COVID-19: Business Continuity Outside the Workplace
COVID-19, referred to the Novel Coronavirus, is globally affected over 100,000 people direcly and millions indirectly. For years we’ve heard in Information Security that “the perimeter is dead,” but now is the time that we test it as some companies look at completely closing physical access to buildings at scale during the Movement Control Order. The IT perimeter definitely exists; we can point to firewalls and DMZs and a loose correlation in most companies between some types of digital assets and the physical boundaries of the company. But the believe that the perimeter can stop serious, advanced attacks has long been put to rest. The real test now is if the business can survive outside of the perimeter, and if so, how to secure it.
There are 3 simultaneous problems to solve for any business faced with remote working employees or with customers and partners who don’t want to meet face-to-face.
- Policies about the current crisis
- Maintaining as many business functions as possible when no one comes to the office
- Securing the Enterprise when the office becomes only a mailing address
All of this brings us to the “securing the Enterprise when no one comes to the office” problem. It is hard to generalize since there are so many types of business. However, here’s a list of the basic things to consider to reduce risk in an optimal manner.
- Is your source of corporate identity accessible to the outside?
- Do you use strong authentication in all cases and, if you suddenly switch it on, will people be able to assert their identity in a strong manner and allow them to authorize and exercise entitlements?
- Will they be able to claim their identity in a way that you trust and do the things they are supposed to do?
- You might have some employees remote right now, but are all of them remote?
- Do you allow insider information to be accessed from remote, source code or strategic project documents?
Obviously, the VPN and your extranet strategy here matter and burst licensing might be required from suppliers, but consider by department what new data types are being accessed and what this exposure might mean from a risk perspective.
This is more than just security and protection, as are common with user endpoint management (UEM) and mobile device management (MDM). While these are important, the endpoint is about to become for many the newest, most distributed place where your corporate data exists.
This might be the simplest on the surface of all endpoints because many companies already allow personal phones or have a bring your own device (BYOD) policy. However, even before going remote, mobile is still a vulnerable medium and needs better security measures generally. Now might not be the time to beef up mobile, but the day is coming post-crisis when that is likely to be the hottest risk area for many businesses.
Laptops and Desktops
Every employee will be working on data that is by definition outside the office. If you haven’t use tool to encrypt your company data, now is not the time to turn it on blindly but rather to take note of what data is most sensitive and to come up with a policy for data-at-rest outside the company.
Security Operations and IR
Security operations and incident response are often group activities with highly specialized collaboration and tool use. Can your employees exchange ideas, talk, meet ad hoc, exchange data and so on securely? It might be time now to send a few home and make sure that the work can still be done before everyone potentially heads home for a few weeks.
This might be one of the biggest areas of concern. It is because not all employees have a home and personal space outside the office like yours.
- When your employees take the machine home, what is their home work environment like?
- Do you have simple policies that real human beings can follow to protects keyboard access, employee safety and media security?
- Do you have policies for what employees should do if they have a home break-in, if they suspect someone is overhearing on them in their personal space or if they feel unsafe working in their home environment?
During the Movement Control Order, it might be a good time to encourage a refresher in awareness programs and training as people move home. It will give them something to do and make them actively conscious of security issues.