How to survive the transition from two office locations to 25,000 and still remain secure.
The COVID-19 pandemic has critically changed the traditional concept of work for a major part of the workforce, possibly forever, as office staff work from home and traveling salesmen work opportunities by video conference with customers. But what are the implications of this change for corporate cybersecurity and how can CIOs and CISOs adapt their technology infrastructure and cybersecurity controls to this new reality? These are just some of the questions that were addressed my recent virtual cybersecurity conference, The Challenges of Working Through an Epidemic. Photo: Alex Kotliarskyi
How the 'Stay at Home' Orders Have Affected Companies
With ‘Stay at Home’ orders in effect across most of the world, many customer-facing businesses are suffering. It’s certainly not a good time to be in the airline, hotel, or restaurant business as nearly everyone stays at home. Similarly, companies that have not completed their migration to the cloud and cloud-based services may be experiencing additional difficulties necessitating that remote staff VPN into the corporate network in order to access legacy client-server systems and applications.
Furthermore, the COVID-19 Pandemic, since its humble beginnings in Wuhan China and subsequent spread around the globe, has reaped massive emotional and economic distress, as well as the deaths of thousands and the making of millions more sick. Whether the recent relaxation of lockdowns in China and elsewhere is a permanent condition or results in a second wave of infections remains to be seen, but the global pandemic will have lasting effects on globalization and supply chains for critical medical and other supplies. It may also permanently change the way many of us work.
How Beneficial is this 'New Norm'?
With an increasing amount of companies being pushed to transition to working from home, it brings to question, is it really necessary for businesses to continue to rent expensive downtown city office space? Or better yet, is it really necessary for employees to sit in their cars for two hours commuting to their tiny cubical through noxious traffic and pollution, or be confined to a cramped subway or train car with potentially lots of disease-carrying passengers? It took Spanish Flu 18 months to work itself out of the population, so any notion of a full return to what was ‘normal’ in a few weeks time, is unlikely even for the greatest optimists. The bigger question is do we really want to return to the way things were just for the sake of it? I would suggest not.
Now that the cat is out of the bag, and bosses have seen that their staff work just as well from home, if not more productively than from their office cubes, the argument to keep things the way they are today, suddenly has a lot more weight.
Transitioning to a Secure 'At-Home Workforce'
Whether companies like it or not, the at-home workforce is a current necessity. So, how should you go about securing tens of thousands of staff now working from their patios, dining room tables, or home offices, connecting to your applications and infrastructure via an over-taxed VPN back to the nearest corporate office? How do you make this secure?
Here's the Questions You Should Ask:
- Do you provide your staff with laptops and Integrated Services Routers (ISRs) to connect back to corporate and for VOIP calling via a secured point to point connection?
- If not are your staff connecting to your assets directly from their home internet connection?
- Have you put in place policies for remote access such that staff are expected to update firmware on their $50 home cable modem or DSL router and are they required to change the default username and password on these devices from admin: admin?
- Are your staff required to run WPA2 encryption at home? Are staff allowed to connect from the open WiFi at Starbucks? And if not, how can you ensure that your staff’s home wireless internet connection is not being snooped upon if they are not encapsulating and sending everything over a VPN?
- Do you even know if split tunneling is enabled in your corporate VPN and if not, what happens when that employee needs to print something to their home printer and has to disconnect from the VPN? Conversely, without split tunneling your corporate internet connection may be struggling.
- Do you provide staff with a laptop running a locked-down application stack with your security tools installed? Taking home the office workstation may not be an option and trying to purchase laptops in times of mass demand is now almost impossible.
- Do you allow your staff to use their own (BYOD) computers to access your applications and data, and if so, what do you require in the way of AV, patching and acceptable use on these machines?
Listen to the Experts
These and other questions were put to my team of security subject matter experts who joined me on virtual stage for a special CTG Intelligence conference on remote business working during Covid-19. Check out The Challenges of Working Through an Epidemic to hear their answers and insights that will help you prepare for the new 'normal' for as long as it lasts.
- Richard Staynings, Chief Security Strategist at Cylera, out of Boulder, CO, USA
- Page Jeffrey, Cyber Security Consultant at Trace3, out of Colorado Springs, CO, USA.
- Luke McOmie, CxO Advisor Offensive Security at Coalfire out of Westminster, CO, USA.
- Steve Harrington, Managing Director at Masergy out of London, UK.
- Tanya Walters, Independent Cyber Operations Advisor out of Phoenix, AZ, USA.
- Anthony Dezilva, Dir. CxO Services out of Scottsdale, AZ, USA.