IT and security response to the coronavirus pandemic was heroic. Although many organizations had some degree of remote-work capabilities pre-COVID-19, the past year brought this work to new levels.
Enterprise security has had to quickly evolve alongside the shift to remote work and cloud adoption. For example, companies successfully ramped up VPN infrastructure, shifted to online models of collaboration software, and re-examined security policies in light of a highly distributed workforce.
Yet, these changes are only the beginning; a recent survey conducted by IDG and Comcast Business has revealed that organizations will increase their investments in remote IT operations and cybersecurity to better support remote work.
That’s because the COVID scramble led to new challenges, according to participants in a recent IDG TechTalk Twitter chat, sponsored by Comcast Business. (Comments lightly edited for spelling or punctuation.)
It has made a lot of security teams move faster than they would like as organizations moved quickly to the cloud and accelerated their digital transformation. #idgtechtalk @ComcastBusiness George Gerchow @georgegerchow
Specifically, the rush to invest in or significantly expand work-from-home solutions may have resulted in weakened security, with knock-on effects on compliance, security operations, and infrastructure.
I think the one #infosec and #compliance concern I would have in the midterm in the face of #COVID remains the amount of #techdebt organizations are taking on board to make architectural changes for distributed workforces. Wayne Anderson @DigitalSecArch
Even basic security hygiene took a hit, suggested Ben Rothke @benrothke:
Remote work makes patching harder. Many IT departments scrambled to manage demand on VPNs & other systems while triaging user help-desk requests. With everything going on, many fell behind on patching, exposing their orgs to greater risk.
However, now that the dust has settled, it’s time to prep for a new era of continued distributed workforces and cloud-services adoption — all with new challenges.
First things first
In thinking about how organizations can shore up their infrastructures to become more secure and resilient, participants underlined several strategies.
First, take a breath:
Part of #COVID has actually been a pace acceleration. You may have to help your team slow down; give them permission to say “no” to some things. Help them be intentional on setting pace and creating circuit breakers in our new #remote meeting culture. #IDGTechTalk Wayne Anderson @DigitalSecArch
Then, get your house in order. Understand your environment and your core competencies:
Short term is one thing. CIOs must step back and do complete staffing strategy for IT and work with business on theirs. Shift roles that are common or not needed in-house to partners. Tim McBreen @tim_mcbreen
An accurate inventory of your hardware and software assets would be nice. Can’t even tell you how many companies I talk with that have no idea where their doors and windows are, let alone if they’re locked. #idgtechtalk Jay Ferro @jayferro
Cloud, cloud and did I say, more cloud? Why waste time managing and securing something that is not core to your business? If you are Honda, stick to making cars not building data centers. #idgtechtalk George Gerchow @georgegerchow
Next, if you haven’t yet, start working on Zero Trust. It’s a framework that assumes no trust in a network, device, or identity. It requires users and devices accessing resources to prove who they are. It also leverages identity and access management (IAM) technologies:
Start managing identities. Identities of people, identities of devices. Build gold images. Turn up logging for when folks are logging in, and where they’re logging in. And please avoid multi-cloud if you haven’t started Zero Trust. #IDGTechTalk Kayne McGladrey @kaynemcgladrey
Secure IAM. It should be multi-factor authentication, but also easy to use. Data management and governance are also key, along with attribute-based access control, encryption, and privacy controls. Amélie E. Koran @webjedi
It’s time to look beyond the age-old VPN models and look to #IAM, #ZeroTrust, and improved #datagovernance to protect themselves in a future where their employees & partners may not always be operating in infrastructure the org owns. #idgtechtalk Will Kelly @willkelly
Participants also stressed the need to educate end users and their families in this highly distributed workplace:
Most orgs still don’t do enough educating users on #security best practices, and instead look for all types of tech to try and build an impenetrable vault. Spend time educating your most valuable assets up front (e.g., phishing, identity safeguards, surfing, etc.) #idgtechtalk Jack Gold @jckgld
And this needs to extend to families that may be sharing devices with corporate VPN access to students who are participating involuntarily in remote school. A single #phishing link can move laterally if kids aren’t contextually aware but sharing a device. #IDGTechTalk Kayne McGladrey @kaynemcgladrey
Securing cloud deployments
Considering the likelihood that many workers will permanently work from home or remote locations, it’s critical to think about securing cloud infrastructure, apps, and data. That starts with some basics, from understanding vulnerabilities to knowing what you must protect:
Take time to learn the shared responsibility model. Train your teams, and leverage cloud-based security platforms to manage and secure cloud workloads. #idgtechtalk George Gerchow @georgegerchow
Too many execs think the cloud is inherently secure & they have to do nothing, until you show them a responsibility matrix from Google/AWS/Azure. It’s one heck of a wake-up call. We must realize that every security control for on-premises infrastructure has an equal cloud equivalent. An example of many: misconfigurations & inability to detect excessive access to sensitive data are significant #cloud #infosec threats. #IDGTECHtalk Ben Rothke @benrothke
From experience, don’t remove the basic security configs. All those S3 buckets exposed were due to developers neutering relatively good security controls. Think about all the “blocks” you are also gluing together during your service design. Amélie E. Koran @webjedi
In addition, get third-party audits and assessments of cloud environments.
