Truly we are living in interesting times (incidentally, this expression, commonly known as “the Chinese curse”, has nothing to do with China). Just a couple of weeks ago the world was watching China fighting the coronavirus outbreak as something that surely can never happen in other countries. Today Europe and the United States are facing the same crisis and we’re quickly coming to the realization that neither memes nor thoughts and prayers are going to help: many countries have already introduced substantial quarantine measures to limit social interactions and thus slow down the spread of the virus.
Suddenly, for many companies, the only sensible way to continue their business is to let everyone work from home. Naturally, the Internet is full of recommendations on things you need to do to ease this transition. For a change, I’d like to compile a short and practical list of IT- and security-related things you should avoid doing now to save yourself from regrets later… This is mostly targeted towards smaller companies that, on one hand, probably never had any plans prepared for situations like this but on the other hand can be much quicker and more flexible in actually implementing changes in their processes on such short notice. Check out my colleague John Tolbert's post if you're looking for advice for large enterprises.
Let’s start with a few general recommendations…
The pandemic is not an excuse for GDPR violations
First and foremost – don’t panic (knowing where your towel is wouldn’t hurt either)! It isn’t easy to stay calm and level-headed looking at the sensationalized media coverage from countries like Italy, but making impulsive irrational decisions is the worst possible thing to do in a crisis. This doesn’t only apply to hoarding toilet paper and pasta: if you’re considering actions like purchasing 100 laptops today to issue one to your every employee tomorrow, you might want to think twice…
Don’t think that the pandemic will be a universal excuse for any potential violation of security and compliance regulations, however: the crisis will be over sooner or later, and GDPR or PCI DSS will still apply… Having said that, don’t blindly trust anyone’s recommendations, not even ours! This especially applies to unscrupulous marketing activities of some vendors who might attempt to cash in on the opportunity. Only you can properly assess the risks of enabling remote access to certain types of sensitive corporate or customer data and to adjust your business processes accordingly.
Last but not least, don’t try to build a virtual office for remote workers. With a handful of obvious exceptions (like, for example, accessing legacy on-prem equipment or dealing with highly regulated personal information), people working from home don’t really need to pretend to be in the office. Consider the current situation a once-in-a-lifetime opportunity to radically upgrade your business workflows. Maybe you don’t really need to clock in every employee? Are your daily morning meetings so important that you need to pay for an online collaboration platform to continue them? Again, only you can decide!
Want some more practical advice?
Security from the cloud as a modern VPN alternative
How about this: you don’t need a VPN! Seriously, if you don’t have one already, don’t even think about investing in one. VPNs are not really a modern technology; not only do they not scale for situations like this, but they also introduce gaping holes in security perimeters by giving users full access to whole corporate networks.
With multiple known vulnerabilities in VPN products, which overstressed IT teams are more likely than not to leave unpatched in time, malicious actors will get additional opportunities to compromise your security. Instead, consider a more modern Zero Trust approach with software-defined perimeter (SDP) solutions, which enable fine-grained, authenticated and audited access to specific internal services and applications from anywhere without the bottleneck of a VPN. Companies like Zscaler, Akamai or CloudFlare among others are offering such solutions completely delivered and managed from the cloud. The latter even offers its solution for free for small businesses during the pandemic emergency.
Also, if your office security still relies on a hub-and-spoke architecture with firewalls and other appliances filtering all corporate traffic, don’t forget that it leaves remote workers unprotected! This approach has long been proven to be inefficient and hard to scale, so again consider a great opportunity to switch to a cloud-delivered security solution! Whether you’ll opt for a service from Akamai, Cisco or Zscaler among other possibilities, you should choose one that does not require any network changes or software deployment to keep your employees safe working from home, even from their personal devices.
Separating work and private life in home office
However, if you’re still not comfortable with BYOD, you don’t need to compromise! Consider a much more convenient and safer (if somewhat more expensive) enterprise mobility management solution that will maintain a secure air gap between private and corporate things on every employee’s device. Whether you opt for a solution from Microsoft or VMware among others, you’ll maintain full control over security policies regardless of every worker’s current location.
You don’t need to spend additional money to stay in touch with your colleagues and business partners: you can continue using whatever online collaboration platform you’re already using. Each has its own small quirks, but in the end, GoToMeeting, WebEx, Google Hangouts, Microsoft Teams or any other tool seem to get their job done pretty well. If you are still unsure which one you prefer the most, have a look at this website: some vendors are offering special extended trials or even free versions of their tools for small businesses.
Protecting the weakest link in your security chain
Don’t forget about the human factor! Every humanitarian crisis gives rise to various social engineering attacks aimed at deceiving users into running malicious software or at simply hijacking their accounts. Unsurprisingly, security researchers already report various malicious attacks exploiting coronavirus fears. With email still being the most popular (and incidentally the least secure) communication channel for businesses, you probably already have at least some kind of email security solution in place for your employees. However, none of those are impenetrable, and people often fall victim to a simple scam that has nothing to do with malware. Educating your employees about potential risks is a good idea, but proactive protection is more important.
Thus, if you still haven’t deployed multi-factor authentication in your company, don’t wait any longer! According to multiple reports, simply enabling MFA on an online service used by your business can protect your employees from over 99% of credential-based attacks. And it doesn’t have to be expensive either: most notable online services, including Google, Microsoft, Salesforce or Dropbox, support a range of different authentication options.
Even the simplest one-time password generated by a smartphone app is vastly more secure than no MFA at all. For additional security across multiple online services, you may want to consider FIDO2-based authentication devices. The YubiKey is perhaps the most popular one, but Google offers its own Titan Key as well, and you can find many more FIDO-certified products on the alliance’s website.
Don't just look at the labels: asking the right questions
Traditional antimalware protection for each endpoint device is, of course, still important, but now that you have to consider the option of letting your employees use their own devices for work, what is the best product you can buy? To be honest, I don’t have an easy answer for that – whether you’ll opt for a “best-of-breed” endpoint protection product like Kaspersky, an integrated cloud-native protection platform like Carbon Black or a radical AI-powered antivirus replacement like SentinelOne, don’t just look at product labels; ask vendors about supported capabilities and other concrete technical things. You might want to refer to KuppingerCole’s research like this Buyer’s Compass if you need to know which questions to ask. Check out Paul Fisher's post as well for an in-depth view of potential applications of AI in fighting the consequences of the pandemic.
In fact, don’t hesitate to reach out to us for independent, vendor-neutral guidance and support in all things related to cybersecurity. And more importantly, stay safe and healthy. Use this opportunity to relax a bit, be with your family and think of new opportunities after the crisis is over. And don’t forget to wash your hands!