To say that the world was unprepared for what happened in March of 2020 would be a gross understatement. Nobody needs a reminder of the seismic changes that the coronavirus pandemic introduced. Large enterprises were caught off guard, to be sure. But many small and medium-sized enterprises (SMEs), which typically operate with lean and sometimes less-experienced security staff, were particularly vulnerable.
Reflecting on the challenges we faced and the lessons we’ve learned because of those challenges might offer insights into how we can make our businesses more resilient and, crucially, secure.
The Issue with Remote Working Scalability
Scaling business operations is a challenge in and of itself, but having to do that on short notice, and in the quickest way possible, presents an even greater number of potential issues. In some instances, organizations that had never had a remote workforce found themselves having to place an order for hundreds of PCs to ensure their employees had a secure device to work from – only to be confronted with extremely delayed production and delivery times due to the worldwide rise in demand.
In other cases, organizations had to bring up systems on hypervisors and/or cloud platform services (CPS) like AWS and Azure when they had never previously done so. A migration such as this would have normally been gradual and preceded by extensive preparation; however, the pandemic circumstances required it to be carried out virtually overnight. This, of course, significantly increased the risk of misconfigurations and zero-day security issues.
VPNs, which most organizations would have used to grant remote access pre-pandemic, also presented scalability issues. All of a sudden, the traffic that needed to be routed through the physical corporate network increased exponentially, slowing down connection times and impacting operations.
The lesson: While nobody could have predicted such a sudden, forced digital transformation, the issue of scalability highlighted many organizations’ lack of preparedness in terms of arranging flexible and remote working. Businesses across all industries have discovered that a solution that makes them resilient to change will ultimately be a winning one, and hopefully security and IT investments will reflect this reckoning.
While many organizations would have already had arrangements for a portion of their workforce to be able to connect securely to the corporate network remotely, the majority were faced with the necessity of extending the business perimeter to their employees’ homes. Security policies had to be updated to account for the variation in systems connecting, as well as the connections themselves. In most cases, these connections didn’t have the speed required for employees to do their jobs efficiently.
The lesson: Perimeter security has changed. Rather than creating a layer of protection around the corporate network and the company’s headquarters, security teams will now need to build protection around each user, device and application, wherever they reside.
Offboarding and Shadow IT
Some existing problems were exacerbated by the new way of working, including offboarding and Shadow IT. Offboarding is an area of concern that became more pressing with the migration to remote working. Unmanaged end-user devices may hold confidential and proprietary information that could lead to breaches in the future, and the new work-from-home paradigm meant that many of these devices were never returned. The consequences of not clearing these devices of proprietary information can be destructive should one of them end up in the wrong hands.
Shadow IT was also a much-discussed source of risk before the pandemic, but as organizations shifted to remote working, it has become something of a nightmare for security teams, which have little to no visibility over the devices that employees use at home. Whether it is a smart speaker connected to the same network used to access company resources, or a family laptop that doubles as a work machine, the sheer number of potentially insecure endpoints has increased exponentially.
The lesson: Once again, the optimum solution to these problems is creating a virtual perimeter around each user, device, application and resource. Rather than tying this perimeter to the single user and device, however, organizations should be looking at ways to create a secure route into the corporate network that can be centrally managed. Think of a VPN, but created with security in mind.
A Positive Development in Remote Working
At first blush, it appears that organizations have survived surprisingly well in the face of this new reality. Specifically, the number of major breaches in the U.S. does not appear to have increased significantly over the last year, which could be attributed in part to an increasingly savvy workforce. However, as quickly as employees have become aware of the most common cyberthreats, it is important to acknowledge that phishing emails, credential harvesting and ransomware continue to increase in sophistication and remain a potent threat.
A Key Takeaway from a Year of Remote Working
Difficulties give us the chance to grow. Faced with the necessity of reimagining operations for the remote work era, organizations were able to do a good job overall, but there is certainly room for significant improvements. Thankfully, technological advances have been made to allow security teams to tackle the security challenges of the future. One answer lies in a concept that isn’t new in and of itself, but that can be applied to the era of remote working and solve multiple issues at once: zero-trust.
If applied to network access, zero-trust will allow organizations to completely isolate application access from network access, which significantly reduces the attack surface and the potential damage of a security compromise. Zero-trust network access (ZTNA) solutions are meant to grant users access to just the specific applications – and even specific functions within an application – that they need to do their job. Essentially shifting the focus from the network to the end user, ZTNA tools create a new paradigm of security for the remote working era.
Furthermore, if boosted with behavioral analytics, ZTNA can also automatically revoke access permissions if a user’s typical online behavior, location or device, for instance, raises any red flags. This also indirectly addresses the challenge of the shortage of talent in cybersecurity, which is a problem that weighs more on SMEs than on larger organizations. By automating certain tasks, the burden is shifted away from an already resource-strained business function.
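An added example, not part of the original article: a minimal policy decision point in Python showing the ZTNA behavior described above, with per-application and per-function grants, default deny, and automatic revocation when a request arrives from an unfamiliar device or location. The class, field and reason names, and the sample user and requests, are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class User:
    name: str
    grants: set           # {(app, function)} needed for the job
    known_devices: set    # baseline used as the "typical behavior" signal
    usual_countries: set
    revoked: bool = False

class PolicyEngine:
    """Hypothetical policy decision point: default deny, per-function grants."""

    def __init__(self, users):
        self.users = {u.name: u for u in users}
        self.audit = []   # (user, app, function, decision, reason)

    def authorize(self, name, app, function, device, country):
        user = self.users.get(name)
        if user is None or user.revoked:
            return self._decide(name, app, function, False, "no_active_access")
        flags = []
        if device not in user.known_devices:
            flags.append("unknown_device")
        if country not in user.usual_countries:
            flags.append("unusual_location")
        if flags:
            user.revoked = True  # automatic revocation until re-verified
            return self._decide(name, app, function, False, "+".join(flags))
        if (app, function) not in user.grants:
            return self._decide(name, app, function, False, "not_granted")
        return self._decide(name, app, function, True, "granted")

    def _decide(self, name, app, function, allowed, reason):
        self.audit.append((name, app, function, "allow" if allowed else "deny", reason))
        return allowed

def demo():
    # Constructed sample user and requests.
    alice = User("alice", {("payroll", "view_payslip")}, {"laptop-01"}, {"US"})
    pdp = PolicyEngine([alice])
    results = [
        pdp.authorize("alice", "payroll", "view_payslip", "laptop-01", "US"),
        pdp.authorize("alice", "payroll", "run_payroll", "laptop-01", "US"),
        pdp.authorize("alice", "payroll", "view_payslip", "family-pc", "US"),
        pdp.authorize("alice", "payroll", "view_payslip", "laptop-01", "US"),
    ]
    return results, [entry[4] for entry in pdp.audit]
```

The fourth request is denied even though it comes from the known laptop, because the earlier red flag revoked access and nothing in this sketch re-verifies the user.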
While the past year has certainly taught businesses some very important lessons, a ZTNA approach to security is one that will have a lasting and positive effect on the overall cybersecurity of organizations – now and into the future.