COVID-19 is not only quickly spreading across the globe, but it is infiltrating businesses, causing them to clear out their buildings and bring workers online. Unfortunately, most of these businesses are not prepared to handle remote work and the risks that come along with it.
While businesses should have disaster recovery and business continuity plans in place for these types of events, none of them could have prepared for something like a pandemic to happen, according to Stan Lowe, global CISO for Zscaler, a cloud security company. Even if they did happen to have a chapter in place for something like a pandemic, there is very little information on how to proceed.
Lowe explained businesses typically plan for a physical event like a building burning down or tornado, where maybe 30% of their workforce will be impacted. They don’t plan to have 100% of their employees working remotely for an unforeseeable future. “That is not something that a lot of them are prepared to handle from an operational perspective, business perspective and technology perspective,” he said. But now that businesses are in this situation, they have no choice but to go forward and find alternative ways to do things.
“While many organizations may have robust remote work policies, procedures, and systems in place, rarely are they designed to scale beyond a subset of the workforce,” said Josh Perkins, field CTO at AHEAD, an application and infrastructure consulting company. Some challenges a remote workforce presents include connectivity, end-user technology availability, collaboration tools, digital preparedness, business process dependencies, geographical dependencies and shifts in actual business process criticality or need, Perkins explained.
First off, Lowe said businesses have to address the fact that they are “on fire” before they can address why they caught fire in the first place. They need to break down their business into simple sections and figure out which services are the most important, which are impacted, and how they can protect and drive revenue.
“The ideal scenario from a work-from-home goal standpoint is to have employees be able to do all the functions, tasks and responsibility at home as they would have at the office,” said Raj Sabhlok, president of IT infrastructure monitoring company ManageEngine. They need access to key technologies, business apps and telephony services.
More needed than VPN
It boils down to the basics: connectivity, collaboration, application access, and security, according to Perkins. Connectivity doesn’t necessarily mean having a virtual private network (VPN) in place, but it means making sure remote workers have internet access and devices to work with systems in the first place.
Then if not all your employees have a business laptop or device to work on, you have to figure out if you are going to let employees use their own devices and what other resources or tools they need to help them work, Perkins explained.
If organizations don’t have a VPN plan in place, they aren’t going to be able to come up with one now because it is a 60- to 90-day process plus deployment and additional bandwidth to set up, according to Lowe.
And even for organizations that do have VPNs, there is a security risk every time someone logs into the network, and that increases a business’ attack surface area. “You now have thousands and thousands of new endpoints that have just punched holes in your firewalls and VPN,” said Lowe. “It just takes one person to click on an email or one person to fall for a phishing scam for their identity to be compromised.”
Endpoint management software enables IT teams to ensure apps and devices are configured correctly and secure. It can effectively segregate personal information and control data leakage, according to ManageEngine’s Sabhlok. In addition, it can maintain control of devices if they are lost, or remotely lock a device and wipe it clean. “Through endpoint management software, we can really lock down what happens and what can be accessed from a device and maybe even more importantly what can be done with the data that is being accessed,” said Sabhlok.
The other critical applications for any business right now are email, messaging, and video conferencing. These allow the business to communicate, according to Lowe.
“Creating communication paths is critical to the success of any organization operating in a distributed fashion. Organizations must provide reliable, multi-channel virtual environments for collaboration,” said Perkins.
Access control is critical
Once you figure out what data and other critical services you need to protect, you need to start having a conversation on how people can access them. According to Lowe, 100% of the business can’t log in at the same time. Businesses have to start to tier their employees based on criticality: who are the people most critical to making sure these services run and support the business? Then you provide them access at different times of the day depending on their tier.
This is only a temporary solution and businesses will have to figure out a midterm solution.
“Organizations should consider solutions that consolidate a portfolio of applications and services into a portal experience for users that is tailored to their application needs and provides secure single sign-on access to those applications. Often these solutions can contain internal, partner, and SaaS-based applications,” said Perkins.
The good news, according to ManageEngine’s Sabhlok, is that a lot of businesses are already leveraging modern technologies like cloud applications. These applications are going to be more secure than what the business would be able to provide because they are accessed through a secure protocol like HTTPS.
However, there are other websites business users may need to access that are not as secure. You want to be able to configure browsers and lock them down in accordance with corporate policy. This can be done with a browser security tool, Sabhlok explained.
Another important part to keep in mind is licensing, which people tend to forget. But you need to make sure you have enough licensing to support remote work, according to Lowe.
“Solutions may not be designed or licensed to scale in the event of a rapid workforce shift,” Perkins added.
Reassessing your risk
Having people work from home also changes your risk tolerance and your risk posture based on how many people are working remotely. You have to change your security tools and methodologies to meet that new risk paradigm and risk tolerance, according to Lowe.
Identity access management tools become critical because they allow businesses to change roles and privileges based on who needs access and where they are, according to Sabhlok.
Other tools Sabhlok says are going to become necessary are remote management technology so IT teams can access devices and help if something goes wrong; and IT ops tools to monitor the network regularly and understand how it is going to react and handle everyone.
“These days when a lot of large companies are regulated through GDPR or CCPA you need to be able to monitor when PII is moving around. Endpoint management software, browser security, and identity access management tools can tell the IT organization when someone is accessing assets that they shouldn’t be, and provide an early warning about that,” he said.
Looking at security, working remotely
The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is asking organizations to adopt a heightened state of cybersecurity during this time of increased remote work. Some considerations the CISA says organizations need to be aware of include:
- The more VPNs used, the more vulnerabilities are found and targeted
- VPNs are less likely to be kept updated with the latest security updates and patches
- As more people start working from home, the amount of malicious cyber activity, such as phishing emails, increases
- Organizations without multi-factor authentication in place are more susceptible to phishing attacks
- Critical business operations may suffer if there are only a limited number of VPN connections available
The CISA also provided some recommendations for organizations enforcing remote work:
- Update VPNs, network infrastructure devices and devices being used for remote work with the latest software patches and security configurations
- Make sure employees understand there will be an increase in phishing attempts
- Prepare IT security professionals to ramp up remote access cybersecurity tasks with log review, attack detection, and incident response and recovery
- Implement multi-factor authentication on all VPN connections or require the use of stronger passwords
- Test VPN limitations to prepare for mass usage
- Contact CISA with any incidents, phishing attacks, malware or cybersecurity concerns.
According to ManageEngine’s Sabhlok and Zscaler’s Lowe, what companies should also be doing during this time is writing down what could have been better, lessons learned for next time, and how your business continuity plans can be improved.
“It is not a matter of if, it is a matter of when. This will happen again. Use this as a learning mechanism to be able to better position yourself in the future,” said Lowe.