Home Interviews “Locking down access is not the answer, but controlling and understanding data...

“Locking down access is not the answer, but controlling and understanding data is”

Laurence Pitt Juniper interview

Enterprise security challenges witnessed a sudden uptick due to the spike in work from home. A recent study commissioned by Juniper and conducted by Vanson Bourne explored the attitudes, perspectives, and concerns of senior IT networking and security professionals from various industry sectors across the globe. The sudden changes in priorities, poor network visibility, and lack of time were cited as key issues for security professionals struggling to cope with new norms.

To dive deeper into the study and to understand the impact COVID-19 and work from home formats has had to the realm of cybersecurity, Augustin Kurian, Senior Feature Writer from CISO MAG, engaged in an interaction with Laurence Pitt, Global Security Strategy Director at Juniper Networks. Laurence is a passionate cybersecurity professional with a career spanning over 20 years. He understands the security concerns businesses face today and brings insight into the challenges they will face tomorrow. Laurence joined Juniper Networks in 2016 and is the senior security specialist in EMEA.

Excerpts from the interview:

How do you think the insider threat landscape has changed post the COVID-19 outbreak and employees switching to work from home mode? What are the alarming trends that you have witnessed in the last few months after the lockdowns began? Has there been a shift in the method of cyberattacks? What did the internet in India look like in the past?

The most significant change to the landscape with COVID-19 has been in respect of visibility for the security and network team. Put simply, threats that would be visible on a corporate network have now become invisible as they are on a home network. The definition of ‘insider threat’ has shifted. Previously the insider would typically be a disgruntled, coerced, or inadequately trained user, either sharing data, exporting data, or providing access by responding to a phishing attack. With people working from home, the user’s network now has the potential to act as an insider on the corporate network, perhaps because someone in the household has downloaded ransomware or the home-worker uses a corporate device to access personal email and gets ‘phished.’ In a recent survey we commissioned among CISOs and other senior IT professionals across nine countries, it was highlighted that 73% of organizations are struggling with the demands of the pandemic on their network and security. Therefore, we expect to see a growth in attackers taking full advantage of what they see as an opportunity.

An earlier EC-Council’s survey pointed out that 1 in 3 employees don’t use VPN to connect to the company network while working from home, escalating vulnerabilities emerging from insider threats to sharp levels. Why do you think there is such a trend even after increased knowledge about cybersecurity globally?

There is one reason that people avoid using a VPN on their device: performance. Whether it is slow to connect or slows down the network connection once running, either is frustrating. However, the reason employees use a VPN is to access resources that would not be available outside of the corporate network. In other words, they use a VPN because they must. For any resource where VPN is not required, users at home will tend to disconnect. With the growth in SaaS services such as Office 365, Salesforce, SSO applications, and CASBE, the need for a VPN to access resources has reduced overall.

COVID-19 saw mass layoffs across several companies across the world. Several of these may have been employees with privileged access. It is also true that often disgruntled employees are the biggest reasons for insider attacks. In such a situation, can you explain how HR can be leveraged in preventing insider attacks? What role can a CISO perform here?

Losing employees with privileged access is not a problem if there are processes in place to understand who is accessing what, when, and from where. When someone leaves, it is simple to de-provision their access immediately and have a record that this has occurred. It is the role of the CISO to make sure that these policies and processes are in place, rigorously enforced, regularly reviewed, and updated as new systems are deployed across the corporate network.

HR also carries responsibility for system access when an employee leaves and this is often underrated. When a new employee starts, systems will put their user ID into relevant groups for them to have zero-day access to applications and devices which they need for their role. Over time, this list will grow as the user role changes. The same HR systems should be capable of auditing these changes per user and reporting on privileges when required. If correctly implemented, this process would mean that when a user leaves, it is simple to activate a zero-day stop on their account, immediately de-provisioning access to systems on the day their role is terminated.

How do you think MSMEs are handling cybersecurity post-COVID-19? There have been several malware distributions campaigns with COVID-19 as bait or targeting their supply chain. How badly are MSMEs affected by the pandemic?

MSMEs are doing the best they can but having to account for a suddenly expanded network to manage employees who will be using a mix of home and corporate devices for their role. They must rely more upon the security awareness of users to prevent the spread of malware, but this is a challenge. In the survey we conducted recently with security specialists globally, almost 40% of them saw an increased challenge from threats due to the security of home networks. Add this to the 31% of remote workers who also use their own devices to access corporate information and we are in a time of high-risk. Employees are only trying to do their best to maintain productivity and do what’s right. Unfortunately, many organizations simply did not have the right level of a plan in place to deal with the pandemic and global lockdown.

Many a time, recruiters are unable to recruit knowledgeable or skilled personnel to deploy their security automation tools. This is a major hindrance to a good cybersecurity posture. Do you think there is enough stress on the need for security automation programs?

No, there is not yet enough stress on the need for security automation. It is an essential technology since modern threats now come in so many different forms – and the bad guys are already using this technology to develop, test, and launch their attacks. In our recent global survey of CISOs and IT professionals, we asked about the importance of centralized automation in keeping ahead of the bad guys and 97% agreed and felt that centralized automation would greatly simplify the process of securing their environment. Nonetheless, there are two barriers to adoption:

  • For an automation project to be successful, it needs sponsorship across the entire business. From HR to Finance, from Security to Networking. Unless the whole company is represented in the project, it is more likely to fail.
  • Getting the right skills to deploy automation and then retaining them is the second barrier. Finding someone who understands the tools and has experience is the easy part, but these are specialists who are in demand. They will move onto another project if they do not see the right level of sponsorship for success or if the drive for automation becomes stale and they do not feel that their skills are developing.

For security automation or any system’s automation, to succeed, the combination of these two barriers must be overcome, not just for the duration of the project but as an ongoing strategic investment for the business.

As soon as the pandemic occurred, every industry had a void and became a hunting ground for cybercriminals. And there are a lot of cases when it comes to application security and data security, where many times industries do not know what their critical data is. So, how do you think we can combat this?

Many organizations do not realize how critical their data is as a business asset. Historically, data has not been tracked or managed. It is complicated to understand why a seemingly irrelevant dataset becomes both sensitive and important (and, therefore, potentially valuable and vulnerable) when combined with a second dataset. Often following a breach, or the risk of a breach, the first action is to lockdown access to data by applying multiple layers of security. While this is valid, it is not the solution and is like ‘bolting the stable door after the horse has gone.’

Data is the most critical thing that any business handles; it is the heartbeat of the business. Without it, transactions cannot occur, products cannot be developed and interactions with customers cannot take place.

Locking down access is not the answer. But controlling and understanding data is. Look at DLP (data loss prevention) solutions to help, take time to document what information is being stored and where, and put in place controls to understand what is sensitive, what needs protecting, and how it should be protected.

Many countries now have data governance regulations in place (for example, the EU-GDPR) and these include guideline recommendations for best practices in securing data. They are an excellent place to start.

How will the world be after this COVID-19 phase? What do you expect to be different in a post-lockdown world, regarding cybersecurity and hiring? 

After COVID-19, one of the most significant changes we will likely see about cybersecurity and hiring is that location will become less important for new employees. Our recent survey suggested that on average, respondents expect 37% of their workforce to continue working from home, either full or part-time. Lockdown has clearly demonstrated that it is possible to be productive and successful in a home-working or remote environment and investments are being made for this to continue. Flexibility in employment will become a new way of hiring and working.

Augustin Kurian is part of the editorial team at CISO MAG and writes interviews and features.