The outbreak of the COVID-19 pandemic resulted in lockdown measures imposed to contain the spread of the virus, including a freeze on commuting to the office to work in person for almost everyone except essential workers. This posed a challenge to many organizations that had not anticipated the risk of remote work in their business continuity plans. Enterprises that already allowed employees to work from home (WFH), such as IT organizations, had an easier time adjusting than those that had not. Other organizations, such as those in the manufacturing, logistics and trade industries, suffered: because their services require a physical presence, working from home was not an option for their employees.
Even IT enterprises and service providers that already allowed some employees to work remotely on at least a semi-permanent basis never anticipated all employees working from home at all times.
As such, they have faced the following challenges:
- Organizations were unable to obtain reliable virtual private network (VPN) connections through their service providers, as the providers' infrastructure could not handle the additional VPN load.
- Service providers were themselves impacted by the lockdown, and demand far exceeded their supply estimates.
- Organizations that had not anticipated requiring employees to use their own devices were forced to allow them to do so. However, many employee-owned devices fell short of the organization's security requirements.
- Certain organizations were forced to ship desktops to employees' homes to enable them to work.
- Employees either did not have broadband connections or were not able to procure them on short notice. Moreover, the connections of employees who did have them did not meet the organization's security requirements.
- A sudden surge in broadband use left service providers unable to cater to the additional demand, causing network issues such as frequent disconnections or latency.
- A lack of security awareness created scenarios in which family members were able to shoulder-surf the information employees were accessing. Instances were reported in which employees' spouses worked for competitors.
- Chief information security officers (CISOs) were left to deal with security incidents with only limited resources at their disposal.
- COVID-themed attacks that reused older techniques surged, targeting employees.
It is not humanly possible to exhaust all alternatives when planning for business continuity. There is a need to find a balance between available services and security.
Based on discussions with chief information officers (CIOs) and CISOs, the following are a few tips that can be considered as part of aligning objectives to security requirements:
- Utilize only secure access mechanisms for remote access, such as Secure Sockets Layer (SSL) VPN, a secure Remote Desktop Protocol (RDP) gateway, thin client access and others.
- Implement strong password policies and two-factor authentication (2FA) for all remote access, including access for administrative purposes.
- Review any exceptions to password policies, policy bypasses and nonstandard access.
- Review bring-your-own-device (BYOD) policies and enforce compliance of BYOD devices with patching and malware-signature requirements.
- Implement geo-restrictions and login velocity restrictions wherever possible.
- Prevent multiple sessions and reuse of tokens wherever possible.
- Enforce privileged identity management solutions for remote administrative access.
- Plan for long-term WFH strategies.
- Revise security awareness training to include the security of home infrastructure and increase the frequency of such training.
- Address employee queries as quickly as possible.
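Three of the tips above (geo-restrictions, login velocity restrictions and preventing token reuse) can be checked mechanically against remote-access login records. The following is an added example, not code from the article: it evaluates a constructed set of VPN/RDP-gateway login events, and the log format, country allowlist and thresholds are assumptions chosen for illustration.

```python
"""Flag remote-access logins that violate geo, velocity or token-reuse rules.
Added illustration; the record format, thresholds and sample events are
constructed assumptions, not taken from the article."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of remote-access login records (ISO 8601 timestamps).
SAMPLE_EVENTS = [
    {"user": "alice", "time": "2020-04-06T09:00:00", "country": "IN", "token": "t1"},
    {"user": "alice", "time": "2020-04-06T09:00:20", "country": "IN", "token": "t2"},
    {"user": "alice", "time": "2020-04-06T09:00:40", "country": "IN", "token": "t3"},
    {"user": "alice", "time": "2020-04-06T09:01:00", "country": "IN", "token": "t4"},
    {"user": "bob",   "time": "2020-04-06T09:05:00", "country": "XX", "token": "t5"},
    {"user": "carol", "time": "2020-04-06T10:00:00", "country": "IN", "token": "t6"},
    {"user": "carol", "time": "2020-04-06T10:30:00", "country": "IN", "token": "t6"},
]


def evaluate_logins(events, allowed_countries, max_logins=3,
                    window=timedelta(minutes=1)):
    """Return (user, rule) alerts in chronological order."""
    alerts = []
    recent = defaultdict(deque)  # user -> login timestamps inside the window
    seen_tokens = set()          # session tokens that have already authenticated
    for ev in sorted(events, key=lambda e: e["time"]):
        user, ts = ev["user"], datetime.fromisoformat(ev["time"])
        # Geo-restriction: only approved countries may log in remotely.
        if ev["country"] not in allowed_countries:
            alerts.append((user, "geo_restriction"))
        # Login velocity: more than max_logins per user inside the window.
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_logins:
            alerts.append((user, "login_velocity"))
        # Token reuse: a session token must never authenticate a second time.
        if ev["token"] in seen_tokens:
            alerts.append((user, "token_reuse"))
        seen_tokens.add(ev["token"])
    return alerts


if __name__ == "__main__":
    for user, rule in evaluate_logins(SAMPLE_EVENTS, {"IN"}):
        print(f"{user}: {rule}")
```

In practice the allowlist and thresholds would come from policy, and alerts would feed the access gateway or SIEM rather than stdout.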
In the first 3 months since lockdown measures were implemented, many IT organizations decided to vacate leases for their physical offices and adopt a permanent WFH approach. Perhaps that will be the new normal for IT services in a post-pandemic world.
Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.