Only a few months ago, the idea of moving the entire workforce online seemed impossible. Do it on a three-month timeline? Forget it. Over one weekend? You must be joking. And yet in March 2020, this is the task that IT professionals were given on a Friday. Get everyone online, working remotely. By Monday.
And we did it. We did it with more than a few all-nighters. We did it thanks to heroic actions by IT teams frantically distributing laptops. We did it successfully — while keeping cybersecurity top of mind. If you haven’t already, it’s time to give yourself and your IT team a well-deserved pat on the back.
Now that we have some breathing room, it’s worth taking the time to take stock of the rapid changes we experienced and reflect on what we can do better next time. As cybersecurity threats increase and the real possibility of a second pandemic wave looms, now is the time to plan ahead and make sure you’re prepared.
With these goals in mind, it was my pleasure to participate in a discussion with Ben Sapiro (Global CISO at Great-West Life Co) and Nick Aleks (Director of Security at Wealthsimple), moderated by Kris Hansen (CTO at KOHO). Together we shared our lessons learned from going remote, thoughts on today’s cybersecurity threats, and perspectives on what’s to come. Our key takeaways are summarized below.
Lessons Learned from Going 100% Remote
Transitioning from corporate desktops and servers to laptops using cloud services overnight was no smooth ride. Here are a few lessons we learned while navigating the turbulence.
Exercise care with communications. When preparing to send out an all-company email, make sure to clear it with senior executives, HR, and compliance departments first. When it comes to updating your remote work protocols, there are likely to be a few exceptions, including employees who still need to come into the office to perform essential on-premise work. Avoid panic by looping these people in ahead of time and assuring them that the appropriate PPE and security controls will be in place at the office. Don’t leave anyone in the dark.
Focus on education, and over-communicate when necessary. Don’t assume employees will absorb everything they need to know from mass emails. When people receive too much information, they tend to tune in out. Consider communicating in different ways, such as hosting a lunch-and-learn webinar or tutorial to get everyone up to speed. Remind employees that it is their responsibility to stay more vigilant and suspicious of potential threats. (There are plenty of resources for employees on how to work from home securely. For a quick refresher, check out Nick’s 8 Tips for Going Remote and SANS Work from Home Kit.)
Anticipate stumbling blocks and make your controls “foolproof.” As cybersecurity professionals, we often remind employees what they shouldn’t do: don’t log in from public Wi-Fi, don’t access your work accounts from personal devices, don’t plug in external devices. But everyone makes innocent mistakes. Whenever possible, build in controls that do not let employees do the things you don’t want them to do — even by accident.
Line up your vendors ahead of time. During the first few days of “shelter-in-place,” the biggest impediment to getting employees online was making sure they had laptops. When you take the time to develop strong relationships with vendors, you may be able to “jump the queue” when your organization needs equipment on a short time.
Accelerate infrastructure upgrade projects. Before the pandemic hit, many of us already had plans to upgrade our VPN or data loss prevention systems in the pipeline. Understandably, the adoption period for new tech tends to lag, because we want to be thorough and cover all bases. But it’s worth it to push and get projects over the line now, so a future crisis situation doesn’t leave you in the lurch.
Recent Developments in Cyber Threats
With large segments of the economy moving online, it’s no surprise that cyber threats are on the rise. In our experience, today’s cyber attackers aren’t doing anything novel, per se. But the number of attackers has increased, and they are taking aim at new targets.
Given the increased focus on healthcare, groups of cybercriminals are increasingly targeting hospitals. Nation-state backed threat actors are trying to gain access to pandemic vaccine research. As financial transactions become increasingly digital, attackers are launching account takeover attacks on fintech companies, attempting to gain access to users’ bank accounts to steal government support cheques. Fraudsters are also engaging in elaborate social engineering and reconnaissance schemes by creating fake LinkedIn accounts to probe for business operations procedures for large scale financial theft.
When it comes to cybercriminals, there is no weakness they will not exploit. Phishing schemes typically attempt to mimic local context and culture. Now there is a universal hook to get clicks: COVID-19 anxiety. Taking advantage of insecurities surrounding the pandemic, fraudsters have launched fake pandemic-related websites and contact tracing apps to infect computers. Now, they are even co-opting the language around the Black Lives Matter movement to spread malware.
Keep in mind that financial recessions typically become cyberfraud seasons. Part-time hackers and fraudsters have lost their jobs and are looking for a new source of income. Cybercrime will continue to increase, so now is the time to bolster your defenses.
The Future of Corporate IT & Remote Work
While the future won’t be 100% remote, today’s challenges can offer us lessons on what’s to come. Here are just a few trends we see developing in the months ahead.
It seems likely that the role of physical office spaces will change but not disappear entirely. In the short term, most companies are still beholden to lease agreements, and there will be a natural pressure for employees to come back and use these assets. Fund managers realize there is a crater coming to the commercial real estate market, but the effects of this blow are yet to be seen.
Rather than divesting from office space entirely, companies must focus on consciously building a company culture flexible enough to work remotely when necessary. From an IT perspective, we must rethink the onboarding process. Given churn, how do we onboard and get people up to speed in a remote environment? How do we handle new employees using their personal laptops? For older companies that are still addicted to physical paper processes, how do we create digital alternatives to these processes? Learning from our recent experience, we can identify the clear choke points.
In our rapidly-developing environment, companies and IT teams must adopt a forward-looking perspective. Planning for black swan events — like a global pandemic — was not taken seriously before. Now that we’ve learned our lesson, we must invest the time to scenario-plan and do tabletop exercises for crisis situations.
Start now by planning for the possibility of a second COVID wave. Employees returning to the office are likely to remain cautious about distancing. But as cybersecurity professionals, we know what will eventually happen: people get lax. A second wave could hit next week, and your security team could go offline. How will you respond?
The good news is that remote work during the pandemic has accelerated us toward a truly global workforce. Right now the demand for cybersecurity professionals far outstrips the supply. Those of us who have leveraged in-person networking must find alternative ways of building our teams, at least in the short term. But in today’s environment, we are no longer beholden to talent in the immediate vicinity. Building up capability in Europe and Asia can be cost-effective and allow for 24/7 operations. The potential talent pool is much greater, and so are the possibilities for up-leveling your team.
As cybersecurity professionals, we are on the cutting edge of changes in today’s volatile global economy. By critically evaluating our response to the first wave of the pandemic and learning from mistakes, we can adapt and fortify our teams to respond to threats and challenges in the uncertain times ahead.
June 22, 2020