The global outbreak of COVID-19 has led companies to take unprecedented steps towards shifting the entirety of their workforces to a remote model, writes Joe McManus, director of security at open source software firm Canonical.
While some organisations were well-positioned for this change, the majority were only prepared for a small percentage of their staff to work remotely at any time. A Leesman survey of over 700,000 employees worldwide found that 52 per cent have little to no experience of working from home, and even of those who do, 83 per cent typically do so for just one day a week, or less.
In turn, this has brought about a host of implications for IT teams – not least around security, with issues arising around data access control, VPN security, and rapid changes to infrastructure. The challenge comes both in managing existing risks, which are now amplified by a wide-scale shift to remote working, as well as contending with an increased cyber threat from criminals looking to take advantage of the heightened uncertainty caused by this global situation.
It’s essential that organisations address these security challenges now, not only to efficiently navigate the current landscape, but also to future-proof themselves for what will undoubtedly become more permanent changes to the way we work in the longer-term. The lack of preparedness evident amongst the majority of companies may leave them vulnerable in a number of areas; perhaps first and foremost from a device perspective given the newly-created and significantly dispersed end-point network which now requires managing. For example, companies that have not enabled multi-factor authentication will be at a disadvantage when it comes to resisting brute force tactics such as password reuse attacks. More severely though, an outdated mentality which defines security simply as ‘behind the firewall, or not’ will lead to insufficient controls when it comes to managing the mix of BYOD and managed devices prevalent across a remote workforce.
A multi-pronged approach
There are a number of measures organisations can take to mitigate risk, and a multi-pronged approach continues to be the best recourse. IT teams should ensure that users are trained and educated, with effective monitoring also put into place given that home networks are now essentially an extension of the office. They should also reach out to staff to offer continued training and advice around how to secure their home networks, given they are now an extension of the office.
Beyond this, devices of course need to be secured. This can entail both tools in-built into the hardware, as well as ensuring software updates which can be easily implemented and scaled across all end-points. For example, users of Ubuntu Desktop can enable unattended upgrades and Livepatch to protect endpoints from emerging threats, without any need for IT intervention. Using a corporate proxy server or VPN can also help to protect and monitor the newly extended network, while users can also enable low cost DNS filtering services like OpenDNS to limit access to malicious sites.
VPNs – secure but not without risk
VPNs offer secure remote access to resources for the workforce, and are as such also likely to see increased deployment in the current landscape. Beyond standard capabilities such as authenticating users and providing access control, VPNs can be configured to use full tunnelling for even greater enterprise protections. These include the ability to leverage corporate network filtering such as Intrusion Detection and Protection Systems (IDS/IPS), as well as other situational awareness tools such as NetFlow to monitor network traffic. Yet with companies deploying more VPN endpoints and in such a rapid time, there is a greater chance of a mistake occurring in network segmentation, which could expose company resources more widely than planned.
Cloud considerations
A further area of concern comes around the ongoing adoption of cloud platforms and services, which means companies making this transition need to rethink how they secure their own services and data. Many assume that the cloud provider manages this for them, which is not necessarily the case and depends on the service. As such they need to perform the same due diligence when choosing a cloud platform as they would when deploying their own infrastructure. Alternatively organisations can turn to a managed services approach, ensuring the underlying complexities of their cloud infrastructure and applications – in terms of maintenance, security and scalability – are taken care of by a trusted partner, so their IT teams can focus on priorities elsewhere, especially in these difficult times.
Ultimately, it’s likely that a bi-product of COVID-19 will be in how it demonstrates that people and organisations can adapt effectively to remote working, in particular to those who were perhaps reluctant to adopt such a strategy before. This will result in the above practices becoming the new normal – remote working will become much more widespread, and the explosion of cloud resources and VPN services will continue. For IT teams, it is essential to adapt and overcome the associated security risks within these areas now, in order to stand their organisations in good stead in both the immediate and longer-term future.
