As we approach a new year, it is important to reflect on the trends and developments that have taken place over the last year, particularly where security is concerned. Nathan Howe, Head of Transformation Strategy EMEA at Zscaler, tells us how the remote working circumstances inflicted upon us by the pandemic meant security protocol was bypassed and an inevitable increase in ransomware threatened operations.
By the time you’re reading this, there’s a very good chance that you’ve not been into the office for nearly 10 months. For nearly a full year, the vast majority of the working world has spent their time operating out of home offices, spare bedrooms and living rooms. Despite this, the work is getting done and, bar sectors where in-person interaction is essential, businesses are still viable.
The path to get to this point, however, has not been smooth. Businesses of all sizes and in all sectors have grappled with the technological infrastructure needed to keep their workers productive. There have been failures, cut corners and complacency to get to today. Truth be told, we’re not yet where we need to be to continue making this a long-term viable means of working.
Before we deal with the here and now though, we must first look to 2019 to provide context for the transformational journey businesses have been on that set the stage for this tumultuous year.
How 2019’s tech investments impacted 2020
Unaware of what was to come, there were two key goals for businesses in 2019 in regards to their IT infrastructure. Firstly, they wanted to drive applications to the cloud and reap the cost benefits and competitive advantage that these transformations enable. Secondly, they were looking at how to simplify their IT in general and this was most commonly via investment in SD-WAN projects.
Although companies that went down this route were making sensible decisions at the time and under the circumstances, when lockdowns started being enforced in March, their Business Continuity Planning (BCP) was effectively made irrelevant. As lockdowns hit and workers went remote, those sites connected via SD-WAN had no one using them and started gathering dust.
The battleground suddenly switched to one of resourcing and connectivity. ‘How can I ensure my workers can stay connected and do their jobs?’ That played out in a few different ways as the year went on.
March – The scarcity phase
Without the infrastructure to support en-masse remote working, scarcity marked the early days of lockdown as businesses scrambled to ensure connectivity and Business Continuity. There was a shortage on two fronts – network connections and devices.
For example, on the connections side, often remote workers had to VPN into the data centre to get access to the Internet. This was a solution built to maybe handle 20-30% of the workforce, so having everyone try to access it at once impacted productivity hugely as the connections were unreliable at best.
Other businesses simply didn’t have enough laptops to provide to their workforce. Others might have had them, but the logistics of getting them to their employees was unfeasible. To handle the shortage of devices, some businesses started separating workforces into two teams and alternating between working remotely and in the office.
These were scrappy times for enabling remote working, and with pressure mounting to ensure productivity and profitability, businesses became ever more desperate to keep their workforces connected.
April and May – The bypassing phase
By this point, connectivity was the key resource every business needed to ensure its continuity. There was mounting pressure and a complete reliance on the IT team to facilitate this connectivity. For those without the infrastructure to enable it in short order, sacrifices had to be made to achieve it. More often than not, this meant bypassing security controls.
For those with hardware shortages, they empowered employees to take their entire desktop workstations home and connect them to their home networks. Alternatively, IT teams spun up low cost remote desktop solutions, enabling workers to use their personal computers, or home tablet, to remotely access the corporate network. Security policy would never have allowed this under normal circumstances.
June – The hero IT team and stability
By June, through the hard work and resourcefulness of IT teams around the world, businesses managed to take a breath. By this point of the pandemic, the solutions that had been put in place in April and May were up and running and business productivity was stabilising.
For the IT team, this signalled a more profound shift. For once, IT had become a critical business function, with a bigger seat at the table. The IT teams were rightly celebrated for their achievements.
This stability, however, was temporary and limited to access and connectivity. Security had been bypassed and the end of summer would begin to reveal those vulnerabilities.
August to November – The cracks begin to show
In mid October, the U.S. National Security Agency released a list of the top 25 security vulnerabilities that Chinese hackers are actively exploiting to steal intellectual property, economic, political and military information. It’s no coincidence that among them sit numerous remote desktop and VPN vulnerabilities. In recent months, we’ve also seen a surge in ransomware targeting multinational businesses.
The attacks that have happened since the end of summer are all the inevitable results of basic security principles such as change control and patching management that have been overlooked to enable that connectivity.
The 2021 challenge – Wiping the slate clean
The remote access workarounds that marked the early stages of the pandemic were a necessary evil for many IT teams. Not all businesses faced the same challenges, but for those that did, the new task is to balance their performance needs without sacrificing security.
What will benefit these companies going into 2021 is that they’ve opened themselves up to the possibility of change. Businesses, particularly large multinationals, can be resistant to change. It breeds risk, it costs money and it takes time.
Now, however, almost all companies have been forced to change, and will be forced to change again going into 2021. Most will understandably start with their user base to enable secure access. However, this also provides the opportunity to look at the broader ecosystem and consider their application base, their server base and their cloud base.
I think 2020 will be a lesson learned for many businesses. Moving forward, organisations will have to stop differentiating between access within the corporate office and remote access. In a modern work environment, staff will be able to securely access their business critical apps in an identical manner, no matter where they are working from. However, businesses will need to shift their mindset to make this a reality.Click below to share this article