December 8, 2020
When Mishaal Khan talks about the importance of robust cybersecurity, he’s not just pontificating as a widely known expert in the field. Like many of us, he has also been the target of online scams. And though the trained ethical hacker and social engineer never fell prey, he knows that countless others haven’t been and won’t be so lucky. But they can increase their odds of success by being better prepared to ward off intruders. Education and awareness, he says, are key.
Mindsight’s Cybersecurity Practice Lead and vCISO, Khan emphasized both when he hosted a recent virtual event titled Cybersecurity: Lessons Learned in 2020, which focused largely on how COVID-19 has exacerbated what was already a dire situation.
For reasons financial and psychological, lots of companies, local governments, schools, and individuals were poorly protected before the pandemic hit. Now, without the proper upgrades and knowledge, they’re more vulnerable than ever due in large part to the unforeseen impact of so many employees working remotely. Scammers are even using stolen social security numbers and addresses to game antiquated state unemployment systems.
The best solution, Khan says, is to be far more proactive than reactive when it comes to security measures. Why? 1) Because law enforcement has a poor track record of catching cybercrooks; and 2) Because preventing a potentially catastrophic attack beats dealing with its ugly aftermath — financially and reputationally. He’s disappointed but not surprised that this mindset isn’t more prevalent.
“Part of it has to do with organizations thinking they won’t become a victim,” Khan says, “so that tends to have a reactionary effect. The other reason is they think a security program is going to be costly, but that’s a misperception. In fact, the lack of security is going to cost them more. They also think it’s going to involve complexity, but what they don’t realize is there are experts, partners like Mindsight that can help them understand that complexity and make it more simple.”
Here are some crucial insights Khan offered during his virtual event:
Security issues tied to remote work: VPN, BYOD, redundancy
There’s an old-school mentality that employees should be monitored, that they should be in front of us in the office, so remote work policies were frowned upon by many companies. The tech giants like Google and Microsoft were way ahead of the curve on this and already having their employees work from home, so it wasn’t a huge change for them. Much of what’s going on in terms of cyberattacks on this dispersed workforce has to do with social engineering — chiefly phishing and vishing.
Most of those who used cloud services pre-pandemic still had their workforce on-prem, so their security officers had the capacity to handle all that user traffic. But home connections don’t, or didn’t initially, have that capability because companies’ IT systems weren’t built for the scalability and mobility that a remote workforce requires. For example, if an employee moves from a coffee shop near his home to a different state or country, there should be no difference in his ability to access the company’s systems. But not every company took that into account. Many had VPNs that required workers to be within certain geographic boundaries or they were denied access.
And not every company had clear BYOD (bring your own device) policies. The main problem with BYOD is that if you’re using a personal device, your system can be compromised. And if that happens, the company’s systems and data are also compromised, because your laptop is storing credentials or may be logged into the company VPN. That’s why more endpoint security, encryption and anti-malware protection are needed. And there has to be a way of monitoring those devices so problems can be quickly addressed.
VPN systems need to be bolstered as well. Insufficient VPN capacity is disruptive to the entire workforce. Whereas previously 100 employees were logging in remotely using a VPN, now 2,000 or 20,000 are doing so. Upscaling those systems is fairly easy, but companies were unprepared to invest additional money in better routers, to improve redundancy with additional firewalls, and to shut down networks in order to upgrade them.
Cloud and SaaS security
Cloud companies protect your data, right? Wrong. That’s your responsibility. Start a security checklist to make sure you’re taking all necessary steps to avoid breaches. And have your systems regularly audited by third parties, whether hired pentesters or bug bounty program hackers, to make sure all security protocols are up to date and maximally effective so vulnerabilities are minimal.
The largest educational data breach on record hit the edu platform Edmodo in 2017. A hacker made off with 77 million records that contained emails, passwords and phone numbers. As a result, other scammers and hackers leveraged the stolen information to launch their own attacks. But despite the enormity of that breach, and despite the fact that breaches of education systems happen quite frequently, there remains a mentality of “it won’t happen to us.” And until it does, many in the education sector won’t take security seriously.
Unfortunately, the same goes for those in other fields. In a way, we’ve become immune to this sort of information. We keep getting bombarded with news about data breaches and end up thinking, ‘Well, we can’t do anything to protect ourselves.’ But that’s wrong. We can. And we should.
Interested in learning more about how organizations are increasingly leveraging virtual chief information security officers? Read our recent blog that dives into the value that vCISOs bring – at a fraction of the cost of a full-time security expert.
Mindsight is industry recognized for delivering secure IT solutions and thought leadership that address your infrastructure and communications needs. Our engineers are expert level only – and they’re known as the most respected and valued engineering team based in Chicago, serving emerging to enterprise organizations around the globe. That’s why clients trust Mindsight as an extension of their IT team.
Visit us at http://www.gomindsight.com.
About the Expert
Mishaal Khan, Mindsight’s Security Solutions Architect, has been breaking and – thankfully – rebuilding computers for as long as he can remember. As a Certified Ethical Hacker (CEH), CCIE R&S, Security Practitioner, and Certified Social Engineer Pentester, Khan offers insight into the often murky world of cybersecurity. Khan brings a multinational perspective to the business security posture, and he has consulted with SMBs, schools, government institutions, and global enterprises, seeking to spread awareness in security, privacy, and open source intelligence.