Q&A: Cybersecurity Awareness and the Lessons of 2020

Cybersecurity awareness is often undercut by a form of corporate amnesia that keeps organizations from learning from past exploits and leaves them vulnerable to future ones. This leads to a cycle of alarm followed by a false sense of security, says Josephine Wolff, author of You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches (2018).

Patching vulnerabilities in the corporate network against interlopers is important, but so is understanding the bigger picture that leads to cyber risk, says Wolff, assistant professor of cybersecurity policy at the Tufts Fletcher School of Law and Diplomacy. The mindset of “patch this and everything is all set” is how organizations fail to anticipate the next attack, she says.

Wolff, who writes for The New York Times, Slate and other publications, is widely considered a leading expert on cybersecurity awareness, governance, regulation and risk. In this interview with Mimecast blogger Mercedes Cardona, she discusses how the COVID pandemic will affect cybersecurity going forward, best practices for businesses as they adapt to the “new normal,” and the prospect that the federal government will set data protection standards in the near future.

Editor’s Note: This is the first in a series of interviews with leading cybersecurity experts from academia, research institutions and the private sector.

Mimecast: Is corporate cybersecurity still primarily about protecting IP and business operations, or owing to new regulations such as  CCPA, have protecting customer data and the company's brand reputation moved to center stage?

Josephine Wolff: The regulatory environment has certainly shifted priorities. There’s more emphasis now — not just on protecting consumer information — but also transparency around the use of that data. I do think, though, that a lot of emphasis is still around business operations, continuity and intellectual property protection.

The biggest shift during the past few years has been towards an expanded understanding of the threat models companies are facing. There’s a growing recognition that there are a lot of different ways that your business can be targeted. Stealing intellectual property is one, but they could also involve snarling up your networks and encrypting your hard drives for extortion.

So there's a much wider set of threats that businesses are confronting today, including state-sponsored attacks, which — because you’re up against a nation-state with a lot of resources and a lot of expertise — have to be taken very seriously.

Mimecast: How has the COVID pandemic changed the conversation about cybersecurity and data privacy? From the vulnerabilities of working from home to news of hackers trying to steal vaccine research, it seems like there are a number of new concerns.

Wolff: Quickly, without a lot of lead time, companies have had to start doing fairly sensitive things from their employees' homes that they probably would not have wanted to do, or would not have permitted, beforehand. That's forcing everyone to grapple with the limitations on securing remote work.

The pandemic has also opened a whole new set of avenues for attack. Some of those are simply by virtue of all the schooling and work and everything that’s happening remotely. There are a lot more opportunities to eavesdrop, to conduct espionage. But others concern the theft of intellectual property, such as vaccine research.

Hospitals, in particular, have known for a while that they have a lot of vulnerabilities that need to be addressed with additional infrastructure. But now here they are, at a moment when they have absolutely no extra bandwidth or other resources to put towards that — and yet it's absolutely essential. They can't push it off. They can't wait for things to settle down, because it's such a critical moment for them.

Mimecast: There's a lot of talk that many of the people working remotely now may never go back to work in an office. Will that shift the focus of cybersecurity to individuals rather than organizations?

Wolff: We really don't have a good handle yet on what the best practices are for handling this amount of sensitive information at employees' homes. I think we'll get better at it, as companies figure out how to put reasonable policies in place that their employees can actually abide by.

It doesn’t work to just make whatever policy you want. I have friends whose companies have made rules like: You have to work in a room with a closed door and there can't be anybody else in the room, and this, that and another thing. But for a lot of people — if you've got kids, if you've got a partner, if there are other people in the home — it's not always easy to say, "I'm going into my office, locking the door and nobody else can be in there while I'm working." 

I think we're still figuring out what the security and privacy protocols should look like, and this will involve some trial and error.

Mimecast: You wrote a New York Times column in the early days of the pandemic about using technology for containment. Can tech help if people won’t share their data for contact tracing?

Wolff: I think there are some very narrow ways in which technology may be able to help with tracing exposure. The Apple-Google platform for notifying you if you've been in close contact with somebody who's tested positive for COVID is an example. I will say, though, the rollout has been pretty underwhelming, at least in the United States. There hasn't been a large wave of people signing up for these apps. Every state is doing it a little bit differently; there's not a lot of unified messaging. So, I'm not overly optimistic about it.

In the United States, the number of infections is just so large that it's hard to imagine — even with the amount of data we can collect using technology — that we'll be able to really get a handle on things. Right now, there are so many people being exposed that it's hard to see how much of an impact that would have. But mostly, I just think we haven't seen the adoption that we would need to really make a difference.

Mimecast: Returning to the subject of government regulation, should we expect the federal government to try to push a national cybersecurity policy through Congress,  something that would supersede state level efforts like CCPA and New York’s SHIELD?

Wolff: I hope so. I think that would be a really good thing to do at the federal level, rather than fragmenting it across the states. Not because the state laws haven't been useful and productive, but because there are certain places where there isn’t any data protection, and it's confusing for companies when there are a bunch of different, somewhat similar, but somewhat different regimes they have to abide by.

The question of whether we can expect it is a harder one, because I think making predictions about what Congress will or won't do these days is a complicated game. I don't think it's impossible. I think it's an idea that has a fair bit of support from both parties.

There’s a recognition that this is an area where the United States has fallen behind. Even companies are beginning to feel like they would rather have some guidance at the federal level than deal with each of the states individually. So I do think it's possible.

Mimecast: Given everything that’s happened this year, will there be changes to how companies manage their cyber risk? Have businesses become more aware that they need to put some guardrails in place and have insurance to protect themselves?

Wolff: I think you're seeing a lot of universities, companies, government agencies, everybody — reevaluating how much they're relying on their online services and how much they need to invest in protecting them.

I mentioned the health centers in particular, but it's true of a lot of places that there's not a lot of extra bandwidth to really ramp up cybersecurity. On the plus side, a lot of companies are thinking deeply about this to a greater extent than before.

Mimecast: Looking ahead to next year, what are some best practices that companies should put in place? Should everyone be doing a year-end review of their practices?

Wolff: The thing that is most important right now is to deeply re-evaluate what your threat model looks like and how that's different from what it might have looked like a year ago. That's both a function of looking at the threat actors who are out there and the ways in which their attacks have changed, but also of looking at your organization and saying: Here are the ways in which we're operating that we weren't before.  What new avenues for attack does that create? And how are we going to address them?

I think that's part of being really open to the idea — which I think is true for almost everybody, that we're operating differently now and that creates different threats and different risks. We need to be acknowledging and responding to that. And that, I think, is the most important best practice.

Then there are the sort of really fundamental things that many organizations are already doing: using VPNs for remote work; using two-factor authentication for a remote log on. Things like that make a big difference for sure.

Mimecast: Once we can put the pandemic in the rearview mirror, should we try to rethink security going forward?

Wolff: I think we should think about what worked well and what didn't. We should think about remote work from many dimensions, but one of them should be: Can we reliably secure our operations and our information when people are working from home? We should think about whether our working models and our business models are flexible enough to allow for online work and online communication.

Part of it depends on how the next few months go and whether there are major breaches. You could very easily imagine companies getting scared if something goes wrong, if some information is stolen, and deciding "You know, actually, this remote work thing is very dangerous. We don't want to go too much further down this path."

Mimecast: What else can we learn from the great COVID shutdown of 2020?

Wolff: From the standpoint of cybersecurity, we need to understand what we can take from this experience that will allow us to do a better job of shoring up the defenses for our critical health infrastructure and preparing for the next public health emergency. Those are lessons we should start thinking about and learning from.