By Trevor Graham, co founder & CEO, Ampliphae
It's fair to say that the accelerated move to near-universal home working as a result of COVID-19 has been a challenge for many IT teams both large and small.
As they’ve risen to the challenge of just “keeping the lights on”, it's been like assembling the parachute after jumping out of the plane. On one hand, users may have been moved to unfamiliar applications on new laptops and with minimal training, whilst the IT teams supporting them have struggled with overloaded VPNs and the vagaries of domestic broadband.
It's been a herculean effort, and it's a testament to the skills of the IT professionals that we have as many organisations functioning as well as they are.
Now that the immediate emergency has passed and we've settled tentatively into a new normal, maybe it's time to reflect and think through the ramifications of what may have changed.
I suspect many IT teams will have been forced to loosen their grip on governance and approvals in the rush to just keep things running.
Whilst this was undoubtedly the right thing to do, it's important that we understand a new set of risks that are likely to emerge as a result, and what we can do to mitigate these.
Here are five things to think about as you consolidate the remote working model.
- The bad guys are still out there
There's an old saying about “never letting a good crisis go to waste”, and it's certainly the case that the cyber criminals have not been idle in the current situation. We've seen a rash of new malware using COVID-19 as a way to attract the unwary click, and we've seen coronavirus-themed social engineering aimed at home workers through SMS and telephone. The situation is bad enough that the GCHQ in the UK and the Department of Homeland Security in the US last week issued a joint advisory about COVID-19 malicious activities (1)
- Your people are without their support networks
As IT professionals we often underestimate the impact that informal support networks have in helping our organisations to operate smoothly. In most offices and teams, there's often someone in the room who knows how to install a printer driver or figure out why someone's display has rotated by 90 degrees without warning. Although the well-meaning amateur can sometimes cause problems, in the main it's a useful safety net for less tech-savvy users.
This becomes critical when security-related issues come to the fore - questions like "I just got a mail from Microsoft saying my account will be locked out unless I enter my credentials - did you get one too, and should I click on it?" are not being asked and users are muddling through, putting the organisation at risk. Remote users without a team around them are more vulnerable to everything from impersonation scams to phishing mails to that-really-nice-kids-education-app they installed on the company laptop to keep their four-year-old entertained. We need to take that into account with extra training and even more communication about security issues.
- Cloud has saved the day, but needs governance
There's no doubt that the easy availability of Cloud-delivered applications has been a lifeline in the past few weeks. As legacy on-premise systems were left inaccessible behind overloaded VPNs or struggled to cope with Internet latency, Cloud applications absorbed the spikes and kept running. Microsoft report nearly three billion minutes of Teams meetings per day at the end of March, up nearly fivefold in two weeks (2). However, the rush to the Cloud means issues such as data privacy and security configuration compliance may have been de-prioritised. By opening the door to SaaS applications, organisations will find that their users continue to innovate and find new Cloud applications to help them day-to-day, and unless they have robust discovery and governance policies in place, they may find alternative application stacks being built within the organisation, outside of IT governance. Not every piece of SaaS software will be appropriate or even tolerable from a security governance perspective: we only have to look at the number of corporations and governments that have banned use of Zoom to see how even a mainstream service might not be fit for every situation. You need to understand all the applications your people are adopting, no matter where they came from.
- We've not had time to test new working practices
In every workplace there has been a rush to cobble together new business processes in days, using unfamiliar applications and IT teams that are strung out after days of firefighting. We will have made mistakes, and many of them could introduce serious security vulnerabilities. Our people have not had the right training, and we've not had the luxury of incremental adoption of new technology.
It's no-one's fault, it's the environment we're working in, but we must acknowledge that there is a debt of security problems that will be around for years to come, and we must put processes in place to deal with that. We need to go back and validate the decisions we made, make changes where we need to, and train users in the new ways of working. We need to have open conversations in every organisation, and an amnesty around mistakes that were made under the pressure of crisis management.
- The home network is not your network
For many years we relied on the network to provide services beyond connectivity - the industry collectively treated it as a perimeter within which we could take shortcuts with security, and we assumed identity based on network connectivity. This level of trust in the network has been largely discredited as new threats emerged, but many in-house applications still depend on the network perimeter for security.
Now that all our people are on external networks that we can't control, we may have some headaches to endure. Our people are using networks that are far more likely to have resident malware - Bitsight (3) found that home networks are over seven times more likely to have malware than corporate networks, and over a quarter of them had exploitable services exposed to the Internet.
Most IT teams have been depending on legacy VPNs to protect remote corporate machines. Unfortunately, that strategy hasn't scaled too well, so compromises have been made that leave corporate machines operating in hostile network environments without all the protections we might like.
The work put in to keep public and private sector organisations running has been enormous and almost certainly not properly recognised nor rewarded. But now that we are tentatively up and running again, everyone in IT should take a (short) collective breather, and then put in place a plan to find and address the security problems that have been introduced.
(1) Advisory: COVID-19 exploited by malicious cyberactors, National Cyber Security Centre
(2) Microsoft reports new spike in Teams usage as work habits change around the world, GeekWire
(3) Rush to Work From Home Exposes Alarming Security Issues, BitSight Research Shows, BitSight