The COVID-19 pandemic has changed the corporate world as we know it. As quarantines were enforced on a global scale, an unprecedented number of office-based workers started remote working overnight. With a few months of this “new reality” now under our belt and with companies seeing that they can maintain productivity with a remote workforce, it’s becoming clear that this seismic shift isn’t just a temporary measure.
Originally, this immediate change presented many significant challenges for organizations. Many wouldn’t have been readily equipped for such a stark adjustment: IT and security teams had to contend with making major updates to infrastructure, fast-tracking cloud migrations, rapidly deploying VPNs, modifying firewalls and more – all on top of their already-bloated workloads.
Nearly half of the U.S. workforce now consists of remote workers, with many companies opting to not return to their offices until 2021. Some may not return at all. With this in mind, it’s clear that enterprises need to get smarter about implementing their business continuity plans with remote working at top-of-mind. Network security and data privacy need to be a primary concern: securing a remote workforce adds new complications that need to be fully understood and considered.
The New Normal is Here to Stay. So, Now What?
IT and security teams need to form new strategies. If they managed to make it through the initial transitional phase, they need to now take a step back and establish long-term initiatives that will support a workforce that could potentially be permanently remote.
To start with, security teams need to gain visibility of their entire expanded security environment. The move to a mass, remote workforce has caused network perimeters to greatly expand. To secure new ingress and egress points, security professionals first need to be able to see what they need to protect. More than that, they will need to understand the context of all assets and vulnerabilities within their expanded environment and know just how exposed each of them is to potential attack.
They will also need to better educate their workforce. Phishing attacks have risen during the COVID-19 crisis and, considering how critical assets are now connected to non-proprietary home internet networks, the risk of new exploits is increasing. Accompanying this, they need to enforce proper segmentation to limit access to sensitive network areas.
Revisit Your Access Management
Organizations need to be able to control access to corporate resources with permissions needing to be carefully monitored. They could even go as far as determining which device (whether mobile, tablet or laptop) can be used to access resources and the time at which they can do so.
Processes previously established to provide access need to be revisited and refined in order to further reduce risk. The current crisis has struck at a time when criminal capabilities are stronger than ever: they are increasingly confident in their ability to infiltrate corporate networks and will be emboldened to act at a moment when organizations are struggling to operate through the chaos.
Security teams’ already-stretched workloads are facing greater strain as a result. This is where the automation of tasks like change management and firewall compliance becomes invaluable. They need to be able to limit the resource drain associated with these tasks, allowing them to reduce complexity and focus on the bigger picture.
Maintaining Compliance is Imperative
Most organizations will be squarely focused on ensuring business continuity. This will have reshaped their digital transformation priorities, curbed their growth plans and forced leadership to retool all strategies. The last thing any business needs now is to be hit with a fine for non-compliance. To avoid the iron fist of the regulators, organizations need to be able to continuously assess their risk posture against both compliance mandates and internal corporate policies.
To achieve this, they will first need to have an infrastructure-wide view of all corporate assets wherever they reside – this includes computer assets and network infrastructure. They will need to be able to conduct access and path analysis to critical systems and between network segments; to be confident in their abilities to address critical vulnerabilities on sensitive business assets; and to ensure proper configuration of VPN, firewalls, security and networking devices as well as all other ingress and egress points to critical assets.
Achieving all of this will be no small feat, but it’s important to recognize that these security requirements are necessary for our new reality. Through the development of rigorous and informed vulnerability management practices, by embracing automation and working with a focus to reduce the complexity inherent to cybersecurity management, we will all be able to make it through. Embracing change and ensuring better protections will put business leaders in a stronger position to manage our stop-start-stall recovery as we continue to navigate these unchartered waters.
About the Author: Gidi Cohen is the CEO, Skybox Security