Distributed Offices Pose Our Next Great Challenge
What is an office? Is it a place of work for one person or lots of people? It’s a definition that many leadership teams are now answering. Do they maintain the dozens, thousands, millions of home offices they now have around the world or move people back to a few central points?
There are so many implications related to the decision they make. From maintaining and growing company culture, through ensuring inclusion, social connection, collaboration and participation at a safe distance.
A New Model
Speaking to clients and colleagues across the industry, it seems that as companies grapple with social distancing and productivity so a new model of working must emerge. The models they adopt will be closely related to how they technically adapted to lockdown in the first place.
It’s evident that the organisations that fared best were those that adopted a cloud applications strategy. These companies had made steps to allow working from home, or in the field, viable to some or all employees at some point in their working week well before lockdown.
In the main, their challenge in responding to lockdown was to scale up existing process and infrastructure at pace and make adjustments that helped people successfully work from home every day. It wasn’t to put in place a cloud environment 18 months earlier than planned.
That’s why we are already starting to hear of clients that won’t be looking back. For these forwarding looking companies, offices and the associated overheads, will be cut in favor of meet up spaces for team working events on specific occasions.
Of course, it’s not that straightforward for everyone, which is why there are other organisations that are considering offices that support A and B teams that travel to work on different days. It seems to be a workable, lower risk option if you have the office space, willingness and need to make it happen.
These are perhaps the fortunate ones, as for some companies there is no option. Work can’t be done remotely. Manufacturing and supply are a prime example of where the majority of employees will need to be present and safe at all times. A whole new conundrum in itself.
But no matter where your future strategy lies, a certainty that has emerged from day one of lockdown is that cyber security must be a priority.
We can’t escape the headlines of major hacks for customer data and prolific phishing scams. Though the details of every case aren’t known, experience tells us that less than perfect network and application security, and exceptional human engineering from scammers are to blame. Again, the companies that have managed to navigate moving people online and sustaining business and productivity levels are those that had business continuity plans that included cyber security.
So, as we move ahead, companies need to take charge of their security at a level not done before. Now that every employee could potentially log in to a system remotely it’s clear that the risk of a breach mounts. Any interaction with the network and its applications has to be secured.
There is plenty of innovation to take advantage of and it would be easy to wax lyrical about it all, but I believe that getting the basics right is the first and most important step to take. It boils down to how people access the tools they need to work, and their own security education.
Remote Access and VPNs
Let’s take access first. At the heart of every remote access plan needs to be secure VPNs. At the end of 2019 the security industry had witnessed a period of high alert as hackers exploited vulnerabilities in VPNs. Patches to fix the insecurities were supplied and were either applied by companies or if that was too onerous/costly they took the decision to withdraw the VPNs altogether until such a time as they could patch them. The chaos died away.
However, the rapid mobilisation of remote workers as COVID-19 moved around the globe, prompted many companies to roll out VPNs again at any cost, which meant security was the after-thought.
It was, and continues to be, a massive risk. That’s because, for the most part of 2019, and most certainly 2020, remote desktop protocol (or RDP), is the most important attack method for ransomware. By March 2020, VPNs suddenly became hot property for hackers again. Any that were unsecured were jumped on.
The reason why hackers like them has much to do with how easy it is to find unprotected VPNs but also the minimum effort needed to have impact. It only takes a 1MBps flow to cause a VPN service to go offline and create huge disruption.
Of course, the unscrupulous won’t stop there and as more companies move to cloud applications to keep their business operational, so they introduce risk. CIOs therefore need to acknowledge that introducing or extending home working broadens the attack surface – there is just more to attack. So, now more than ever, it’s vital to adapt risk models. You can’t roll out new services with emphasis on access and usability and not consider security. You simply won’t survive otherwise.
As part of this it’s worth noting that applications aren’t always designed and built with security in mind. It’s expected that security will be bolted on and although the DevSecOps community has done much to reverse this trend, it still goes on. It makes distributed denial of service attacks (DDoS) enticing and still one of the most preferred attack methods for hackers.
DDoS attacks will bring a business to a standstill as the network is flooded, but more than this they offer a route to gain access and steal confidential data. Often, it’s a direct attack, but sometimes it’s used as a smokescreen – a DDoS on one part of the business to divert attention, while another more damaging attack goes unnoticed elsewhere. Having an automated means to detect and mitigate these attacks will be essential in a post COVID-19 world. The more applications you add the more necessary it becomes. No human can monitor a network at the speed required, far better to have technology do it and use security teams to develop and implement strategy.
Next should be a focus on behaviour as people have been proven time and again to be the weak link in a security plan. It’s highly recommended that strong password hygiene or some form of multi-factor authentication (MFA) is imposed to secure the enterprise. Best practice would be to get all employees to reset their passwords as they connect remotely and force them to choose a new password that complies with strong password complexity guidelines.
As we know, people have a habit of reusing their passwords for one or more online services – services that might have fallen victim to a breach. Hackers will happily leverage these breaches because it is such easy and rich pickings.
Phishing also works on the principle of imitation. Make sure your employees know how to spot a fake email and question everything they aren’t expecting. They should feel confident to challenge things and know what to do to prevent a breach.
More Speed, Less Haste
There is clearly much for the board and CIOs to think about as they navigate new ways of working, but it is possible to secure a network by applying some well thought through tactics. Above all, I believe it comes down to having a ‘more speed, less haste’ approach to rolling out, scaling up and integrating technologies for home working. Technology alone is not the answer and should be mixed with an employee education program. As in reality, great technology and a coherent security strategy will never work if it is undermined by a click of a mouse.
Note: A version of this article first appeared in PrivSec Report.