Shifting Strategies

by Richard Meeus on May 15, 2020

Formula One is always a sport I wanted to enjoy more than I actually did. I found the strategy always more compelling than the actual racing, which was usually just a procession. Of course, the crashes were always spectacular, not least because it would cause all the team strategies to be completely reset, and a whole host of changes would be made while the pace car was out.

That is also where we are now with many businesses. The pace car is out, and strategy is being shifted. Do we change the tyres? Do we refuel? Do we stay where we are, and hope to get a good start when the pace car comes in?

I had a recent discussion with Gartner about the various stages of business continuity planning, and how organisations were placed. Interestingly, even at the start of the COVID-19 pandemic and associated lockdowns, there were businesses thinking about their exit strategy. How can they use this time to improve processes, reduce risk, or increase effectiveness?

One big strategy change that has happened was ensuring our employees, where possible, can still be effective. Remote access, along with videoconferencing, has seen a huge shift in focus. No longer the preserve of the elite few or sysadmins, this is now required for the entire business. This, unsurprisingly, creates new areas of risk — and not always where you would expect it. Yes, there are the obvious risks of BYOD (bring your own device), but the fact that now your network perimeter is essentially shared with hundreds of IoT thermostats, washing machines, and lightbulbs — not to mention the huge amount of social media on every laptop, tablet, and phone — means your previously secure perimeter now looks like Swiss cheese.

As remote access is now ubiquitous, all employees can enjoy the benefits of working from home and maintain effectiveness. This highlights a previously under-the-radar risk: What happens if the VPN goes down? This is now the single conduit through which all business is travelling, and losing that conduit creates chaos — your employees are not in the office and they cannot communicate.

This new reliance on VPNs has not gone unnoticed by the criminal fraternity, who are always quick to spot an opportunity. They realise this new dependence is something that can be stressed. Consequently, the threat of distributed denial-of-service (DDoS) attacks against VPN endpoints has increased. DDoS has always been around, although it was often used to attack something obvious, such as a website. But now, the attackers realise they can cripple a company by targeting the remote access endpoint. This makes comprehensive DDoS protection essential for these VPN concentrators, and it makes it a requirement to ensure the concentrators are scoped for the full bandwidth expected. Remember, VPN traffic could have increased tenfold since it was last scoped. It goes without saying that they should also be fully patched, especially after the swath of vulnerabilities that were announced last year.

Many strategists may be thinking that DDoS is a relatively small risk, and we’ll soon be back to normal. That may be, but it will likely be a normal that none of us will recognise, and working from home will be seen not as privilege, but as the norm. Security teams need to strategise to ensure that when we move from BCP (business continuity planning) to BAU (business as usual), they’ve optimised their networks to be as effective and resilient as possible for the new normal. So when the pace car comes in, they’re prepared for the next 50 laps — or the next crash.