Third-party risk assessment is critical in the cloud era. Make sure they’re following the right standards and that they’re doing what they say. #idgtechtalk Larry Larmeu @LarryLarmeu
Third-party audits of environments including pen-testing and code scanning must be done frequently. You can’t rely on internal teams to ensure security. Security often uses an old Russian phrase, “Trust, but verify.” Go further, don’t ever trust…always verify. #IDGTechTalk Jason James @itlinchpin
Know when you need help
Managed services providers received a good deal of attention from TechTalkers, who emphasized that organizations large and small can benefit. They cited multiple ways to take advantage of MSPs — from day-to-day security tasks to more advanced capabilities:
Top 5 services organizations want from a managed network security provider imho. #SOAR, #SASE or #SDWAN #phishing prevention #ResilientRecovery aka HA and advanced #firewall or #APT #idgtechtalk @comcastbusiness Adam Stein @apstein2
Network monitoring, threat detection, incident response, penetration testing, and code scanning are all popular services these days. #IDGTechTalk Jason James @itlinchpin
Managed advisory services for proactive regulatory advice, managed XDR for defense, managed threat hunting for proactive eviction, and managed SOAR/SIEM. All of these because there’s not enough time in the day. #IDGTechTalk #cybersecurity Kayne McGladrey @kaynemcgladrey
Ability to leverage AI/ML to help predict and assess risk. Trying to keep up/stay ahead of the game is no longer a human scale project. #IDGTechTalk Nick Gonzalez @nickg1421
Also ensure that the MSP also is upskilled enough to meet your needs (no bait and switch for staff) as well as the ability to independently audit them as well – and ensure their response to your compliance needs. #FoxHenhouse Amélie E. Koran @webjedi
A look at security investments
Just because the dust is starting to settle on 2020, it doesn’t mean the job is done — security’s work never ends. Thinking about investments for the long term, TechTalk participants strongly advocated for people rather than specific tools.
Invest in educating your staff. With everyone WFH, educating regularly on new business threats will help. Invest in improving security posture and shift to a PROACTIVE APPROACH > reactive. Proactive will save you much more money in the long run. #IDGTechTalk Nick Gonzalez @nickg1421
Forget about buying #infosec appliances, or software that ends up as shelfware. The best thing to invest in is your security people. A strong security team has the best ROI and will, in fact, be the most effective in the long term. And that is what truly counts. #IDGTECHtalk. Ben Rothke @benrothke
And if necessary, consider bringing in managed services to act as a force multiplier for that team. #cybersecurity is too broad a topic for one small team to know everything. #IDGTechTalk Kayne McGladrey @kaynemcgladrey
Security is everyone’s responsibility. Investing in tools and solutions is crucial, but it goes beyond that. People are always the weakest security link. Ongoing training and testing must be part of the overall plan. Zero trust models are table stakes at this point. #IDGTechTalk Jason James @itlinchpin
Wrapping up
It’s worth noting that this conversation took place during #CybersecurityAwareness Month. To that end, a few reminders:
#CyberSecurity has no more boundaries anymore. #idgtechtalk Arsalan Khan @ArsalanAKhan
The remote shift has made #CyberSecurity concerns something we are all thinking of. It is a very important issue, but now it is protecting the only way we have to work. We need to be keeping an eye on our procedures now more than ever. Debra Ruh @debraruh
CIOs must constantly be beating the drum of shutting down legacy (and duplicative) systems. Shrink your attack surface. Simplify. Simplify. #idgtechtalk Jay Ferro @jayferro