As the Covid-19 pandemic continues to keep enormous segments of the global workforce working remotely, many organizations are taking stock of the IT impact that disparate teams and empty office buildings bring. A side effect of the increased scaling to home networks is the fact that personal and corporate devices are becoming intermingled, and this can have a huge effect have on cybersecurity.
Second to the pandemic’s immediate human health and safety risks is complete uncertainty for the future of many of these businesses. When it comes to structure, logistics and workflow, for example, many will be questioning: when will facilities re-open, and social distancing lift? How are remote teams’ needs met? What types of metrics need to be watched over more closely to gauge how IT assets are holding up in their mission to keep business running smoothly?
A few weeks into Covid-19 disruptions, a mix of factors are playing out. Below are a few first-hand observations from the field that apply to organizations globally. Like most issues where cyber risk is concerned, scenarios that are planned for, generally, are introducing more specific challenges and questions.
VPN awareness is fantastic, but misunderstanding their purpose is a problem
Firstly, virtual private networks (VPNs) are being put into the spotlight. Previously, the average employee (outside of IT) probably would not have been asking employers for VPNs as they headed for home, or spent time researching the best one to use online. Fortunately, there is much greater awareness of the VPN software’s role in creating secure, encrypted tunnels back to office systems. However, it is a mistake to conflate VPNs’ popularity with blanketed “security” everywhere.
VPNs are often only configured to provide encrypted tunnels, not functions like anti-malware or compliance checks. As such, devices forced to operate on generally less-secure home networks tend to be exposed to malware or missed patches. The result of this is that users are simply using a VPN to give a potentially infected machine its own encrypted fast lane into the heart of corporate networks.
Once VPN licenses and instructions are widely disseminated across employees - security teams should reassess whether they are getting as much as they can from their VPN provider to close these gaps.
Contingency plans mean continuity becomes more pertinent to control
Security teams often envision wide-scale remote work as a finite contingency plan for a specific period. In contingencies like these, the emphasis tends to be on maintaining access to critical business systems first and foremost – not necessarily policing users’ access rights and behaviors.
Yet there is no known end for COVID-19 isolation, meaning many are operating on their base continuity playbooks indefinitely. Heavy VPN use often blinds them to spotting anomalous access patterns, such as the risk of an employee suddenly accessing crown jewel data outside of that individual’s job description.
Many organizations need to rethink contingency plans after COVID-19 and increase zero-trust principles in networks as default to account for the flexibility crisis plans might require.
Even in a crisis, you can extract useful data
Security professionals often race to see what data indicates in relation to risk and threats. At the same time, studying data reflections of the indefinite “new normal” remote workforce helps to inform and accelerate strategic IT projects that tend to be continually deferred due to an incomplete picture.
With network segmentation, for example, many IT teams accept they have an outdated inventory of shifting device ownership and location inside their offices. Yet, it is often difficult to effectively discover and classify devices into groups when networks are congested with so many users. As a result, the state of networks in most offices is probably a rare look at what true, mission-critical traffic looks like.
Systems essential for corporate revenue, like those handling transactions or serving content, are surrounded with far fewer people using check-in kiosks or guest Wi-Fi. This lifts the fog of noise and shows which remaining devices should be classified and logically segmented according to policies and defense-in-depth principles. Properly segmented networks are more resilient to attacks and disruption, no matter where staff might have to work.
These are unprecedented times placing increased strain of public and private services with cyber risk consequences. There are long hours and crucial contributions everywhere, including IT and security professionals continually keeping business applications and networks running.
Days into the wider world’s crash-course into working remotely, it is the IT teams’ job to assess how plans are faring and further mitigate risk. Much of cybersecurity effectiveness boils down to change management, and there has never been this much to manage on-the-fly in recent memory.
Ultimately, long-term remote work requires wider investments in enterprise-wide controls to ensure business continuity in these unprecedented and unpredictable times.