The Covid-19 pandemic has affected businesses all over the world, leading many to adopt mass remote working, almost overnight. While some organizations were well-prepared for this shift, many had only experienced a small percentage of their staff work remotely at any time before. In fact, recent Leesman research of over 700,000 employees worldwide found that 52 per cent have little to no experience of working from home, and even of those who do, 83 percent typically do so for just one day a week, or less. As lockdowns ease and economies slowly begin to kickstart again, businesses are now looking at options for returning staff to the office safely and the question on many people’s lips is whether remote working is here to stay?
The answer to that question is not a straightforward one. There are a number of factors that businesses need to take into account to ensure successful future remote working. Unsurprisingly the dramatic shift that companies of all sizes have been confronted with has resulted in a host of challenges for IT teams. A major issue has been and continues to be around security, with issues arising around data access control, VPN security, and fast changes to infrastructure. The challenge is a two-pronged one that involves managing existing threats, which are now intensified by a far-reaching shift to remote working, as well as protecting employees and systems from an increased cyber threat as cybercriminals look to exploit the magnified uncertainty caused by the pandemic.
It’s important that businesses tackle these security-related issues now, not only to efficiently navigate the current landscape, but also to future-proof their organization for what will no doubt become a lasting change to the way we work in the longer-term.
The lack of preparedness that is clear amongst most organizations may leave them unprotected in a number of areas. First and foremost is from a device management perspective given the newly created endpoint network that is significantly dispersed. Businesses that have not heeded the calls of security experts in recent years and have not implemented multi-factor authentication capabilities will be vulnerable to brute force tactics such as password reuse attacks. More critically though, an outdated mentality which sees security as ‘behind the firewall, or not’ will result in insufficient controls when it comes to managing the unprecedented blend of BYOD and managed devices that make up a remote workforce.
A multi-pronged approach
There are a number of steps that companies should consider to reduce the potential threat, and a multi-pronged approach is the best strategy. IT teams should ensure that comprehensive monitoring tools are put into place given that home networks are now essentially an extension of the office. In addition, they should also offer staff ongoing training and advice in relation to securing their own home networks. This new environment has put some cybersecurity in the hands of remote employees, so they need to be prepared to protect themselves and the organization.
Further to this, security needs to be extended to the device level. This means utilizing both hardware-based tools, as well as enabling software updates which can be easily implemented and scaled across all end-points. For example, Ubuntu Desktop allows users to facilitate unattended upgrades and Livepatch to protect endpoints from emerging threats, without any need for IT intervention. Using a corporate proxy server or VPN can also help to protect and monitor the newly extended network, while users can also enable low cost DNS filtering services like OpenDNS to prevent access to harmful sites.
VPNs: increased security not without risk
VPNs have unsurprisingly seen increased popularity in the current climate as they offer secure remote access for employees. According to a recent report, since March the UK has experienced a 48 per cent increase in the use of business VPNs, whilst globally this has increased by an astonishing 165%. Beyond standard functionalities such as authenticating users and providing layered access control, VPNs can be configured to use full tunneling for more substantial enterprise protection. Examples of this include the ability to harness corporate network filtering such as Intrusion Detection and Protection Systems (IDS/IPS), in addition to other situational awareness protocols like NetFlow to collect and analyze network traffic. However, with such an increase in VPN deployment and in such a short space of time as we’ve seen in recent months, there is more chance of an error occurring during network segmentation, which could unexpectedly expose company resources to a wider scope than anticipated.
Considerations for the cloud
Ongoing adoption of cloud-based products and services also poses a further area for concern in relation to security., Businesses making this shift to the cloud need to deliberate on how they secure their own services and data. Many assume that the cloud provider manages this for them, which is not necessarily the case and depends on the service. With this in mind, the same due diligence is needed when choosing a cloud platform as they would use when deploying their own infrastructure. Alternatively, companies can turn to a managed services approach, ensuring the underlying complexities of their cloud infrastructure and applications - in terms of maintenance, security and scalability - are run by a trusted partner, which means their IT teams can focus on other primacies, especially during these unprecedented times.
Ultimately, an after-effect of this pandemic will be that it illustrates a potential new future world of work, a future where remote working is the norm and people and organizations can continue working effectively, regardless of their location. Even for those who were perhaps reluctant to adopt a remote strategy before, these unprecedented times have shown that homeworking can be a successful part of their wider business strategy. As remote working becomes more universal, the explosion of cloud resources and VPN services will continue and new access control measures will be needed. For IT teams, this poses new associated security risks to overcome, in order to not only navigate the now but also the future of their business longer-term.
Joe McManus, director of security, Canonical