Speakers: Helen Patton (Chief Information Security Officer, The Ohio State University), Emre Koksal (Founder, DAtAnchor, Professor, The Ohio State University), and Dakota Rudesill (Assistant Professor of Law, The Ohio State University, Moritz College of Law).
In response to what seems to be evolving as the new normal, Ohio State’s Risk Institute at the Fisher College of Business, in partnership with representatives from the insurance industry, found an innovative way of discussing some of the pertinent questions surrounding COVID-19’s impact on business with over 300 listeners through a virtual webinar on Zoom, June 10, 2020.
When asked what keeps them up at night, many risk professionals place cybersecurity near the top of their lists. With the changes in how we work amidst the COVID-19 pandemic, this discussion around cyber risk – particularly the protection of data – becomes even more relevant.
Prior to the outbreak, it was not unusual for part of the workforce to work from home, at Starbucks, or at the airport. For years, security teams have had to work across multiple clouds, with multinational companies, and with workers in different locations on a variety of platforms and devices. None of this is new in itself; what is new is the scale. The first speaker of the afternoon, Helen Patton, views the current changes not as an acceleration or drastic change in the risk profile, but as a change in the flavor of the risk.
Every time an employee works remotely, an organization’s security team has to monitor and secure that user’s endpoint. When thousands of employees are at different locations, this becomes a near-impossible task. Furthermore, when working with associates outside an organization, companies have to find ways to verify that vendors are doing what is expected to maintain security and processes are in place to leverage the relationships to protect both parties.
In this new normal of distributed workers, it’s harder to rely on technology to control the work environment. Risk is the human element. It’s now “easier” for employees to make “bad” risk choices, therefore training and processes are more important than ever to guide them to make “good” risk choices.
Accompanying this problem is the fact that data is ever-growing, and it all needs to be stored, replicated, and shared accurately, with each step heightening the risk. There is an average of 25 data breaches every day, varying in scope, frequency, targets, and attackers. According to a report from IBM, in 2019 the average data breach cost $3.92 million, with the healthcare industry experiencing the most expensive and damaging losses, at an average of $6.45 million per breach and an average loss of 25,575 records.
In early-March, during the first weeks of the COVID-19 shutdowns, some sectors saw a doubling of attacks. According to research undertaken by Barracuda Networks and Cloudflare, phishing emails have increased 667% since the end of February, while general cybercrime activities increased by 37%.
To protect themselves and their organization from data breaches or cyberattacks, people working from home are advised to keep their personal online activities separate from work and to ensure their systems remain updated as the first line of defense, as home computers are often non-secured and operating on a home WIFI network. Tools like Virtual Private Networks (VPNs) can help protect data and online connections, but workers may need to adapt in other ways.
This is where the second speaker, Emre Koksal, and his discussion around data security – in particular a security model called “Zero Trust” – comes into play.
Zero Trust Security, a Data-Centric Approach
Koksal began his discussion by pointing out that many network security protocols don’t offer adequate protection against today’s cyber criminals. Currently, most organizations have a network-centric approach, where data is confined to and accessed via a protected network. Yet much of this data is created and stored outside the network, so organizations rely on third parties for fully distributed generation and storage that permits full access for their remote workers. He reminds us that almost any organization’s data is worth stealing, and with a large majority of people working from home, this valuable data is being consumed over shared, potentially vulnerable infrastructures.
Because of these complexities, there’s no way to track every opening or vulnerability in a network. In this new normal, a network-centric security approach is not enough: focusing solely on protecting the network is insufficient. The focus needs to be on protecting the data itself through a data-centric approach. Enter Zero Trust, an information security model that does not implicitly trust anything inside or outside its network perimeter. Instead, it requires authentication or verification before granting access to sensitive data or protected resources.
The philosophy behind it is this: any time a user connects to a website or application, they are given “zero trust” until they can prove they are secure. This is particularly important for remote work, as workers often change locations or internet networks. Each time a user tries to access data, it must be clear that they are abiding by the organization’s rules and that they have permission to access it. This way, from a security standpoint, it doesn’t matter where the data is accessed.
With Zero Trust there is no notion of securing a network boundary (the network-centric approach); rather, the data is its own security boundary, so the security travels with the data. Zero Trust also utilizes multi-level encryption, which translates data into another form, or code, so that only people with access to the keys can read it. With this approach, boundaries are built around the data and the keys, not around the network itself.
This security model helps eliminate data loss and maintain control of files even when employees are connected to personal networks, on personal devices. Zero Trust’s data-centric security solution also enables access and data sharing without an organization having to fully give up ownership of the data.
State of the Art in Zero Trust:
- Military-grade encryption made simple (can be applied for all data everywhere)
- Fully transparent to the legitimate user (they won’t even know that there’s something between them and the data)
- Geofencing and location tracking (for employee accountability)
- Real-time audit logs (who accessed what and when)
- Governance rules baked into key manager (leading to dynamic revocation if rules are broken)
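The following is an added illustration of the data-centric model described above (it is not DAtAnchor’s or any product’s code): the key manager, not the network, decides every access, applying a geofence rule, writing an audit entry and revoking a user’s grants the moment a rule is broken. It assumes only Python’s standard library, so a labelled toy keystream cipher stands in for a real AEAD such as AES-GCM.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stand-in for AES-GCM (stdlib has no AES): HMAC-SHA256 counter keystream.
    # A real deployment must use an authenticated cipher, which also checks integrity.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

@dataclass
class KeyManager:
    """Governance rules live with the keys; the data is its own boundary."""
    allowed_regions: dict                       # user -> set of regions (geofence)
    grants: dict                                # user -> set of data_ids shared with them
    keys: dict = field(default_factory=dict)    # data_id -> data encryption key
    audit: list = field(default_factory=list)   # (user, data_id, region, decision)

    def protect(self, data_id: str, owner: str, plaintext: bytes) -> bytes:
        key, nonce = os.urandom(32), os.urandom(12)
        self.keys[data_id] = key
        self.grants.setdefault(owner, set()).add(data_id)
        return nonce + _keystream_xor(key, nonce, plaintext)   # blob travels anywhere

    def release_key(self, user: str, data_id: str, region: str):
        # Every access is evaluated afresh: being "on the network" earns no trust.
        ok = data_id in self.grants.get(user, set()) and region in self.allowed_regions.get(user, set())
        self.audit.append((user, data_id, region, "granted" if ok else "denied"))
        if not ok:
            self.grants.pop(user, None)   # dynamic revocation: broken rule pulls all grants
            return None
        return self.keys[data_id]

def open_data(km: KeyManager, user: str, data_id: str, region: str, blob: bytes):
    key = km.release_key(user, data_id, region)
    return None if key is None else _keystream_xor(key, blob[:12], blob[12:])

def demo():
    # Constructed scenario: alice owns a file and shares it with bob; both geofenced to "US".
    km = KeyManager(allowed_regions={"alice": {"US"}, "bob": {"US"}}, grants={"bob": set()})
    blob = km.protect("report.pdf", "alice", b"quarterly numbers")
    km.grants["bob"].add("report.pdf")                      # shared without giving up ownership
    r1 = open_data(km, "bob", "report.pdf", "US", blob)     # inside the geofence: readable
    r2 = open_data(km, "bob", "report.pdf", "RU", blob)     # outside it: denied and revoked
    r3 = open_data(km, "bob", "report.pdf", "US", blob)     # still denied after revocation
    return r1, r2, r3, km.audit

if __name__ == "__main__":
    print(demo())
```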
Impact on Business:
- Retain control of sensitive data, even outside office walls
- Simplified compliance (HIPAA, GDPR, NIST, CCPA)
- Secure and frictionless data sharing
- Monitoring and real-time audit logs
- Secure workflow for remote workforce
- Low IT overhead
Balancing Liberty and Security in the New Normal
The new normal of increasing numbers of remote workers has prompted changes in regulation. Organizations falling under the scope of data protection regulations and standards such as PCI DSS, HIPAA, or GLBA have now been forced to reconsider their stance on remote work and have begun adopting it as a strategy across the board.
Some compliance measures for confidentiality have already been suspended to help sectors such as telemedicine be more accessible and improve their ease of use. Business processes are being altered. Changes are being considered to allow for an easier digital transmission of data and digital signatures.
The Risk Institute’s third speaker, Dakota Rudesill, talked briefly about privacy, or more specifically the balance between liberty and security, as a potential obstacle in this new normal. Most workers – and certainly customers – don’t want to be tracked.
Consider the opposition of some to COVID-19 contact tracing. Letting Apple or Google track where you go is a risk choice for yourself, but also for the community around you. People are more likely to be comfortable being tracked when the purpose is public health, but less so if the information could be used for marketing or other purposes that might be considered an invasion of privacy.
Moving forward, this balance between liberty and security is only going to get tougher, especially as the Internet of Things (IoT) continues its rapid spread into our homes and offices. As of now, a clear end to the COVID-19 pandemic is impossible to determine, but when it does come, the question is whether these changes now in the making will become the new standard or whether things will snap back to the way they were before.
Written by: Jack Delahunty, in partnership with The Risk Institute at The Ohio State University