Moving security from “Keeping the lights on” to “Getting back to normal”
In the first quarter of 2020 IT and security teams around the world faced an unprecedented challenge. The coronavirus pandemic grew in a matter of weeks to a phenomenon that would disrupt businesses, lives and the economy like nothing else we have faced before.
The introduction of lockdowns, travel restrictions and stay-at-home orders forced many businesses to adjust almost overnight to a different way of working that avoided staff being in offices or on sites. Some staff had to balance work obligations with a need to home-school children, some had to shelter for their own safety, some were furloughed or laid off – leaving businesses without access to their abilities.
Cyber security and the lockdown
All businesses rapidly moved to allow remote or home working, swapped face-to-face meetings to Zoom or Teams or Slack, worked around site visits, put data in hastily arranged cloud based file stores and swapped to a model where everyone didn’t have to come to work in the same city centre office location. Even after-work socialising and team catch-ups migrated to social media or collaboration platforms so people could still keep in touch.
In some cases, this has meant compromise, especially with respect to cyber security.
- Data that may have been kept safe on servers was moved to more easily accessible systems that people could get to remotely; with security still – but with less control and less visibility.
- Users without portable computers were allowed to use home PC’s to access systems via remote access VPN’s or access to cloud-based platforms; with less control over the users who had access to the computer or the security controls such as anti-virus that it had installed.
- Operational security duties that operated on site, audits and reviews of systems or third parties and security improvement projects were put on hold, delayed or even cancelled where they could not be undertaken.
- Remote access facilities that were once limited to senior management and remote workers/sales teams suddenly had to onboard a much larger cohort of the workforce.
- Videoconferencing, once used as an exception where getting together face to face was not convenient, suddenly rolled out to be used by all personnel and all teams for external and internal meetings (including internal collaboration facilities being opened up to outside entities and publicly available video conferencing platforms being used by internal teams).
However, all this was only meant to be temporary – it would last a few weeks, maybe a month or two. The risks were acceptable – and necessary – in the circumstances.
As we draw (hopefully) out of the worst of the coronavirus crisis however, businesses are recognising that working patterns may not return to the same “normal” that they were before the pandemic struck.
What was put in place “temporarily” and often hastily to address a crisis might now become “permanent” and operational for a much longer time period.
This means that risks which were accepted out of necessity and on the basis they wouldn’t last for ever may now need to be reviewed, and that activities that could be paused for a few weeks because undertaking them was difficult, are now problems that do need to be addressed and have solutions found for them.
Security under the “new normal”
There are obvious areas where security approaches will have to adapt. We have written about the way that security reviews and assessments can be improved here – allowing the review and assessment of security controls in data centres and remote offices without the need for site visits or a reliance on local IT staff providing answers via questionnaires that may or may not be accurate.
We’ve also written a piece here about how the assessment of third parties needs to evolve to accommodate large numbers of suppliers or partners who can’t be visited but might also be in a different risk posture than before the pandemic struck.
There are two other areas where security functions need to work hand in hand with the evolving business models.
Home working, the cloud and security
With the recent emphasis on home working and the fact that businesses have had to “make it work” there is a good chance some people will opt/ask to remain home based and others may find that their jobs move out of expensive city centre offices to become home based too.
One can argue that the reason people clump together in buildings to work is because we are social animals and the need to exchange ideas and interact with people is a strong one. Whatever the balance between saving money on office real estate, respecting social distancing requirements and the need to bring people together, there is almost certainly going to be a need for greater flexibility and mobility.
That may mean security teams have to ensure that users working from home PC’s have secure routes to gain access to corporate systems and email and that robust mechanisms for file sharing and storage are in place. In general, it is not acceptable for data to end up being stored on home user systems where it cannot be protected and controlled.
This will mean in some cases providing laptops in place of desktop systems or allowing access to cloud-based applications rather than trying to use legacy office/data centre hosted servers or working with spreadsheets on shared drives that don’t scale well when people are remote and might need local copies or have to try and synch their accesses.
This method of IT service delivery is not impossible to achieve, but the change in focus from a few people needing to work remotely to a larger proportion of the workforce will have implications.
Part of this is the way in which controls such as anti-virus, patching and security monitoring work. For systems connected to a corporate network, the ability to administer, connect and link to management systems for security controls is a lot easier than when these devices are being used in a remote location.
For example, one approach to security was to quarantine a system on the network if it was found to have a virus or a user was found to be acting suspiciously (inadvertently in the case of a virus). This way you could limit access to a part of the network where there was reduced risk of further spread but still give access to patch, AV and security intranet servers. In a remotely managed workforce this quarantining would have to work through a VPN connection that the user might or might not have activated. It’s not impossible, it’s just different.
For security teams the way the estate is managed, updated and monitored will need to adapt.
Collaboration and team working
The need for collaboration, videoconferencing and team working solutions has also meant changes for IT functions. In some cases, for themselves so they can continue to operate.
Many businesses already had a facility for webinar-style meetings. More often telephone based, so people could make the calls from mobile phones or quiet meeting rooms. A more normal way of working now seems to be using computer audio – an odd but perceptible shift in usage patterns – more natural when people are using videoconferencing and audio and visual are integrated.
Also, for those people that didn’t have the facility and were more used to just arranging a meeting room, there will be some who have signed up for free systems such as Zoom to deal with their own requirements irrespective of what their corporate provision is. Some teams or departments will also have agreed at a local/team level to install tools such as Slack to keep in touch and possibly even set up shared cloud drives to handle data exchange “because it’s easier” than using a corporate solution.
What seems certain is that there will be a continued use of these types of systems and facilities for conducting meetings and sharing contact and data between internal and external partners, between offices and between people.
For security teams trying to build security around “getting back to normal” this may mean ensuring their corporate facilities are available and mandated so that little “islands of personal use” and free offerings don’t crop up to fill a void, and that the ability to monitor and police these new communications mechanisms can be found.
Finally, the network bandwidth of 50 people on video conferences and using VoIP might mean that previously uncongested LAN or WAN provisions start to feel the pinch in a way that they didn’t when meetings were face to face or over the phone.
Security in the “new normal”
Security in the post-lockdown “new normal” won’t be the same as the “old normal”, but it won’t be the same as under “the lockdown” either. There will be some changes and adaptions needed and a greater need to deliver assurance and protection to a business environment that has greater flexibility in how it operates.
Central security management, monitoring and oversight will have more systems and technologies to implement policy for, and a more disparate network of systems and users to do it in. This will mean that IT security teams will be forced to look at security delivery/architectural models like “Zero trust” and will have to find ways to protect data that don’t depend on there being a physical location, corporate network and secure endpoint that can be controlled – because there won’t be any of those things for some users.
When this extends to the assurance, visibility and monitoring of systems, there will be a need to decide what data is available, where it can be collected from and what threats (including new or changed ones) need to be detectable from within the security operations function. The oversight and audit team will have different controls and platforms to assure in order to give senior stakeholders confidence that levels of protection haven’t been weakened, and risk introduced, as the business has adapted to the wider environment,