While many companies indeed had a business continuity plan in place when the COVID-19 pandemic began wreaking havoc, it likely did not account for the potential need to support a fully remote workforce. As a result, many organizations were unprepared for the sudden rush of “shelter in place” orders issued by governments around the world.
Many organizations experienced some technological challenges associated with a fully remote workforce, such as capacity issues with virtual private networks (VPNs), but most were able to continue doing business during the crisis. However, the ability to continue operating and to do so securely are not necessarily the same thing.
Remote work introduces security risks that do not exist with a fully on-site workforce. Additionally, many organizations are operating with antiquated security models that do not properly address these risks. A shift to zero trust security is essential to supporting secure telework at scale.
COVID-19 Demonstrated Business Continuity Flaws
Prior to COVID-19, many organizations had business continuity plans that were driven by regulatory compliance requirements, internal business needs, or both. By creating strategies to handle disaster situations, organizations could prioritize strategic investments and create processes to ensure that the business could continue to operate during a crisis.
The COVID-19 pandemic demonstrated to many organizations that their existing business continuity plans were inadequate. Few companies anticipated the possibility that national and global economies would be essentially put on hold and that “non-essential” businesses would either be forced to operate with a mostly or fully remote workforce or to shut down entirely.
This rapid shift to telework caught many organizations unprepared. They lacked sufficient laptop computers to enable all employees to work from home on a company-owned device, and existing network infrastructure was incapable of supporting the massive surge in VPN connections from remote workers.
Remote Work Introduces New Cyber Risks
The technological problems experienced by organizations suddenly trying to support a remote workforce also created security problems. Working remotely carries its own security risks, and employees and organizations who are unprepared to do so securely create even more.
One example of the increased cyber risks associated with remote workers is their exposure to malware. When working remotely, employees may not be connecting to the Internet via the corporate VPN, which routes all traffic through the company firewall. As a result, these employees are more likely to become infected by malware than if they were working on-site.
This issue is only exacerbated when employees are working remotely from untrusted devices. Company-owned devices may have the corporate antivirus and antimalware solution installed and comply with the company patch policy. However, the same cannot be said of employees’ personal devices that are used for telework and to connect to the corporate network during a crisis. The increased risk of malware and other cyber threats associated with remote work puts the organization’s network and sensitive data at risk. However, organizations transitioning suddenly to telework due to a crisis may have no choice but to allow employees to work remotely from untrusted, potentially infected machines.
Most Organizations Are Not Prepared for Secure Telework
When transitioning to support for remote work, regardless of the reason, an organization must have a strategy for ensuring that employees can work from home securely. However, for the majority of organizations, this is not the case.
Many organizations still operate under a perimeter-based security model. Under this model, the organization deploys an array of security solutions at the network perimeter and attempts to detect and block any malicious content from entering the network boundary. If the organization can successfully accomplish this (and has no malicious or rogue employees), it can assume that everyone inside the network is “trusted” and all threats come from outside the network. This simplifies internal security since there is no need to protect company assets and data from “trusted” internal users.
While this model has many flaws, one of the biggest is the assumption that everyone with legitimate access to the network is trusted. Remote workers, while “trusted employees”, may be connecting from untrusted devices from outside the network. If an employee’s computer is infected with malware, it could be used as a stepping stone to attack the rest of the network.
Zero Trust Is Essential for Secure Telework
The flaws with the perimeter-based security model have inspired a push towards implementing “zero trust” security. Under the zero trust security model, no one is automatically trusted, regardless of their location within the network. Instead, access to every resource within the corporate network is individually controlled. Once a user has authenticated, the permissions associated with their account are compared with the access controls on any resource that they request. Only if they have authorization are they permitted access.
This security model is ideally suited to minimizing the security risks associated with telework. Remote workers must prove their identity, which reduces the probability of a lost or stolen device being used to access the company network, and are restricted to data that they need for their jobs, decreasing the impact of a potential breach.
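The difference between the two models can be made concrete with a small policy sketch. This is an added example, not from the original article: it compares what a single remote session can reach when trust comes from network location (the perimeter model) with what it can reach when every request is checked against the user's identity and the resource's access controls (zero trust). The network range, users, roles and resource names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional, Set

# Constructed sample data: ranges, users and resources are hypothetical.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # office LAN plus the VPN address pool
RESOURCE_ACL = {                              # resource -> roles authorized to access it
    "payroll-db": {"finance"},
    "source-repo": {"engineering"},
    "hr-records": {"hr"},
    "wiki": {"finance", "engineering", "hr"},
}
USER_ROLES = {"alice": {"engineering"}, "bob": {"finance"}}


@dataclass(frozen=True)
class Request:
    source_ip: str
    user: Optional[str]   # None means the request carries no authenticated identity
    resource: str


def perimeter_allows(req: Request) -> bool:
    """Perimeter model: anything originating inside the boundary is trusted."""
    return any(ip_address(req.source_ip) in net for net in INTERNAL_NETS)


def zero_trust_allows(req: Request) -> bool:
    """Zero trust: location is ignored; identity and per-resource authorization decide."""
    if req.user is None or req.user not in USER_ROLES:
        return False                          # not authenticated: deny
    allowed_roles = RESOURCE_ACL.get(req.resource)
    if allowed_roles is None:
        return False                          # unknown resource: deny by default
    return bool(USER_ROLES[req.user] & allowed_roles)


def reachable(policy: Callable[[Request], bool],
              source_ip: str, user: Optional[str]) -> Set[str]:
    """Every resource one session can reach under the given policy."""
    return {r for r in RESOURCE_ACL if policy(Request(source_ip, user, r))}


if __name__ == "__main__":
    vpn_ip = "10.8.0.23"                      # constructed VPN-assigned address
    print("perimeter :", sorted(reachable(perimeter_allows, vpn_ip, "alice")))
    print("zero trust:", sorted(reachable(zero_trust_allows, vpn_ip, "alice")))
```

Under the perimeter policy, a VPN-connected device reaches every resource whether or not anyone has authenticated, so malware on that device inherits the same reach. Under the zero trust policy, the same session is limited to the resources the authenticated user is authorized for.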
Despite these advantages, only 15% of organizations have zero trust security controls in place, with another 19% actively implementing them. Deploying a zero trust security strategy, backed by cybersecurity solutions capable of enforcing it, is essential to secure telework.