June 11, 2020//Tony Howlett
For the last few months, most IT departments have been struggling just to get through various pandemic-related fire drills such as overnight work-from-home infrastructures that need to be put into place and the greatly increased use of video conferencing and other distance collaboration tools. In addition to these challenges, many organizations have had to execute these directives with reduced staff and budgets. But at some point, the spending freezes will go away and budgets will come back. But what will be the new cybersecurity priorities in a post-COVID-19 world?
All indications are that there will be systemic changes, not just in IT but in our entire work culture and cultures at large. These changes will affect what assets you have to protect and how you protect them. Here are some predicted changes in workplace norms and how InfoSec departments might be expected to respond.
This was already in motion before the pandemic but now that most white-collar workers have been working from home for months, expect this movement to expand and accelerate. Workers who have seen benefits from working from home such as more exercise, less commute time and more time with the family will begin demanding it as a core benefit. Companies that might have been hesitant to implement a work-from-home policy fully before have seen that it can work. They might even be thinking this could be one of those rare win-win moves in business: saving money on real estate costs while offering more employees this benefit. However it happens, expect work-from-home arrangements to expand greatly and perhaps become the norm for most office workers.
This means that work-from-home infrastructure can no longer be viewed as an ancillary to your office and “inside the firewall” infrastructure. Where before you might have been okay with using a VPN and hoping and praying that one of those endpoints doesn’t get infected, that isn’t going to cut it in a 100% work from home culture. You will have to upgrade your thinking and your infrastructure to put your work from home endpoints right at the center of your network in terms of security and protect them accordingly. This means at a minimum company-owned and managed endpoint protection on every work from home device, including cell phones. You will also want to pursue other layers of protection for defense-in-depth, just like you do with your now mostly irrelevant hard perimeter. This could be the new zero trust framework, privileged access management (PAM) for administrative users and vendor privileged access management (VPAM) for third-party users. More monitoring will also be needed on those endpoints, which could bring up employee privacy issues.
Just like companies are having to re-evaluate the security of their work-from-home environments, primary schools, colleges and universities will have to take a more corporate-like approach to cybersecurity with the school-from-home (SFH) revolution that is coming as a result of the pandemic. Kids who have had a taste of it, as well as parents looking for a way to reduce the cost of higher education, will demand more of these kinds of offerings. These institutions, which aren’t used to thinking about security in the same way as enterprises, will have to reconsider their approach to how these newly expanded services will be delivered. The problems that have popped up so far, such as “Zoom Bombing,” and student privacy issues are just the tip of the iceberg. Imagine DDoS attacks on e-learning services during finals week or ransomware hitting grading systems.
Universities will have to start acting like the large corporations that they are and provide the proper level of cybersecurity for the services that they charge for. The days of keeping your university email long after you have left the school are probably over and other school-student interactions will probably have to become much more formal and locked down.
The pandemic laid bare issues with our national supply chain that had long existed under the surface. Complex supply chains for critical medical supplies that stretched across the globe were strained to the breaking point and the average citizen realized how fragile that the America of “everything available, all the time” really was. When toilet paper became a precious supply, we all realized how bad it was. Expect an increased emphasis in “Made in America,” especially for strategically important products such as PPE and medical testing supplies. The executive order for the utility industry is an early sign of this.
The cybersecurity of these critical industries was already coming under scrutiny before the pandemic, with vendor management processes and technology being required for many regulated entities. Expect more of the same in terms of executive orders, legislation and tax incentives to encourage companies to keep production more local and secure.
There will be many other effects than are listed here, such as the acceleration of the death of brick and mortar, restaurants morphing into takeout companies and more e-commerce in general, as well as others that are impossible to predict while we are still in the midst of it. But for those of us who have been in technology for a while, we know that the only constant in IT is change. So, the best advice is to be flexible and ready for change with your IT and InfoSec plans for the next 18-24 months, and you’ll be in the best position to not only survive but prosper in the post-COVID-19 age.