The future of work is remote, now security must follow
Home working has laid open organisations to attacks by opportunist cyber criminals, exploiting weakened security during the coronavirus pandemic
How strange that millions in isolation under lockdown could make the interconnected nature of our world felt so acutely. The response to the public health crisis is having a profound impact on reshaping the future of work, accelerating different approaches to communication and organisation. There's bound to be a tailwind of longer-term effects, and cloud, automation and artificial intelligence will be key for over-burdened IT teams to stay on top of them.
Most obviously, many of us work from home now. Businesses were forced to adapt to a digital-first model to remain operational and that's unlikely to go away. The UK's Department for Business, Energy and Industrial Strategy floated the possibility of a legal right to work from home; Germany is tabling legislation this autumn. Facebook expects more home working in the coming years and Twitter has said employees can work from home "forever" if they choose.
Consequences are already wide reaching, even bending previously held norms around time and space: Red Hat's chief security architect Mike Bursell asserts time zones "no longer exist". Box chief executive Aaron Levie agrees, saying that despite the highly stressful circumstances, the virtual mode of working does bring flexibility and agility, with employees able to collaborate quickly or engage with customers in any place at any hour. This was hardly impossible pre-coronavirus lockdown, but necessity has forced our hand.
More home working was always on the cards, says Richard Brinson, director of cyber security consultancy Savanti, but the speed and peculiar circumstances in which it happened has meant many companies racing to stand up infrastructure to enable safe and reliable home working at the eleventh hour. In some cases, this has exposed the weakness of business continuity plans.
Some firms aren't planning to reopen offices at all, already searching for lower outgoings when lockdown ends to cope with the economic fallout. It's not a case of if there will be changes to our post-COVID-19 working lives, or even when, Brinson adds. They're already being planned.
Digital first
The crisis has accelerated adoption of technologies that might have been on roadmaps, but organisations weren't ready for. Cloud adoption has soared to support remote working, opening a whole new can of worms and meaning security teams have to shoulder even greater pressures, ensuring organisations are operational and secure from a distance and with limited onsite access.
"A major issue when moving a lot more people to home working is companies still have a lot of on-premise or proprietary data centres, servers and systems that need to be accessed," says Brinson. "Either they have to open up holes in the firewall or dramatically increase the number of VPNs [virtual private networks] people are using."
The spike in home working is blowing apart notions of what enterprises look like. Rather than heavily-centralised IT, organisations must cope with large, disparate networks of devices. Brinson says that, given some businesses will be reducing headcount as a result of COVID-19 pressures, the potential for insider threats has increased. Unlike in normality, businesses may struggle to get their devices back without employing fleets of couriers.
"Everything we talked about for the past two decades is right back at the forefront," adds Levie. “BYOD [bring your own device], consumerisation of IT, video chat, cloud storage: these are the essentials of a remote-work strategy. The things we have taken for granted, some of the earliest innovation in the cloud, are obviously so fundamental."
Automate, automate, automate
Infosec professionals can easily find themselves trapped in Sisyphean games of whack-a-mole, locked into an unending arms race against attackers to stay on top of threats. With working norms overturned, that challenge intensifies. What might have been unusual network traffic no longer is, for example. Thankfully, smarter, machine learning-enabled tools can spot what traditional email security cannot.
There are also steps security professionals can take to help mitigate these threats. "Automate, automate, automate," advises Red Hat's Bursell. Security automation needn't be limited to businesses at the bleeding edge of technology. He says it "means having a process" and "making sure you can step through that easily without everything requiring 15 emails".
“Software has to have security built in by design; it can't be an afterthought”
"Design in the expertise, use the experts and apply their expertise at the right place," says Bursell. "Whether it's ensuring all laptops have disk encryption on – a basic, simple thing to do – it should be the bare minimum and you can automate that."
Brinson expects the growth of the zero-trust model, perhaps epitomised by Google's Beyondcorp implementation, that no network traffic is trusted until it's authenticated.
"We no longer have a castle with walls and a moat," he says, "because everybody's working from their houses. So treating people's identity as the thing that you have to secure, providing the right access to the right people at the right time, is what becomes the really important thing. It doesn't matter how they're accessing, it's a case of making sure it's the right person."
According to Levie, simplicity, usability and best-in-class software will be essential in tightening security across organisations, because employees are time limited for getting to grips with overly complex technologies.
"Software has to have security built in by design; it can't be an afterthought," he says. "It's got to be something that's baked in.”