Ben Carr, Chief Information Security Officer, Qualys, explains why the existing cybersecurity practices must be updated in order to secure the hybrid workforce in the post-COVID world.
With vaccines being rolled out across the UAE, we’re all optimistic that a post-COVID future is on the horizon. But as we emerge from our cocoons, we are also faced with the question of what we do next. The pandemic forced us to experiment at scale with technologies that were previously mere curios. Remote working has allowed entire economies to mitigate the rigours of the coronavirus, and across the Middle East, enterprises are discovering that operations can tick along quite efficiently under the new normal.
The UAE government has long made it clear it is in favour of a surge in remote working. The Ministry of Human Resources and Emiratisation has cited benefits such as reductions in transportation expenses, pollution and traffic congestion, as well as more job opportunities for those living in remote areas. Just this past March, in the very early days of the pandemic, Statista reported that more than a third of Gulf companies (35%) were open to remote working. Around half of these (18%) were already working remotely and the other 17% were either considering it or were starting soon. Necessity being the mother of invention, COVID accelerated this migration.
So, if remote working is here to stay, should we not be establishing new policies to cope with the hordes of bad actors we know are still out there? You can be sure that they know the old ways are unfit for purpose; and you can also be sure they know those ways are still in use.
Make a list
New best practices are required to ensure everyone can work wherever, whenever and however they need to. For a start, asset management should be prioritised. Remote workers give rise to unwieldy hybrid environments of cloud storage, containerisation, personal devices and unvetted public networks. With an always-accurate inventory you can at least identify weak points more easily and formulate action plans to address them. Otherwise, you are in the dark, waiting for the inevitable breach. When you consider this scenario and the potential catastrophes it portends, you can appreciate how the phrase “Shadow IT” was coined. It always sounded ominous, and for good reason.
Today, IT asset management is largely automated. Even at massive scale, any device that connects to the corporate network is assessed and logged, from home PCs to cloud services, software containers and IoT devices. If it reads, creates, or updates data, you will know about it. Welcome to a world in which real-time tracking and vulnerability scanning are standard.
Sound asset management allows you to patch more easily. Vulnerabilities are a fact of life in technology ecosystems. Dealing with them sensibly is one of the most essential jobs of today’s IT teams. But methodically going through every app and manually applying every available fix is impractical and counterproductive. Instead, you need to form a priority list of fixes that accounts for how easy the flaw is to exploit and how damaging the resultant penetration could be. Each business will have its own nightmare scenarios, and its own critical apps and data.
Get your priorities straight
Modern vulnerability management also needs to consider the pace at which the network changes. In the hybrid-working world, there is a perpetual revolving door of devices joining and leaving the corporate network, each with its own holes waiting to be patched. A priority framework will address all of this and rank vulnerabilities, meaning resources will not be wasted on addressing the more trivial issues. Doing this properly will not only lead to greater operational efficiency within the security function itself; it will also make it easier to give lines of business clear reporting on how protection measures are applied across the entire business and how effective they are.
The unique consequences of the global COVID-19 pandemic have forced some hard decisions upon organisations and their CISOs. The economic malady outside the walls will force security teams to justify their budgets and even their very existence. Cloud security spending may be on the rise, according to analysts around the world, but operational efficiency will still be expected by enterprise leadership teams. Automation of humdrum tasks is vital so that trained professionals can concentrate on the kinds of threats that call for uniquely human qualities like judgement and instinct. When freed up to attend to these trickier scenarios, security professionals can better demonstrate their worth.
The shifting frontier
But because we live in a world forever changed, and because we can expect the workplace to remain in this hybrid state for the foreseeable future, we must adopt security standards that will live comfortably alongside our new routines. Put another way, there is no end to this road we are on; we are now in a state of perpetual adaptability. While the region’s workplaces are changing, some other realities are not. Attackers are still out to get us, regulators still expect compliance, and customers still expect privacy and safe commerce.
So, while we chase a galloping horizon, we should be vigilant. Transparency regarding performance, regular reporting, benchmarks, metrics and all the tools of accountability must be brought to bear on those responsible for delivering safe environments. Nobody ever said implementing best practices was easy. But the rewards are significant, and the alternative is unthinkable.