One of the most interesting office work developments of the last 20-30 years, the home office has radically gained new relevance amid the developing coronavirus pandemic. With the goal of limiting the spread of the virus, many companies and employees must suddenly resort to the option of working entirely from home. This is not only self-evident but also urgently necessary and will support many companies in their continued existence at the same time.
Home office as an immediate pandemic quarantine measure
The advantages are clear: social contacts in real life will be reduced to a minimum, while a large number, if not all, of necessary activities, especially in the digital sector, can be continued. The tremendously important goal, which is propagated as #flattenthecurve via social media, i.e. the prevention of further infections especially at a still early stage of the infection, can thus be combined with business continuity for a multitude of organizations. But in practice, companies also face very specific technological challenges. That is because experiences with working from home are not equally distributed.
Different levels of experience
On one hand, there are companies that have often already geared their processes strongly towards roaming users. As "cloud-first" or even "cloud-only" organizations, they are perhaps already using digital corporate services as SaaS or offering secure access to the company's IT systems, even the critical ones, from outside (if such an "outside" still exists at all). Those employees are familiar with new processes, trustworthy handling of sensitive data, and the proper use of endpoint devices (computers, tablets, and smartphones).
Unfortunately, a large group of companies that have not yet taken these steps will be severely challenged by the pandemic. They are facing major operational changes that must be implemented in a matter of days, which will almost inevitably mean that security might be their second priority at best.
A cultural change in only a few days
This surely shows the negative effects of the reluctance of more traditionally structured companies to adopt more recent, decentralized, agile and alternative working models. But considering the underlying causes is now of minor importance. Companies must enable their employees and their IT as quickly as possible by means of necessary processes and access to relevant systems so that the continued operation of their business is guaranteed even in times of crisis.
However, the crisis does not free the companies from their responsibilities regarding compliance, governance, the protection of personal data or critical company intellectual property. What operators of critical infrastructure have continuously prepared themselves for over the past few years is now necessary for virtually every company wishing to continue operating in a meaningful way.
Of course, it is essential to avoid the concrete physical dangers of the disease for individuals. But it is equally vital to carry out a quick, operative and yet sustainable risk assessment of the necessary systems, access routes and end devices of their users as the foundation for the protection of the company, its services, processes, and data.
Preventing the crisis after the crisis
It does not serve anyone's interests if, as a result of this change in the work model, an organization is exposed to an increasing number of unmanaged security risks. These risks are to a large extent to be addressed individually, but they can nevertheless be classified into a number of complex issues that must be considered. Device protection (many users will have to resort to the use of private equipment due to the lack of corporate devices), secured communications, secure authentication, and authorization are increasingly important, particularly in such an exceptional situation.
Understanding the modified attack surface
When moving towards home office work as an undisputedly beneficial, alternative way of contributing to corporate processes, one insight is indispensable: this changes the attack surface of a company dramatically. All at once (without protective measures), a multitude of previously personal network access points and home networks become a vulnerable part of an enterprise network. Information and credentials stored therein are under threat and can presumably be used with little criminal energy as a doorway to a corporate network or digital services provided as Software-as-a-Service.
The loss or theft of an unprotected or inadequately protected access device with local data or credentials can be an immediate threat to a company, an NGO or a public authority not just today, but also later, when the current crisis is hopefully just a vague dark memory.
Taking the first appropriate steps
First of all, of course, all the fundamentally important technical measures are still necessary: local hard disk encryption, patching and monitoring of the clients used, securing home networks, scanners for viruses and other malware on the endpoints, secure access paths with multi-factor authentication and appropriate authorization systems, privilege management for securing critical systems and a multitude of other technologies that we as analysts for Cybersecurity and Identity and Access Management (IAM) deal with on a daily basis.
However, adequate instruction and training of employees who now access critical systems in the company from their home environment, potentially from private devices, should also be included. Knowledge about malware, viruses, and phishing that is communicated swiftly and efficiently should help prevent negligent handling of these threats, which can be somewhere between annoying and costly in the private environment, but which can threaten a company's existence.
Work from home but work in the cloud
Knowing that the measures described above cannot be implemented quickly and in a scalable manner, it may be useful to consider other approaches: an important alternative to the traditional remote use of corporate resources can be a temporary or permanent switch to collaboration and business services provided as a service in the cloud. In this case, data and processes remain in managed systems and the risks of working remotely will be noticeably reduced.
Some providers are already offering such platforms as an emergency measure (somewhere between practical solidarity and clever marketing) temporarily at significantly reduced costs or even free of charge. The use of such systems might be a mitigating measure to secure our abrupt change to the home office. But “just because” it’s urgent, such a step into the cloud needs to be well defined, aligned with a corporate cloud strategy and based on a risk assessment (compliance, governance and security).
A current and continuing challenge
The switch to working from a home office is a life-saving step for the individual and an important measure for containing the current pandemic. Enterprises are providing considerable support in this respect.
At the same time, however, they must consider and implement appropriate protective measures for today and beyond. KuppingerCole Analysts will continue to cover these topics in our research and in our blog as trusted advisors, aiming at providing actionable and valuable insights to the practitioners’ current challenges.