For many members of IT teams and other office workers, ‘going to work’ now means being at home. Although today’s pandemic may not have sounded the death knell of the traditional nine-to-five office-based work environment, the changes it has forced will have an impact long after this crisis has passed. There is no end date for this lockdown, and with the prospect of further lockdowns and disruption, we all need to make the best of the situation we find ourselves in.
For some employers, seeing that their people can work well remotely has been a welcome surprise, while for others, the negatives of home working are to some extent balanced by lower overheads, a positive environmental impact and a potentially happier workforce.
However, the wholesale move away from the office has been difficult for organisations where security concerns, distrust of employees or the difficulty of establishing IT processes to support a normally office-based workforce has, in the past, made large-scale home working almost unimaginable.
Shifting hundreds of millions of workers around the globe to work from home is hampering productivity for many, and there is an urgent need for IT teams and IT service providers to make working in this new way as efficient as possible.
Corporate IT policies and practices designed for office-based working don’t always translate well to the home environment, and IT teams need to be more agile, responsive and cross-functional in this fast-moving crisis. Workers are finding ways to continue delivering their workload, and if IT teams don’t safely scale these new practices, they may ultimately prevent or slow the productivity improvements they are being pressed to deliver.
At OGL Computer, we conducted a survey of UK SMEs four months ago, and found 94% already seeing a growth in the number of remote workers, 50% already using technology to enable remote working and 34% planning to adopt it. The pandemic has accelerated this adoption trend, and is certainly revealing a number of uncomfortable truths around business continuity, security, disadvantages of on-premise focused operating models and lack of flexibility.
Business continuity is imperative
Businesses tend to fall into three camps for business continuity:
· The Veterans: those that have learned the lessons of a natural or man-made disaster
· The Prepared: businesses that have prepared plans but never had to use them in anger
· The Optimists: those that have a more laissez-faire approach to business continuity readiness.
While delivering an existing business continuity plan is critical, IT teams should recognise the need to test plans against multiple scenarios through a sound, risk-based approach, and that business continuity is key to getting employees up and running quickly.
Even the most prepared have probably not planned for a pandemic, which differs in many ways to a traditional disaster. Its geographical scope is wider, it can last many months and unlike other scenarios, people are a major risk factor, so performance can be impacted. There are incidents (such as major environmental events, or terrorist attacks) that could create similar impacts, but not for the duration and global impact that we are seeing today.
Infrastructure and all aspects of important business services, from incident response to servers, should have been tested to simulate sudden high-demand situations. In terms of the response today, the scale is huge. We are seeing customers upgrading firewalls, from a handful of VPN users to 100+. From mid-March 2020, many companies and organisations had to mobilise their IT function very quickly; this was relatively easy for smaller to mid-sized companies, but large companies had a huge task. In mid-March, the scarcity of hardware in the IT channel posed a difficult challenge for IT managers anxiously looking to source hundreds of laptops.
The long-term security challenges
A long-term pivot to remote working presents a significant security challenge. The current change in working practices offers opportunities for criminals to profit. This is borne out by a 667% increase in phishing attacks in March compared to the previous month, and the Home Secretary revealing that fraudsters have used the crisis to con Britons out of £1.8 million so far.
With working from home comes a collective responsibility for security. A ‘secure working from home guide’ should be issued to all employees, with clear procedures for protecting business data and reporting suspected attacks.
Aside from deploying best practice technologies, it is also vital to maintain clear business visibility on data management. In an ideal scenario, employees should use encrypted work-only equipment and 2FA, rather than simple password protection. However, many employees may be using their own devices. There needs to be an element of back-to-basics, with multi-factor security and a requirement for all home machines to be up to date with the latest software and security patches, and anti-virus, whether from market leaders such as Kaspersky or VMware Carbon Black, or in-built products such as Microsoft Windows Defender on Windows 10.
While geography has changed, endpoint security is still the same, so a robust VPN and robust deployment processes will ensure corporate settings are secure and correct. Companies, for example, simply should not be deploying hundreds of new Outlook Web Access servers without 2FA or geo-fencing.
Security vendors are coming to the rescue by providing free (time-limited) access to their solutions; for example, Kaspersky has made its core endpoint security products free for medical organisations, and WatchGuard is helping businesses to manage the surge of VPN traffic.
Services like Zoom, apps like Houseparty, and children learning from home are potentially huge threats to the IT environment, and decentralisation is also causing challenges. The full risks of security breaches due to the use of new web services are unknown, so encrypted services should be used where possible. IT teams using threat intelligence services or working with managed security service providers (MSSPs) will receive regular updates listing malware and ransomware scams targeting employees, but be aware that hackers will be hunting down zero-day security vulnerabilities and may exploit them later in a kind of sleeper attack that is almost impossible to detect in advance.
We also shouldn’t forget GDPR and protecting customer information. With malware and data breaches, potentially insecure Wi-Fi, and company devices mixed with private devices, some customer data may not be stored in a compliant manner, so GDPR protocols need to be adhered to.
Routers on home networks generally don’t have the same security features as corporate firewalls and may expose devices on the home network to the Internet via Plug and Play technologies. Historically, some brands of home routers have also had serious security vulnerabilities or have exposed a login page that uses default manufacturer credentials. Working with users, it should be possible to identify any such devices that present a substantial risk.
Patterns of what is classed as normal behaviour will have changed as more employees work remotely. Wherever possible, IT teams should monitor activity and look for suspicious patterns of behaviour; for example, if your users are all UK based, look for remote access connections originating from outside of the UK. A security information and event management (SIEM) system can help to spot unusual patterns of behaviour.
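The out-of-country check described above, as an added example that is not part of the original article. The log format, the geo-enriched `country` field, the user names and the travel exception list are all assumptions constructed for illustration; in practice the SIEM or firewall would supply the enrichment.

```python
import re
from collections import defaultdict

ALLOWED_COUNTRIES = {"GB"}              # every user is expected to be UK based
TRAVEL_EXCEPTIONS = {"cpatel": {"FR"}}  # hypothetical approved exceptions

# Constructed sample events; format and geo-enriched country field are assumptions.
SAMPLE_LOG = """\
2020-04-06T08:01:12Z vpn-gw1 event=login result=success user=asmith src=203.0.113.10 country=GB
2020-04-06T08:03:40Z vpn-gw1 event=login result=success user=bjones src=203.0.113.54 country=GB
2020-04-06T02:14:05Z vpn-gw1 event=login result=failure user=asmith src=192.0.2.77 country=US
2020-04-06T02:14:31Z vpn-gw1 event=login result=failure user=asmith src=192.0.2.77 country=US
2020-04-06T02:15:02Z vpn-gw1 event=login result=success user=asmith src=192.0.2.77 country=US
2020-04-06T09:20:00Z vpn-gw1 event=login result=success user=cpatel src=192.0.2.140 country=FR
2020-04-06T11:42:18Z vpn-gw1 event=login result=success user=dlee src=198.51.100.200 country=DE
garbage line that does not parse
"""

KV = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"event", "result", "user", "src", "country"}

def parse_line(line):
    """Return the fields of a login event, or None for anything else."""
    parts = line.split(None, 2)
    fields = dict(KV.findall(parts[2])) if len(parts) == 3 else {}
    if not REQUIRED <= fields.keys() or fields["event"] != "login":
        return None
    return fields if fields["result"] in ("success", "failure") else None

def foreign_logins(log_text, allowed=ALLOWED_COUNTRIES, exceptions=TRAVEL_EXCEPTIONS):
    """Summarise logins from outside the allowed countries per (user, country)."""
    groups = defaultdict(lambda: {"success": 0, "failure": 0, "sources": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["country"] in allowed:
            continue
        if ev["country"] in exceptions.get(ev["user"], set()):
            continue  # approved travel, not an alert
        group = groups[(ev["user"], ev["country"])]
        group[ev["result"]] += 1
        group["sources"].add(ev["src"])
    findings = []
    for (user, country), g in sorted(groups.items()):
        # Failures plus a success from abroad is the most urgent case to triage.
        severity = "high" if g["success"] and g["failure"] else "medium" if g["success"] else "low"
        findings.append({"user": user, "country": country, "severity": severity,
                         "successes": g["success"], "failures": g["failure"],
                         "sources": sorted(g["sources"])})
    return findings
```

Calling `foreign_logins(SAMPLE_LOG)` returns one high-severity finding for `asmith` (two failures followed by a success from the same non-UK source) and one medium finding for `dlee`; the approved exception for `cpatel` is suppressed.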
Sudden growth in cloud-first
This pandemic is potentially the largest ever pressure test on cloud apps, with the load on services from most cloud and major SaaS vendors exploding. The cloud is supporting video conferencing, remote project collaboration, e-commerce, education, gaming and streaming in a way that would have been impossible a decade ago.
Those with a fully managed cloud infrastructure are finding it easier to move the business into a remote working environment that has business continuity built in. Cloud-first businesses are scalable, with little or no significant capital expenditure, reducing IT management costs, whilst automating updates and easily supporting employees working from home. Cloud telephony systems are also supporting communications by replicating corporate PBXs.
Much of this increased activity is already visible. Among the market leaders in encrypted video conferencing, Microsoft signed up twelve million new Teams users in the week commencing 23 March 2020 alone, and Cisco’s video-conferencing app Webex registered a record 324 million attendees in the same month. Challengers like Zoom have seen growth; Zoom’s share price has surged five-fold since going public in April last year, but the company has faced a backlash from users worried about the lack of full encryption of sessions (though it is now offering AES 256 encryption on all meetings), and zoombombing, where uninvited guests crash meetings.
Gearing up for the future
Many businesses will already be familiar with elements of Microsoft’s Office 365. By building on top of the usual desktop suite of Word, Excel and PowerPoint, and beginning to take advantage of powerful collaboration tools such as SharePoint and Teams, businesses will not only avoid the need for multiple tools from different vendors, but also simplify data security and policy enforcement.
There will be an increase in data security, email security and web security requirements to combat threats such as ransomware. Here a hybrid support model could be useful, with outsourced security providers managing ongoing activity, like Incident Response monitoring, enabling in-house IT teams to focus on adding value.
Short-term escalation of edge security is necessary to manage the enormous rise in employees accessing critical data through consumer-level networking. It will be a challenge though, with many companies calling on MSSPs to ask how they build out VPN services quickly. Many don’t have biometrics or alternative measures in place for 2FA, or hardened enterprise-class security on the edge. Putting those policies and practices in place can take time, but is necessary for the current crisis and any future pandemics.
The change in the way we work may never fully rebound, so this is the time to ensure robust business continuity planning, secure remote working and the adoption of a cloud-first business model.