performance of the company's development team. However, this will not work for everyone, as companies now engage freelance developers who work on personal devices and are unlikely to be happy about having any restrictions on their laptops.
Moreover, there is already a new paradigm of serverless architecture, according to which a company can have IT services based entirely on online tools and, accordingly, will not need its own servers. Small companies and startups are already employing this approach, using Gmail or Outlook as an e-mail system with their own domain, Office 365 or Google Docs as teamwork tools for working with documents, and Google Drive or OneDrive for storing and sharing data. Now it is the turn of the big players.
As the paradigm of confidential information exchange changes, new tools for information and cybersecurity professionals will emerge. Today, antiviruses are already being transformed into endpoint protection tools, which not only search for malicious code, but can also perform a local firewall function. Furthermore, firewalls are not only being transformed into tools for analyzing and blocking network traffic, but also perform DLP functions, helping to detect certain data in the information flowing through communication channels.
A Security Operations Center is no longer necessarily a server with software located in the company's own server room. The server can be located somewhere in the cloud with any SIEM system, with qualified analysts from another country, and with incidents arriving in the company's service desk system.
As the world is changing, companies should not stand still but adapt to the evolving environment. Information security and cybersecurity units can help organizations (or hinder their efforts) to adapt their rules of the game to the new realities. When information security units assess risks as having the highest level of criticality in terms of impact on the business and an almost 100% probability of materializing, managers should pay attention to how cyber risks are assessed by their immediate competitors. Company managers can also factor in the experts' insights to better understand which risks they may accept, which they should minimize, and which require immediate mitigation actions.
Yuriy Hudz, IT Audit Services Manager at Deloitte Ukraine