For many companies, the goal for the first half of this year was simple: digitally transform, or risk going out of business. This meant, to continue functioning amid a raging pandemic, they needed to execute “emergency digital transformations” to enable employees to work from home, and to enable formerly manual processes to be conducted digitally.
In fact, a May 2020 survey conducted by MariaDB found that 40% of respondents are fast-tracking their move to the cloud due to COVID-19.
Now that we’re nearing the end of 2020, and most organizations have completed their urgent cloud projects and adjusted to the COVID-19 economy, a new challenge is surfacing: the impending security and compliance reckoning resulting from all of this rapid and forced digital transformation.
Preventing a Security and Compliance Crisis
Though companies may be out of the woods when it comes to the “stay-in-business” crisis they faced earlier this year, they are now in a vulnerable position from a security and compliance perspective.
The reason for this is that, in the hurry to get digital processes and technologies deployed as quickly as possible, cybersecurity teams weren’t given the necessary time to perform their normal security and compliance checks. Rather, security and compliance took a back seat to getting businesses up and running in the new “COVID economy.” In everyday terms, this would be like buying a house in a high-crime neighborhood and having to move in before you could take the necessary time to install locks and add security systems.
As a result of this situation, companies are now facing a potential security and compliance crisis for several reasons:
Cyber-criminals are targeting remote workers with an unprecedented volume and variety of attacks, in the hopes that they’ll provide a new entry point onto corporate networks. Case in point: Recent research by Malwarebytes found that 20% of the 200 respondents surveyed experienced a security breach as a result of a remote worker.
The risk of cloud misconfigurations – already a leading cause of data breaches – is heightened as a result of accelerated digital transformation projects. In its “State of Cloud Security” report, Fugue recently found that 92% of respondents are “worried that their organization is vulnerable to a major cloud misconfiguration-related data breach.”
Following an Executive Order issued in May, most regulatory bodies relaxed compliance enforcement during the early months of the pandemic – but this grace period is expiring. And, with many paper-based processes being transformed into digital ones during the crisis, regulations will evolve in the coming months to keep pace with business practices.
What Can Be Done?
Many companies are now finding themselves in a situation where their workplace has become significantly more digital, and now they must rush to implement the proper controls to avoid data breaches and regulatory fines. So where does this start?
The best way to begin is to take a step back and assess your digital footprint to identify areas where security and compliance gaps might exist. Understanding the cloud shared-responsibility model is helpful here, because, if you do find areas in need of remediation, you will know what you are responsible for taking care of, and what your cloud service provider should handle.
Pay particular attention to the following three areas in the assessment process, as they commonly cause security and compliance challenges within IT environments:
- Excessive Access Privileges - Similar to how companies rushed digital transformation projects out the door without taking the time to consider security protocols, many IT teams hurriedly deployed broad access privileges to remote employees with the goal of getting them up and running from home as quickly as possible. Giving employees access to company data and networks beyond what is required for them to do their jobs escalates the risk of insider threats and compliance violations. Consider refining access by adopting a least-privileged-access strategy, which gives employees only the access they need to fulfill their job responsibilities.
- Misconfigurations - As mentioned previously, cloud misconfigurations remain one of the top causes of data breaches. To see if misconfigurations exist within your environment as a result of rushed digital transformation projects, consider using scanning tools. These solutions can analyze your environment to find problem areas, such as open buckets or unencrypted data, and provide the associated level of criticality – so you can understand the level of risk posed to your business.
- Manual Processes - The dynamic nature of the cloud makes it extremely difficult, if not impossible, to manage security manually. Evaluate your security processes to identify areas where you may be able to implement automation. If possible, automate the full security lifecycle – from programming, to threat detection, to remediation. Doing so will allow you to build security policies and guardrails into cloud systems, processes and technologies from the start, so they will automatically adapt alongside cloud evolutions – strengthening your security and compliance posture, in the process.
Plan Ahead
In addition to conducting a thorough security and compliance assessment and implementing necessary controls to reduce the risks introduced by existing IT environments, it’s important to start planning now for future projects. Talk to key IT and line of business managers to find out their plans for digital transformation projects for the remainder of the year, and start putting the building blocks in place now to ensure a fast, secure and compliant deployment when the time comes.
Following this roadmap will help you shore up security and compliance and keep your company operating efficiently, regardless of what additional chaos COVID-19 may bring to the workplace.