The best way to protect your organisation during adversity is to focus on the areas that matter most, whether those include remote access, monitoring for new threats, or preventing data loss.
Companies that are managing change successfully are doubling-down on key security initiatives and pushing out the rest.
With the spread of Covid-19, businesses have faced new challenges. Needless to say, many enterprises are rethinking how they’ve been doing work and what that work will look like. In fact, according to Fugue’s recent State of Cloud security survey, 83 per cent of companies surveyed are transitioning to 100 per cent distributed teams. And yet, with this move, 84 per cent are concerned about cloud security during the transition, with 92 per cent specifically concerned about being vulnerable to a major cloud data breach.
Historically, any major event—from the Olympics to a natural disaster—comes with an influx of bad actors perpetrating scams and other opportunistic attacks, and we’ve seen this with Covid-19. Whether the event is exciting or terrifying, the distraction offers bad actors an opportunity to bypass security defenses. But how should organisations think through an appropriate strategy to deal with such new challenges?
Change is difficult but necessary
While it may be tempting to institute a major security overhaul to deal with these increased threats, for most businesses, radical changes should not be the immediate response. Simply put, it’s impossible to implement sweeping change to systems and processes during unpredictable times.
Disruptive change opens up new vulnerabilities that malicious actors can exploit, especially when the changes are implemented with such haste that the implications of the disruptions are not clearly understood or identified.
Instead, companies that are managing change successfully are doubling-down on key security initiatives and pushing out the rest. Determine what’s changed in the world, how it affects your operations, and then prioritise controls and capabilities that help deal with that change.
The lesson here is to look for more resilient methods for keeping your people working when they can’t get to the office.
If your people can’t work, your business won’t run
One of the most fundamental and painful changes for many organisations has been the sudden shift from a 5 to 10 per cent remote workforce to a 100 per cent remote team. The systems needed to handle it often aren’t in place.
For example, entire call centres might be staffed with contractors who used to work full-time from a company facility, and used fixed workstations to access an internal app on the corporate network. Those same call centres may also have outsourced software testers that accessed a client’s code only from their employers’ dedicated machines and networks. Now those contractors can’t do anything, so the call centre can’t serve customers and new code can’t be tested. Operations grind to a halt, as demonstrated at many organisations in recent months.
The lesson here is to look for more resilient methods for keeping your people working when they can’t get to the office.
Here, a critical security initiative is to give workers access to key applications, so that they can continue their jobs. It sounds simple, but in practice, it’s been quite difficult for many. Traditional solutions, such as virtual private networks (VPNs), haven’t worked well during these unprecedented times, as organisations have struggled to install required VPN software on employees’ and contractors’ machines. Even large providers of VPN solutions haven’t been immune to the challenges of getting tens of thousands of new VPN users up and running.
A zero trust approach
The lesson here is to look for more resilient methods for keeping your people working when they can’t get to the office. For example, Google has used a zero trust approach that scales to over 100,000 workers easily, for almost a decade. It’s been so successful that we’ve built on it to develop BeyondCorp Remote Access, a cloud solution that allows employees and extended workforces to access internal web apps from virtually any device, anywhere, without a traditional remote-access VPN.
Remote work blurs the line between personal and business
Another common observation in recent months is that workers, now stuck at home, struggle to balance work time and personal time. Without experience managing this, people find that they can’t focus and don’t know when to shut their machine off.
However, there is a security aspect to this blurring as well. A common security control is to forbid workers from using the same machine and account for personal use (such as checking personal email, surfing the web, or accessing social media) and for business use (signing in to payroll systems, developer portals, corporate networks, and so on). You don’t want someone to pick up a password-stealing virus while visiting a chat room, then sign in to a corporate design system.
A common security control is to forbid workers from using the same machine and account for personal use and for business use. Enforcing this becomes more difficult when everyone is working from home.
This is easier to enforce when employees use their business workstations at the office and then use personal computers at home. Enforcing this gets much more difficult when everyone is working from home, often on a single machine.
For example: A financial analyst might be working on quarter-end close in the morning, shift to taking a lunch break and surfing the web, and then shift back to the corporate financial systems. If the analyst inadvertently downloaded malware while surfing, attackers may access the network remotely and gain early access to financial information. They may later access other confidential data as well. In short, an unexpected remote workforce may result in more threats entering the corporate network.
The lesson here is twofold. First, make sure that all workers’ machines have effective security technologies—such as antivirus software and two-factor authentication—in place to deter phishing, malware, and other threats, and make sure they get the latest updates.
Second, and more importantly, make sure your security monitoring is up to snuff so you can detect unusual behaviour, such as a worker’s machine connecting to a dodgy web domain that no one else has accessed before. The technology to harden worker’s machines, to detect new threats, and to monitor unusual activity exists today. It is easily deployed and is much more effective than earlier technologies, so take advantage of it.
And when considering the human element, remember that human error is often just as much of a threat—if not more so — than outside malice.
The biggest thing employees can do to help IT secure data is to remain vigilant for potential threats.
It’s true that we don’t know how long the current situation will last, let alone what will come afterward, but the need for effective cyber security remains constant. Fortunately, organisations are showing success with approaches like zero trust and strengthened security monitoring that enable their teams to work securely and effectively in times of uncertainty.
Keep Reading
Download your copy of Redefining Security Analytics to learn how to investigate and hunt at the speed of search here.
To learn more follow us on Twitter: @GoogleCloud_ME
