How to survive the transition from two office locations to 25,000 and still remain secure
The COVID-19 pandemic has critically changed the traditional concept of work for a major part of the workforce, possibly forever, as office staff work from home, and traveling salesmen work opportunities by video conference with customers. But what are the implications of this change for corporate cybersecurity and how can CIOs and CISOs adapt their technology infrastructure and cybersecurity controls to this new reality? These are just some of the questions that my panel was asked to address in a recent virtual cybersecurity conference on 'the challenges of working through an epidemic'.
With ‘Stay at Home’ orders in effect across most of the world, this of course means that many customer-facing businesses are suffering. It’s certainly not a good time to be in the airline, hotel, or restaurant business as nearly everyone stays at home. Similarly, companies that have not completed their migration to the cloud and cloud-based services may be experiencing additional difficulties necessitating that remote staff VPN into the corporate network in order to access legacy client-server systems and applications.
And of course, the COVID-19 pandemic, from its humble beginnings in Wuhan, China to its subsequent spread around the globe, has caused massive emotional and economic distress, as well as the deaths of thousands and the sickening of millions more. Whether the recent relaxation of lockdowns in China and elsewhere is a permanent condition or results in a second wave of infections remains to be seen, but the global pandemic will have lasting effects on globalization and supply chains for critical medical and other supplies. It may also permanently change the way many of us work.
The King is dead. Long live the king!
Is there really a need for companies to continue to rent expensive downtown city office space? Is it really necessary for your employees to sit in their cars each day for two hours commuting to their tiny cube through noxious traffic and pollution, or be confined to a cramped subway or train car with potentially lots of disease-carrying passengers? It took Spanish Flu 18 months to work itself out of the population, so any notion of a full return to what was ‘normal’ in a few weeks' time is unlikely even for the greatest optimists. The bigger question is: do we really want to return to the way things were just for the sake of it? I would suggest not.
Now that the cat is out of the bag, and bosses have seen that their staff work just as well from home, if not more productively than from their office cubes, the argument to keep things the way they are today suddenly has a lot more weight.
But how should you go about securing tens of thousands of staff now working from their patios, dining room tables, or home offices, connecting to your applications and infrastructure via an over-taxed VPN back to the nearest corporate office? And what other questions should you ask?
Do you provide your staff with laptops and Integrated Services Routers (ISRs) to connect back to corporate and for VOIP calling via a secured point to point connection?
If not, are your staff connecting to your assets directly from their home internet connection?
Have you put in place policies for remote access such that staff are expected to update firmware on their $50 home cable modem or DSL router and are they required to change the default username and password on these devices from admin: admin?
Are your staff required to run WPA2 encryption at home? Are staff allowed to connect from the open WiFi at Starbucks? And if not, how can you ensure that your staff’s home wireless internet connection is not being snooped upon if they are not encapsulating and sending everything over a VPN?
Do you even know if split tunneling is enabled in your corporate VPN, and if not, what happens when that employee needs to print something to their home printer and has to disconnect from the VPN? Conversely, without split tunneling your corporate internet connection may be struggling.
Do you provide staff with a laptop running a locked-down application stack with your security tools installed? Taking home the office workstation may not be an option and trying to purchase laptops in times of mass demand is now almost impossible.
Do you allow your staff to use their own (BYOD) computers to access your applications and data, and if so, what do you require in the way of AV, patching and acceptable use on these machines?
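One way to answer the split-tunneling question from the endpoint itself, as an added example that is not part of the original article: the sketch below classifies a Linux laptop's IPv4 routing table as full-tunnel, split-tunnel or no VPN. The `ip -4 route show` samples, the interface names `tun0` and `wlan0`, and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed samples of `ip -4 route show` output (not from the article).
SPLIT = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
# Full tunnel built from two /1 routes: the default route still names wlan0,
# so checking only "default" would wrongly report a split tunnel.
FULL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
PROBES = ("8.8.8.8", "198.51.100.7")  # one address in each half of IPv4 space

def parse_routes(text):
    """Parse route lines into (network, device, metric) tuples."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or "dev" not in tok:
            continue  # blank line, or an entry with no outgoing interface
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # first token is not a destination prefix
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((net, tok[tok.index("dev") + 1], metric))
    return routes

def egress_device(routes, addr):
    """Longest-prefix match with lowest metric as tie-break."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def tunnel_mode(text, vpn_dev="tun0"):
    """Return 'no-vpn', 'split-tunnel' or 'full-tunnel' for a route table."""
    routes = parse_routes(text)
    if not any(dev == vpn_dev for _, dev, _ in routes):
        return "no-vpn"
    via_vpn = [egress_device(routes, p) == vpn_dev for p in PROBES]
    return "full-tunnel" if all(via_vpn) else "split-tunnel"
```

In the full-tunnel sample the home LAN route is still more specific than the VPN routes, so a printer at 192.168.1.50 stays reachable unless the VPN client blocks local traffic. The check covers IPv4 only; IPv6 routes need the same test against `ip -6 route show`.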
These and other questions were put to my team of security subject matter experts who joined me on a virtual stage for a special CTG Intelligence conference on remote business working during Covid-19. Their answers and shared insights may help you to prepare for the new ‘normal’ for as long as it lasts.
The panel comprised:
Richard Staynings, Chief Security Strategist at Cylera, out of Boulder, CO, USA
Page Jeffrey, Cyber Security Consultant at Trace3, out of Colorado Springs, CO, USA
Luke McOmie, CxO Advisor Offensive Security at Coalfire, out of Westminster, CO, USA
Steve Harrington, Managing Director at Masergy, out of London, UK
Tanya Walters, Independent Cyber Operations Advisor, out of Phoenix, AZ, USA
Anthony Dezilva, Dir. CxO Services, out of Scottsdale, AZ, USA