During the second half of 2020, organizations made many of their information technology decisions out of necessity. Cybersecurity in work-from-home situations was put to the test as teams rapidly adapted to heavier use of virtual private networks (VPN), the prospect of bring-your-own devices connecting to company networks, and the increase in phishing and other email-related cyber threats.
The dust continues to settle on the new reality for how and where we are working, which may call for additional changes to your organization’s information security approach at large. Below are some trends and approaches to consider as your organization charts out its next steps.
Get Additional Protection for VPNs
Frequent and heavy use of VPNs will continue long after the vaccine rollout is complete. As remote access (VPN and remote desktop) use grows, so does the number of endpoints your organization's information security plan must protect. Early surveys indicate at least one-third of the workforce may be working from home for the balance of 2021.
Consider strengthening your multi-factor authentication (MFA) procedures, starting by requiring MFA on every VPN and remote desktop login rather than relying on passwords alone. (Simply forcing more frequent password changes is not a substitute: it does little against phishing or credential reuse, and current NIST guidance in SP 800-63B advises against arbitrary periodic rotation.) Adopting a stricter approach to allowing other devices onto the network is also wise. A "zero trust" model, for example, verifies the user and the device on every connection instead of trusting anything that is already inside the network, which limits how long an unauthorized user can keep access and how far an attacker can move laterally from a device he or she has compromised. Attacks on Internet of Things (IoT) devices are on the rise, which makes tightly controlling which devices and remote access tools are permitted a necessity.
Double Check Your Cloud Solution Security
Keep in mind that more functions may also be relying on cloud-based solutions as employees work more regularly from outside the premises. Tried and true processes that needed employees physically present have had to change over the past year, and while some may snap back to how things were before, many of the investments needed to facilitate virtual sign-offs and other tasks may already have been made. Be sure to integrate new technologies into your overall information security protocol so that the new tools are inventoried, monitored for vulnerabilities, and updated as appropriate. For example, information technology teams need to know when security patches are available for new tools, because third-party tools for which a patch was available but not applied have been the source of some significant data breaches in the past. Also, ensure you are asking for and reviewing SOC 2 reports from any cloud service provider to understand how your data is protected and which controls remain your responsibility.
Make IT Team Investments
Ransomware, foreign state-sponsored breaches and other more sophisticated threats to information security continue to emerge. As information technology footprints and external hacker risks grow, your IT team may need expanded capabilities as well. If you operate in an environment with large volumes of sensitive data and don't have a Chief Information Security Officer (CISO) in place, you may consider adding one. Boards, CEOs, and external auditors are asking more cybersecurity questions, and a higher profile for cybersecurity may also call for a leader who places the security function within the framework of the overall business strategy. Increasing interest in privacy and security regulations may also elevate the need for a CISO.
Cybersecurity experts are in short supply, so if your organization is looking to increase its bandwidth, it may need to be creative with the solutions it takes.
Elevate Cybersecurity Training
Hackers often target employee-controlled access points, such as email, and as a result training needs to remain front and center in 2021 strategies. COVID-19-related phishing scams continue, so especially in the short term, employees should be well-versed in the tactics and scams that may arrive in their inboxes. Consistent education about how to recognize scams and what to do with suspicious emails (who to report them to, and not to click links or open attachments in the meantime) can be a vital way to protect your organization from unwanted intrusion. A 2020 release from CSOOnline, a source for security news, found that phishing accounted for more than 80% of security incidents.
Also, given the shortage of skilled IT professionals, your organization may be in a position where it needs to build its cybersecurity expertise internally through education and training.
For More Information
If you have comments, questions, or concerns about how to apply cybersecurity best practices to your organization, please contact us.
Copyright © 2021, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).