The global pandemic has had enormous implications for the nature of work and the role of technology in the workplace. While many have labelled the post-COVID period the “new normal,” Microsoft Chief Security and Compliance Officer Kevin Magee said when it comes to cybersecurity, “normal” never really existed.
“Every time there’s a major advancement, the world pivots and changes,” he said. “The fact that we’ve ignored this for so long is why we now have a lot of technical debt in security to pay off, which is really becoming visible. ‘Normal’ never existed, and many companies are only now catching up to that.”
For Magee, there are five cybersecurity trends all businesses must be watching.
At a time of nonstop change, Magee said the definition of resilience is changing. He illustrates this with the example of St. Bart’s Hospital in London. The institution, founded in 1123, survived Henry VIII stripping it of land and income, came through the Great Fire and Plague intact, and even survived two world wars. “St. Bart’s was able to fulfill its mission through the centuries — until it was hit with a WannaCry ransomware attack in 2017,” said Magee.
Business leaders need to rethink their definition of resilience and what makes an organization resilient. Magee encourages leaders to look to news headlines — imminent threats and worst-case scenarios — and to imagine their implications.
“We must start thinking about resilience differently,” said Magee, “and COVID is a great example of that because we had models of linear growth when it comes to moving to a mobile workforce. Then overnight everything shifted, breaking all our models. We didn’t anticipate that. It was a kinetic event that caused a digital problem.”
Identity and empathy
One of the good things to come out of COVID, said Magee, is that identity barriers have dissolved. “For so long we’ve been trying to turn users into security professionals — human firewalls. They’re not. They’re accountants and warehouse employees. But security is starting to be designed around users. When tools and services are easier to understand and use, the experience is going to be better and people won’t resort to using shadow IT.”
Magee said the goal of cybersecurity is empathy — to understand users’ needs, and how they go through their day. “You log in to your SAP environment via IPSEC, but then have to log off your VPN to print something on your local printer. People have been dealing with this for decades. But we have a chance to rethink security with the user in mind. This will reduce costs, tighten security, and let people do their job without security always in the way.”
The power of community
The current breed of threat actor embraces all kinds of new technology, including AI and machine learning. They’re taking full advantage of everything that’s available.
“In an arms race like this, no one organization can take on threat actors who are using an ecosystem of suppliers,” he said. “If I’m a hacker, I don’t need to write my own software. I can purchase it off the shelf, subscribe to ransomware as a service, or join an affiliate business where I don’t have to pay anything.” In the latter scenario, he said, code is maintained, everything is provided, and profits are shared automatically with the syndicate.
Unfortunately, while attackers costs are very low, the same cannot be said for defenders. Magee said it is critically important to make it more expensive for hackers to mount attacks. Changing their ROI, he said, will change their ability to be successful.
“We see eight trillion threat signals daily on our platform. We share threat intel with partners and competitors through the Microsoft Intelligent Security Association, which makes the community stronger. Defender costs go down while attacker costs rise. Through this all do much better, embracing technology and community rather than going it alone.”
Zero-trust is here
The future is zero-trust, said Magee. Whether they know it yet or not, every company is on a zero-trust journey. It’s important to embrace this, to say you’re rebuilding your security strategy. “It’s important to embrace this, to not just look at a zero-trust model but integrate it into how you deploy technology and how you run your organization.”
Companies that seize the opportunity to reimagine and rebuild themselves will find more success down the road. Magee said he sees this in the data — that businesses that pre-COVID were further along in the maturity of their zero-trust strategy had less trouble when the huge shift to mobile work came earlier this year.
Looking to the future
It took a compelling global crisis to force companies to change. While some organizations are handling expertly the terrain of the so-called new normal, others are not yet clear on where to begin when it comes to their security.
“Identity is a new line in the sand, where attackers are now focused — on harvesting credentials for resale, ransomware attacks, espionage” said Magee.
This is not to say identity is the only key going forward. Culture, said Magee, is also hugely important. An organization can have all the latest toys, and all the right intentions, but it will all be for nothing without the right security culture in place. “It’s not enough for leaders to just send out a security awareness email to all staff once or twice a year. Engagement and active involvement is something that must come from the very top.”
But security culture, said Magee, is not just about leaders. It’s about people, and whether they feel like they’re part of the security solution. “If a user makes a mistake, do they feel they can put up their hand to receive the help they need without being punished or even terminated? This is a sure sign of a healthy security culture — when users at key moments feel that even if the mistake was theirs, that they are nonetheless part of the solution.”
With these cybersecurity trends, gain further insights on how to streamline and strengthen your organization’s security for improved cyber-resiliency.