The rapid switch to remote working, triggered by the coronavirus pandemic, has enabled many organizations to keep their operations running despite the disruption. But to do so, some conventional IT security measures have had to be compromised. Gartner senior research director Rob Smith reflects on the challenges of the past six months and offers advice to companies looking to re-establish security as a top priority.
The Covid-19 crisis created a rapid shift in working patterns at many organizations, as countless staff transitioned activities from offices to homes. After several months of remote operations — and even with successful vaccine programs suggesting an end to the current pandemic is now in sight — many companies are looking to make their remote-working experiment permanent.
A recent survey of 317 CFOs, by technology industry consultant Gartner, revealed that 74% expected a significant part of their workforce would continue to work from home after the pandemic has ended. But the changes in working practices have raised serious issues for IT security executives as they have rushed to support new ‘remote-first’ policies. With that new norm established, there are now questions about the extent to which security corners were cut during the first months of the pandemic and how new working practices need to be safeguarded.
Rob Smith, senior research director at Gartner, has seen a three-stage process at most organizations. “Phase one came to a conclusion in May. It involved getting everybody [working remotely] online as fast as humanly possible and in any way possible – security be damned.”
|Rob Smith, senior analyst at Gartner|
For many companies, the choice was to either set up employees with office equipment or ask employees to use their own computers for work. “If you had asked me about ‘bring your own PC’ in January, I would have said almost nobody does it. Now, around two-thirds of Gartner’s clients are doing that to some extent,” he says. Perhaps surprisingly, this includes government departments, financial institutions, healthcare companies and even the military, according to Smith.
This switch to using personal devices has been one of necessity for most organizations. The shortage of kit in the early months of the pandemic meant that many organizations faced a stark choice between employees’ own devices or nothing at all, according to Smith. “It was really a question of get online or be out of business.”
Securing your remote workforce
Phase two is when the security implications of that shift to remote working need to be considered — and it’s where many organizations now find themselves. For the most part, that has involved largescale extension of corporate VPNs, ensuring anti-virus software is installed and up-to-date on home devices and segmenting networks and directories to make sure that people are only accessing systems they are authorised to access.
For Smith, one crucial security feature has been multi-factor authentication (MFA). “If there’s one technology that really matters most for any organization to enable in a post-Covid world, it’s MFA,” he says. “If an employee is using a personal device, the only safe assumption to make is that it’s infected. This makes it very dangerous if they connect over a corporate VPN. But if you turn on MFA, that problem gets eliminated.”
Another frequently recurring issue facing clients over this period was what Smith calls “Patch Tuesday” — referencing the fact that many VPNs couldn’t cope with the hundreds of updates being sent over the network as staff logged on at the start of the business day. “The solution is to transition to a cloud-based patch delivery system,” he explains. “So you don’t have to send that update traffic over the VPN.”
‘Don’t think, just deploy’
The third stage is now is about refining the work-from-home setup or, as Smith says, “fixing everything and doing it right.” Determining the right security setup relies on properly defining the user’s profile and the scope of their activity, he says.
The user’s job function, the device they use, the apps and data they need access to and their location should all be taken into consideration when determining which security technologies to apply. For example, Smith says: “If the user is predominantly accessing a Salesforce.com app, you could use a cloud access security broker and contain the data there. Or, if they have their own personal device, you could deliver desktop as a service.”
However, the reality of a remote setup in the current climate is that the need for swift action often trumps traditional prudence. In many cases it has required a “Don’t think, just deploy” mentality.
“Today you can’t go through the traditional IT processes of piloting a new application for six months before buying it. That doesn’t work in the Covid-19 universe; you have to figure out where you want to be very quickly and try to get there.”
Smith references one global insurance company, which went from having 500 remote users to 50,000 in the space of a single day. He explains: “The first problem was their VPN only had licenses for 10,000 users. But even when they bought 40,000 extra licenses, they found they only had bandwidth to support 1,800. And then out of the 50,000, over 20,000 didn’t have their own computer at home.
“It was a classic example of everything that could go wrong, did go wrong. All they could do was immediately re-architecture the complete environment for remote working,” says Smith.
But, he reiterates, “There really was no wrong decision. Companies were simply doing what they could do with the resources they had available at that moment. That’s why stage three is so important. When you talk about redesigning the network and the whole architecture, make sure you know what you really want to achieve.”
Unfortunately, when it comes to stage three, there are no shortcuts. “Frankly — and this is a very tough thing to accept — you have to find money for this,” says Smith. “Security has become the new infrastructure because it determines how you access your work. Enabling, this is the most important thing you can do because all other work is dependent on it.”
Preparing for future security threats
As the current situation evolves, IT organizations need to be increasingly vigilant. If they have allowed employees to use their own computers in a work-from-home setting, this can then bring new challenges when they spend time in the office. “If you have people coming into the office, you can’t allow them to bring in their home laptop into the corporate network and potentially infect it with viruses,” says Smith.
Although the past few months have proven difficult for many IT organizations, most will find themselves in a better situation now than they were in earlier phases. For Smith, the important takeaway is “not to beat yourself up if you picked the wrong solution. You need to react as the situation develops and learn as you go.”
He adds: “The truth is there is no magic bullet. You have to look at a myriad of solutions and work out what is appropriate for your organization.”