A recap of a fireside conversation between security experts
COVID-19 has changed the work landscape dramatically in 2020. Although remote working has been trending for years now, the pandemic caused some companies to go mostly or fully remote almost overnight. This change has, in turn, affected how businesses handle and think about security in a world where workforces and devices are no longer physically in an environment that’s controlled by companies.
Last month, our CEO Tony Huie moderated an engaging conversation in which a small group of security experts shared their experiences and insights about the move to an all-remote working environment. Headlining the panel were two very interesting guests: Selim Aissi, SVP & CISO of Ellie Mae, a company that processes more than a third of all U.S. mortgage applications, and Bryan Wise, VP & Head of IT of Gitlab, the world’s largest all-remote company.
A recording of the event is at the bottom of this post, but here are some key takeaways and insights from the discussion:
1. COVID-19 has increased the overall security threat level.
Remote workers are no longer in an environment that’s controlled or directly secured by companies. Instead, they work from varied environments that are generally more exposed. For example, a home Wi-Fi network left with a weak or default configuration can be attacked by anyone within radio range (so-called “drive-by” attacks).
Responsibility for security now falls more on the shoulders of workers, who have a lot of other things on their mind these days. Moreover, one participant noted that they were seeing an increased level of malicious online activity since the onset of remote work, possibly due to COVID-19 resulting in more people being at home with more time on their hands.
The increased level of vulnerability, combined with the increased incidence of threats, makes it more urgent for companies to rethink how they approach security.
2. Transition from being reactive to proactive, and plan ahead for different remote work scenarios.
The unanimous opinion was that proactive preparedness activities are key to staying ahead of the challenges and threats that come with a remote workforce. While COVID-19 caught almost everyone by surprise and shifted companies into a reactive posture, the companies that recovered the quickest tended to be those who had been more proactive in their planning.
Tabletop exercises, simulated disasters, and external penetration testing are good ways to identify gaps or deficiencies that need more attention. Such exercises also help companies figure out what “knobs you can turn” to react when situations change. For example, teams should think about how they would scale infrastructure if the number of people working from home increases significantly (or if infrastructure is lost). Considerations include buying spare capacity and even transitioning away from hub-and-spoke network architectures (such as VPN concentrators) that may be more brittle under load.
As companies start to come to grips with remote working, they are now also starting to shift to a more proactive mindset. It’s not too late to start thinking ahead.
3. The zero trust model has become essential because remote working is here to stay.
COVID-19 has caused a fundamental change in how companies work. While some people will eventually return to the office, remote working will be normal rather than exceptional. Being remote means being in an environment out of companies’ control. This means, as one participant put it, that the traditional corporate network perimeter is “dying.”
Devices and people are the new perimeter, and the internet cafe is the new office: treat it as nothing more than a source of unsecured internet connectivity for workers, and build up your security architecture from there. If you assume that the network is hostile, security has to be pushed out to endpoints and to the identity of the user, and the zero trust network access model is not only the right model for companies to upgrade to; companies will eventually be “forced” to adopt it if they want to be secure.
4. Monitoring is critical, but do it thoughtfully.
Lack of control and physical access to workers’ environments also means that IT teams have less visibility into what their workforce is doing. Therefore, data collection and monitoring become even more important. However, this needs to be tempered by privacy concerns (and compliance with privacy law, which varies by country) relating to over-collection of data or collection of irrelevant data. There’s also the practical consideration of collecting more data than can reasonably be analyzed. Businesses should identify which data is the most important to collect (what actually matters), and set alerts for unusual patterns. To build trust with the workforce, be very transparent about what data is being collected, and even show employees what data has been collected from them.
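As an added illustration of that last point (this is not code from the panel or from Twingate), the script below keeps only the fields the detection rules actually use and raises alerts on three patterns that matter for remote access: a sign-in from a device not in the user's baseline, two successful sign-ins from different countries too close together to be plausible travel, and a burst of failed sign-ins. The log lines, the device baseline, and the thresholds are all constructed for the example.

```python
"""Minimal remote-access monitoring: collect what matters, alert on unusual patterns.

Added example; the log lines, baseline, thresholds and field names are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Only these fields are retained from each raw event. Everything else (URLs,
# user agents, hostnames) is dropped at ingest so it is never stored at all.
KEEP_FIELDS = ("ts", "user", "device", "country", "success")

IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)   # two countries closer than this is suspicious
FAILURE_WINDOW = timedelta(minutes=10)
FAILURE_THRESHOLD = 5

# Constructed baseline: devices each user enrolled with (assumed to come from the
# device-enrollment system in a real deployment).
KNOWN_DEVICES = {"alice": {"laptop-a1"}, "bob": {"laptop-b2"}, "carol": {"laptop-c3"}}

# Constructed sample log lines (JSON per line), including fields we do not want to keep.
SAMPLE_LOGS = [
    json.dumps({"ts": "2020-05-04T09:00:00", "user": "alice", "device": "laptop-a1",
                "country": "US", "success": True,
                "url": "/payroll/statement?employee=alice", "user_agent": "Mozilla/5.0"}),
    json.dumps({"ts": "2020-05-04T10:15:00", "user": "alice", "device": "laptop-a1",
                "country": "DE", "success": True, "url": "/payroll/"}),
    json.dumps({"ts": "2020-05-04T09:30:00", "user": "bob", "device": "phone-b9",
                "country": "US", "success": True, "hostname": "bobs-iphone"}),
] + [
    json.dumps({"ts": f"2020-05-04T11:0{m}:00", "user": "carol", "device": "laptop-c3",
                "country": "US", "success": False, "url": "/login"})
    for m in range(6)
]


def minimize(raw):
    """Keep only the fields the detection rules use; parse the timestamp."""
    event = {key: raw[key] for key in KEEP_FIELDS}
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def parse_logs(lines):
    """Parse JSON log lines into minimized events, oldest first."""
    events = [minimize(json.loads(line)) for line in lines if line.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, known_devices):
    """Return a list of (rule, user, detail) alerts for the given events."""
    alerts = []
    seen = {user: set(devices) for user, devices in known_devices.items()}
    last_success = {}                 # user -> (timestamp, country) of last successful sign-in
    failures = defaultdict(deque)     # user -> timestamps of recent failures

    for ev in events:
        user = ev["user"]
        # Rule 1: device never seen for this user. Record it so we alert once, not on every event.
        if ev["device"] not in seen.setdefault(user, set()):
            alerts.append(("new_device", user, ev["device"]))
            seen[user].add(ev["device"])

        if ev["success"]:
            # Rule 2: successful sign-ins from two countries inside the travel window.
            prev = last_success.get(user)
            if prev and prev[1] != ev["country"] and ev["ts"] - prev[0] < IMPOSSIBLE_TRAVEL_WINDOW:
                alerts.append(("impossible_travel", user, f"{prev[1]}->{ev['country']}"))
            last_success[user] = (ev["ts"], ev["country"])
        else:
            # Rule 3: sliding window of failures; alert exactly when the threshold is reached.
            window = failures[user]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > FAILURE_WINDOW:
                window.popleft()
            if len(window) == FAILURE_THRESHOLD:
                minutes = FAILURE_WINDOW.seconds // 60
                alerts.append(("failure_burst", user, f"{FAILURE_THRESHOLD} failures within {minutes} min"))
    return alerts


def run_example():
    """Run the rules over the constructed logs and baseline."""
    return detect(parse_logs(SAMPLE_LOGS), KNOWN_DEVICES)


if __name__ == "__main__":
    for rule, user, detail in run_example():
        print(f"{rule:<18} {user:<8} {detail}")
```

The point of `KEEP_FIELDS` is that the privacy decision is made once, at ingest, rather than left to whoever later queries the data; showing employees the output of `minimize` is a concrete way to be transparent about what is retained. The three rules are deliberately narrow so that every alert is something an analyst would actually look at.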
5. Don’t forget about endpoint security.
Remote access security and endpoint security go hand in hand, and businesses should focus on both. With all your employees working from home, the reality is that your employees’ devices are now the edge of your network. All the participants described needing to rethink their security programs to account for this dynamic, which may mean education, new tools, new processes, and so on.
6. Use the pandemic to increase security awareness.
While providing basic security education and guidelines is the domain of an information security team, security is the business of everyone in a company. COVID-19 is actually a great catalyst for building security awareness in companies. Try rolling out initiatives that encourage team members to drive cultural awareness throughout the organization (e.g. Ellie Mae has a cyber champion program that awards trophies that are now highly sought after).
7. Workforce health impacts security.
When working from home, people’s personal and professional lives blur together in a single environment. Particularly during the COVID-19 pandemic, the stressors of life can create distraction, fatigue, and inattention, which in turn create additional security risks. Ensuring that the mental and physical health of team members is taken care of can actually improve an organization’s security posture, and anything that simplifies employees’ lives helps here too.
Watch the event
Click here to watch the entire event, or jump directly to a section of interest:
- 4:15 Remote working horror stories
- 11:10 Impact of COVID-19 on remote working at Gitlab
- 17:00 Employee fatigue and relation to security risk
- 19:45 Challenges of working from home during COVID-19
- 21:50 Responding to COVID-19 and remote work becoming the norm
- 26:00 Transitioning to zero trust
- 28:45 Remote work readiness and risk management at AuditBoard
- 31:35 Experience and challenges of going all remote at Compeat
- 35:50 COVID as a catalyst for building security awareness
- 41:10 Visibility, data collection, monitoring, and privacy
- 47:00 Managing the transition away from a corporate network perimeter
- 50:10 From reactive to proactive: what's the focus going forward?
- 55:55 Where does Twingate fit in?
If you’re interested in learning how Twingate can help your organization to efficiently transition to a more secure, simple, and maintainable zero trust solution for remote access, schedule a call with us today. Twingate provides easily configurable, granular access and visibility over the whole enterprise network, and simplifies security for administrators and end users alike.