As industries commit to "flattening the curve," IT has its eye on sustainable cybersecurity for a remote and distributed workforce. Bad actors will use the time to exploit vulnerabilities and personalize phishing emails.
While it's tempting to think companies have to adopt entirely new cybersecurity strategies, chaos offers more time to enhance solutions already in use.
"I have realized that there are not any companies prepared for the long-term ramifications," Chris Kennedy, CISO at AttackIQ, told CIO Dive. "We will witness lots of legacy transformation" as companies reevaluate their pre-coronavirus remote philosophies.
Unlike sectors known for legacy tech, such as healthcare, technology companies are testing security measures they already had in place.
Matt Deres, CIO at Rocket Software, is keeping tabs on about 1,500 global employees, including those in China. "China's very far ahead of us in terms of what they've experienced and what they've done. Rocket Software is learning from its Chinese workforce, who was working remotely for six weeks. They are starting to go back to the office as U.S. employees start to stay home, he told CIO Dive.
"I think that what we really need to leverage here is patience more than anything else," said Deres.
Identity's role in security
There are a number of reasons why companies prefer keeping their employees in office, but those that have remote workers — whether a handful or a few thousand — already know the associated risks. These are the security questions companies must answer:
How are companies will assure the identity of a remote worker?
What is the degree of repudiation?
How are companies assuring that the asset that's connecting to the internal network is trustworthy?
How are companies protecting the internal network from an external asset?
Modern companies likely know the answers to these questions, it's just a matter of scale now.
"Almost every company in the world is going to invite somebody from the outside world into their company, whether it's an auditor or some kind of contractor," said Deres. While most of the workforce is working from their couches right now, security is focused on identity assurance of who is connecting to what and how.
From there, security meets capacity issues, which "we can manage pretty easily," he said.
While the cloud keeps companies afloat and at scale, it eliminates the defined security perimeter. To secure the network, companies are turning to zero trust, which assumes bad actors are already living in a system and promotes a bare minimum access model to prevent an escalated intrusion.
"I think that what we really need to leverage here is patience more than anything else."
CIO at Rocket Software
While industry has tossed around the strategy for about a decade, unique identifiers for people, devices and machines is a difficult task and cannot be done in a moment's notice, according to Kennedy. Transitioning to a zero trust network demands investments in security management and "powerful" endpoint, data and identity management adjustments.
A zero trust network demands investments in security management, endpoint, data and identity management, Kennedy said. It requires unique identifiers for people, devices and machines, which cannot be done in a moment's notice
A perimeter-free cybersecurity strategy is the long-term goal and it does take time, beginning with the deployment of remote proxies, according to Goodman. Zero trust was not intended to be an emergency business continuity plan.
The limits of VPNs
Tools that companies are turning to in a panic, such as virtual private networks (VPNs), could invite further risk into a remote environment.
"IT teams may need to open up gaps in their corporate network and security policy in order to allow access to certain apps and services through a VPN or virtual desktop," Ben Goodman, CISSP and SVP of global business and corporate development, ForgeRock, told CIO Dive.
Others are more optimistic about real-time zero trust adoption — though with caveats. "You can change very, very rapidly in technology," said Deres. "If I didn't really care about the individual, we could do all sorts of things … but there's only so many things that you can inflict on a person at any given time."
If a company were to suddenly roll out multifactor authentication for all employees to connect to VPNs, the workforce would retaliate, said Deres.
The human and culture factor is as much of a consideration as the technology. There will always be a significant part of the workforce — no matter if a company is in the technology industry or not — that will need assistance in tech changes.
"Ideally, enterprises should rethink application access from the zero-trust architecture perspective, and allow VPN use for the few use cases, if any, where nothing else will do."
technical director at Valimail
Zero trust cannot be used as "a tactical mitigation" in response to overloading VPNs, Ash Wilson, technical director, Valimail, told CIO Dive. VPN use is intentionally limited because bandwidth can lead to bottlenecking.
"Ideally, enterprises should rethink application access from the zero-trust architecture perspective, and allow VPN use for the few use cases, if any, where nothing else will do," Wilson said.
As of Sunday, the U.S. has increased its use of VPNs 53%, according to research from VPN provider Atlas, examining 50,000 weekly users. In Italy, usage jumped 112%.
Experts advise discretion for adopting VPNs in one fell swoop because the results can be messy and inhibit productivity.
VPNs and virtual desktops have "finite capacities," said Goodman. Companies should only designate VPNs for a small group of employees who need access to on-premise services.
Pressure to use VPNs or mobile device management software can lead to latency issues and bottomed-out productivity. "VPNs also violate the core principle of zero-trust by granting users full access to company networks rather than to the specific resources therein," Jacob Serpa, senior product marketing manager at Bitglass, told CIO Dive.
Over-communication with IT is essential for non-IT employees as cyberattacks will become personalized. Cybercriminals love a crisis, though misinformation campaigns are preferable, Russian-based cybercriminals are selling digital coronavirus malware kits for $200.
The risk of an infestation — likely due to emailed phishing attacks — is at a high. Employees can personally extend the zero trust mentality to how they go through their email inbox: question everything.
Domain authentication can prevent spoofing, according to Wilson. But in case something does happen, "no employee should ever wonder what the appropriate response is to a suspected security incident."