Report: Enterprises caught off-guard by remote work cybersecurity challenges

Sept. 15, 2020
Swift transition to telework in wake of pandemic has resulted in unforeseen consequences for many organizations

More than a few organizations were struggling to find remote working solutions even before the arrival of a global pandemic. In the wake of widespread shelter-in-place orders, plans that had been penciled in for the next year (or the next five) had to be rushed. It’s no surprise, given this, that recent research shows firms struggling to ensure security during the “Age of Telework.”

The most detailed of this research comes from Fortinet, whose new “2020 Remote Workforce Cybersecurity Report explores the challenges of remote working and how large companies are planning to support the new normal.

The Challenges of Remote Work

We shouldn’t be surprised, given the speed at which the COVID-19 pandemic spread, that enterprises have found the last few months challenging to the extreme. Still, the scale of this challenge – as captured in Fortinet’s research – boggles the mind. Nearly two-thirds of the businesses surveyed had to transition over half of their workforce to remote work practically overnight. And 83% of those organizations found this transition moderately, very, or extremely challenging.

Respondents reported that they encountered difficulties in many areas during this transition, but two issues stood out as the most mentioned. These are the size of the “shadow” IT infrastructure that now exists in most firms, and the problems it causes when trying to scale remote work solutions.

Shadow IT Infrastructure
 

Most IT administrators were aware of the security issues with shadow IT infrastructure long before the pandemic forced many workers to stay home. However, systems engineers – myself included – had a nasty surprise when they realized just how much shadow IT was already being used in their organization, and how hard it was to convince managers not to use their personal smartphones.

Had we read the research beforehand, we might not have been so surprised. A 2012 RSA study reported that 35 percent of employees feel like they need to work around their company's security policies just to get their job done. In other words, the world of shadow IT infrastructure has long existed in a state of dangerous equilibrium, with employees continually trying to subvert security protocols, and IT managers trying to stop them.

In this context, it’s not surprising that a sudden rise in remote working caused a “pandemic” of difficulties. Cybersecurity professionals found themselves in the unenviable position of trying to mass-secure a herd of personal mobile devices suddenly pressed into use for work. Imagine entire days and weeks devoted to little more than overseeing the installation of encryption software to protect consumer-grade phones that hadn’t been vetted.

Simultaneously, cyber adversaries from opportunistic phishers to nation-state actors focused on finding ways to exploit what were typically lightly-protected home Wi-Fi networks.

To make matters worse, the dispersal of employees also dispersed data, which had the effect of making existing cybersecurity platforms obsolete for all practical purposes. These platforms were designed to secure a centralized server farm. Using them to protect dozens, hundreds, or thousands of personal computers and mobile devices was a task they were not designed to do.

Scaling Remote Solutions 

The second major issue uncovered by Fortinet’s recent research was one of scale. More specifically, many organizations who already possessed excellent cybersecurity infrastructure found that many traditional NGFW (Next Generation Firewall) solutions were simply unable to scale as broadly as needed. Worse, they were unable to provide deep inspection of that VPN traffic without severely impacting the performance of business-critical applications and services.

In response, some turned to new, untested cloud providers. Others hired new staff just to support this shift. However, often it has turned out to not be the security of storage itself that was the biggest vulnerability, but (once again) the novel way in which employees wanted to access it.

This is where things really get messy. Most cybersecurity engineers were able to deal with their existing level of shadow IT infrastructure, but they were doing it largely through extending enterprise systems to personal devices. Not only is this an inelegant way of using these systems, it can be a dangerous undertaking when systems need to be scaled quickly.

This was, perhaps, another difficulty that we should have seen coming. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA)’s list of best practices has long stressed the need for cybersecurity solutions that are able to quickly scale to meet increased demand. And to give credit where it is due, most organizations were able to scale up their security quite dramatically. It’s just that, as Fortinet’s research shows, in many cases this caused severe difficulties.

The Bottom Line

In many ways, the shift to remote work over the past few months has not shown us anything new. Cybersecurity analysts have long been aware of the security risks that the practice represents, and have long known that no matter how well employees are briefed on the dangers of remote working, it remains a supersized security threat.

It's no surprise, therefore, that investment in remote work solutions will increase. In the same research mentioned above, almost all organizations surveyed expect to invest more to secure telework long-term, with 92% of enterprises expecting an increase in the security budget for remote work security issues, and nearly 60% reporting that they will spend more than $250,000 in secure telework investments in the next 24 months.

This investment should be intelligently targeted, though. It must focus on systems that are scalable, and able to be adapted to consumer-level devices. Otherwise, the next global pandemic that shows itself will spawn a rerun, and nobody wants to watch that.

About the Author:

Bernard Brode is a product researcher at Microscopic Machines and remains eternally curious about where the intersection of AI, cybersecurity, and nanotechnology will eventually take us.