As I talk to security leaders, whether that means CISOs, Chief Risk Officers (CROs), or Data Protection Officers (DPOs), it’s clear that many companies are tracking against a similar journey as they adapt to a new way of working. Ultimately, success often depends on partnership and strong ties with other key leaders in their organization, especially the CIO or CTO. If we consider last week as the starting point in the timeline, here’s what company security and IT infrastructure leaders are working through
Week One – A network-centric and communications medium focus
Our customers who had a business continuity plan to rely on started there. At this stage in the journey, customers focused on enabling remote workers and on scaling Internet access and VPN capacity to accommodate large groups of remote users. Next, they started to dive into access-to-application capacity testing as well as making access rules more granular (for example at a country, departmental or when possible, at the application level) to make sure NGFWs and VPN access scaled to meet overall business needs while managing security exposure. This first part was about ensuring enough bandwidth to support a massive wave of remote workers in short order. Next was making sure to enable collaboration at scale, by operating in near-real time when it comes to e-mail, instant messaging and file sharing, with a good user experience when it comes to audio and video conferencing.
Week Two (the current week we’re in) – Focused on application access
For many customers, this week is consumed by ensuring access to both legacy and cloud apps at an extended level. And this includes getting a handle on the SaaS applications that have been activated to address bottlenecks or gaps identified during week one. It’s about making sure business runs smoothly across the company and the friction can be reduced as much as possible. This may mean rolling out broader remote access to a larger number of workers who need to access legacy apps through a VPN. It may also mean making existing cloud apps available to larger groups of employees, or rolling out a video conference solution from select departments to the whole company, or maybe wider access to collaboration apps. There’s a sense of urgency to ensure all employees have access to the tools that help them get work done remotely and adjusting to the local “office” constraints, e.g. the capped bandwidth limits at home or the shared use of computers in some cases.
There’s a risk on this front I’m warning customers about: the sense of urgency also extends to remote workers. They are eager to get access to the apps they need to be effective, which sometimes means creating accounts to access free or premium versions of cloud apps, i.e. shadow IT making a comeback. Also, in times like these, where employees might be setting up apps, they may fall victim to sophisticated phishing attacks that look remarkably like the legitimate setup processes they’re trying to work through. End result, security teams should expect increases in phishing attacks meant to hijack employee credentials. It’s a good time to remind employees of this reality to help them be better prepared.
Week Three – Time to fine tune, focus on data and a first “lessons learned” review
Next week, as companies start shifting from a critical operations business continuity mindset to one that is more business-as-usual -one that is likely to last-they will most likely focus more time and energy around fine-tuning and making access to networks and applications more granular, as well as reviewing their security posture to include their data protection needs. It’s a given that most companies leveraged the cloud to help scale over the past few weeks.
In week three, I also expect some customers to focus on data protection. As more employees access cloud apps and want to overcome bandwidth limitations by storing data locally, there will be a greater need to get a handle on how to secure the workarounds: employees using personal cloud storage solutions to store work-related files if they didn’t have access to the corporate editions, or employees emailing work-related files via their personal free email accounts to circumvent file size limitations. In many cases, that means researching data loss prevention (DLP) solutions as well as how cloud access security broker (CASB) solutions could help with their brand new or expanded and distributed hybrid IT system.
Beyond technology, this is a time to assess lessons learned from invoking business continuity to better understand what to transfer to “business-as-usual” operations in order for the business to move ahead. As an example, at Forcepoint we analyzed data gathered during our remote work tests from a couple weeks ago (we shut offices two consecutive days pre-lockdown to test work-from-home at scale) to assess where we need to put more resources, validate processes and identify gaps early – as a leadership team. It’s also showing us which areas of the business are experiencing little to no impact. Understanding this data also tells us where we need to revise our business continuity plan or if our plan is working as designed.
Some companies don’t have a complete business continuity plan in place or they may need to update the one they have. As this becomes the new way of working for the foreseeable future, this is a foundational aspect of keeping a business operational. Additionally, good business continuity plans can also help mitigate negative long-term impacts to business.