The past 16 months have been a wakeup call for businesses as the COVID-19 pandemic deconstructed the once-traditional office environment overnight and replaced it with legions of remote workers.
Local digital security experts point to many lessons learned along the way by employers and employees alike, and specifically to the need for company owners and their management teams to further strengthen their digital infrastructures and revisit cyber security best practices.
“A lot has been brought up over the past nine months about business continuity and how business continuity plans need to be kind of activated,” says Shawn Edwards, director of security operations at Ignite Collaboration Services Group, a Calgary-headquartered video collaboration and audio/visual integration company.
“In the small-to-medium enterprise, the situation we’ve run into very frequently is that the business continuity plan was an ‘in-development conversation’ where there was no business continuity plan to really help describe what happened in the pandemic world.”
With those quick hallway conversations now paused and traditional meeting rooms dark, digital communications tools saw unprecedented growth in 2020. Collaboration platforms such as Microsoft Teams, for example, saw a 160 per cent increase in users from March to October alone. Research and advisory company Gartner anticipates the worldwide market for social software and collaboration in the workplace will nearly double to $4.8 billion within the next two years.
Video conferencing has similarly exploded. Zoom has logged more than 300 million daily participants during some months of the pandemic thus far. Meanwhile, in April 2020 alone, Cisco’s video conferencing business Webex reported upward of 25 billion meeting minutes per month on its platform – 10 billion more than the total meeting minutes reported just one month earlier.
The challenge, say experts, is that the information being shared on these digital channels is no longer being shared strictly within the business – meaning often highly confidential business information is coming out of workers’ homes and thereby opening a potential Pandora’s Box of security problems.
“In the COVID world, where we are finding a lot of issues is people are moving away from their work, which has the necessary firewalls, and are now working from home on computers that might not offer that same level of security,” says 403Tech president Scott Gallupe, whose Calgary-based IT support and services company caters to small and medium businesses.
“They could be working on their personal computers that could be on older operating systems or do not have proper anti-virus software. And in these scenarios, they are much more exposed to online threats, which can be tricky for companies to deal with given the footprint they have to protect is much vaster than it once was.”
Edwards adds that in the rush of creating business continuity plans when COVID-19 first hit, oversight from internal business units to ensure systems were protecting company information adequately was often an afterthought – thereby creating a double-edged sword.
“When we talk about the systems that were traditionally protected around a traditional security barrier … having those extended out beyond in the post pandemic world put a lot of concern around risk to the organization,” he says.
“The ability for collaboration solutions to harness collaboration, to share information, has been both a positive and a very risky negative when it comes to information.”
The consequences have made headlines. Cybersecurity Ventures estimates the costs of cybercrime topped $6 trillion U.S. worldwide in 2020, up from $3 trillion in 2015. In one case, an estimated 500,000 Zoom passwords were found being sold on the dark web in April 2020.
“The goal isn’t necessarily to hack into your call to gain information through that platform. It’s to piggyback onto another platform that you might use,” says Gallupe. “Maybe you’re sharing similar credentials with your server account or your email? Once they’re in, that’s the scary part.”
Gallupe notes the consequences of a data breach through a video collaboration or conferencing platform are sometimes not immediate.
“Typically, people don’t know they’re exposed right away. Hackers will come into the system and lie dormant for weeks or months before taking some sort of action,” he says.
Gallupe has seen success in mitigating these types of threats through the use of two-factor authentication – a security process in which users provide two different authentication factors to verify themselves, with the second often being accessed through an app on their smartphones.
“Zoombombing” has also become an unfortunate reality for many. This involves an uninvited guest joining a video-conference call, often hijacking the screen, chat box or manipulating the audio. Last year, Zoombombers made their way into a virtual town hall held by YWCA Canada, shouting racial epithets and harassing many of the 250 participants through the chat function.
While Edwards notes Zoombombing has revealed security flaws with the application, it has also highlighted additional problems.
“Some of (the flaws) were because the user was just not using the technology securely – not knowing how to use this technology securely,” he says. “There are secure collaboration solutions. There are unsecure collaboration solutions. And there are ways that you can make secure collaboration solutions, very insecure.”
The first step to creating a secure digital environment is to think beyond the traditional piecemeal approach common within many organizations’ digital infrastructure, says Ignite president and CEO Steven Taylor.
“One of the bigger challenges that we see is a lot of times organizations will choose just singular independent point product – this is for the firewall and this is for email security and this is for that next component,” he says. “A lot of times, there’s not that overarching piece where somebody says, ‘OK, we’ve got five different solutions that sort of cover five different pieces. Does it actually create security in the space?’
“I would suggest (working with) an organization that will sit down with you and work with you through the strategy of where you are today, where you need to get to … what are the critical business component information pieces that we have to deal with? Out of that comes kind of the next step of what you need to look for.”
Taylor says the second step is for organizations to approach cyber security as not just an IT function, but as a corporate responsibility.
“That’s one of the things we work with heavily in our adoption education side – that the messaging has to come from the very top of the organization,” he says. “The very top of the organization has to not just talk about security in its traditional platitude-type of way, but has to talk about security as being a fundamental responsibility of everybody in the business and help people understand why it’s so important not just the fact that has been decreed as important.”