IT professionals know that quality security is ensured through proper governance and change-management practices, both of which took a backseat to getting America’s workforce up and running remotely earlier this year.
According to a survey by Insight Enterprises in May, 79 percent of IT professionals said they expect IT to take on a greater role within their organization than prior to the pandemic, and 65 percent cited business continuity planning or the ability to work remotely as their biggest lesson learned from the impact of COVID-19.
IT leaders had to respond at a rapid clip to the changing environment brought on by the pandemic, opening their organizations to security gaps and vulnerabilities. Now, however, CIOs have the opportunity to reflect on best practices as we settle into remote work for the long haul.
‘Zoom Bombings,’ Phishing, Oh My!
To initially transition to remote work, many IT departments opened up access to company servers without the right protocols in place, lowering the security profile of company resources and potentially granting access to a “man in the middle”: A bad actor who wouldn’t normally be able to intercept this transmission. Cloud-based Software-as-a-Service (SaaS) platforms, like Teams, are designed for transmission security, so calls and chats are highly encrypted.
However, these platforms aren’t particularly sophisticated in access control out-of-the-box and require an organization’s IT team to play a big role in securing access and managing them in sophisticated ways based on their established ecosystem. This means that signals are secure, but access may not be, creating a vulnerability for attacks like “Zoom bombings” if IT isn’t hands-on from the start.
Organizations are not operating in a vacuum, and hackers know that. Large companies often have hundreds of smaller, third-party connections whose security practices are less likely to meet the enterprise-level standard, especially in this remote environment. The onus is upon IT to consider these relationships and limit exposure to any associated security vulnerabilities.
Ultimately, the main security challenge to remote work is the off-premises user working from a personal device. Phishing attacks are also at an all-time high, and particularly nefarious as they are designed to prey upon flawed human judgement. The combination of phishing attacks and personal devices is especially dangerous as these devices do not typically encompass the same level of malware protection as enterprise-level technology provided by an employer.
Take a Minute to Double Down on Security
Now that many companies have been remote for nearly six months, CIOs can begin to put in place better security measures for today’s remote environment. This starts with an assessment of who has access to company resources: Now that companies have allowed the initial dust to settle, IT can fully restrict access to these resources, then put a plan in place to grant access to teammates through proper change management practices.
Even with top-tier identity access practices, using devices on private home networks remains a security vulnerability. Ideally, organizations would provide employees with company devices to be used on a secured network at the office.
Because that’s not currently possible in many cases, as an alternative, companies should consider providing SD-WAN devices to their remote employees. These devices are affordable: They cost about $90 each and function as a router, enabling internet access without allowing visibility from other networks. In practice, connecting to the internet through an SD-WAN device is no different than switching from a home network onto office Wi-Fi.
CIOs need to dip their toe into the CISO role and help their organizations prepare to continue to operate remotely and securely for the long term. These best practices include arming team members with physical tools to improve security, like SD-WAN devices, but also mandating telework policies including malware protection, restricting the use of certain applications, and multi-factor authentication. It’s also vital that IT stays in contact with all remote users, using analytics to identify not only what technical steps need to be taken but what behaviors need to be corrected. In essence, every endpoint should be treated just like any node on the network was before the pandemic caused workforces to disperse.
Rapidly transitioning thousands of employees to remote work was no easy task: IT departments have accomplished amazing work over the past few months and, at the time, had no choice but to accept the security gaps that resulted. Remote work is our current reality, so now is the time to patch these holes and find the best solutions to the challenges we’re facing.
CIOs and IT teams who are able to meet these goals now will be achieving a much larger objective that we’ve all been trying to accomplish for years: A workforce that can work seamlessly anytime, anywhere and from any device.
Brian Gatke is Director of IT services portfolio with Connected Workforce at Insight Enterprises.