The Importance of Including Telework in Business Continuity Strategies
The COVID-19 pandemic has had global impacts. One of the biggest changes for businesses was a forced transition to a remote workforce, a move that many organizations were not prepared for. This sudden shift to telework was not covered (or at least not appropriately addressed) in many organizations’ business continuity plans. As a result, many organizations have employees working from personal machines and onsite network and security infrastructure that is straining to manage the increased load of a mostly or wholly remote workforce.
This failure to properly plan and prepare for an event like the COVID-19 has created multiple security challenges for organizations. These challenges are numerous and diverse and include issues with scalability and user authentication. Securing a remote workforce may require architectural redesign and an understanding of what is Identity and Access Management (IAM) and how IAM relates to and is especially vital during the COVID-19 pandemic.
Security Challenges of Remote Work
Most organizations do not have a remote workforce. In the past, workers were kept on-site because remote work was infeasible, computers were too expensive to take home and modern telework solutions did not exist, and many managers only trust their employees to work effectively and diligently when the manager is able to keep an eye on them.
Despite the fact that modern technology has made telework possible in most industries and that research has demonstrated that employees are actually more effective when permitted to work from home, most organizations have not changed their telework policies. That is until COVID-19 gave them the choice to allow remote work or shut down for several months.
The sudden shift to a remote workforce has created many security challenges for organizations since they lack the infrastructure to support it and employees accustomed to working from home securely. Some of the greatest technical challenges faced by organizations are scaling their virtual private network (VPN) infrastructure and ensuring that a supposed remote worker is who they claim to be.
- VPNs Don’t Scale Well
VPNs work on a simple model: the client and server create a secure connection between them where all traffic flowing in either direction is encrypted. This ensures that the user experience is the same as if they were physically connected to the enterprise network.
However, VPN connectivity does not scale well. Each user requires their own connection to the VPN endpoint, and encryption and decryption of traffic is computationally expensive. As a result, an organization’s existing VPN infrastructure is likely to struggle under the increased load caused by the COVID-19 switch to remote work.
The VPN scalability issue can be solved in a couple of different ways. An organization can either try to scale their existing infrastructure, by adding more VPN endpoints and firewalls, or transition to a new model, such as software-defined wide area networking (SD-WAN). While making the upgrade can be expensive, having the infrastructure in place to secure a remote workforce is essential for business continuity in the face of events like COVID-19.
- Remote Workers Require Stronger Authentication
With a remote workforce, it becomes much harder for an organization to ensure that incoming connections to the enterprise network are legitimate. Under normal circumstances, it can be easy to ensure that sensitive data remains behind the company firewall since most requests come from internal machines. However, with a remote workforce, sensitive data will be leaving the network all the time in the course of normal business.
Traditional methods of identifying anomalous connection requests, such as comparing the location and timestamp of the request to normal patterns of use, may not work as well for a remote workforce. An assumption that employees work mainly from the home office during standard business hours doesn’t apply when employees are signing in from the couch to get some work done after putting the kids to bed.
A remote workforce requires stronger user authentication and access controls to minimize the probability of a data breach or other incident. Deploying a strong IAM solution, capable of identifying both a user and the device in use, and transitioning to a zero-trust security model puts an organization in a much better place for business continuity in the face of a sudden transition to telework.
Building Security for a Remote Workforce
The COVID-19 pandemic has demonstrated the shortcomings and holes in many organizations’ business continuity and disaster recovery plans. Despite the fact that a wide variety of situations could have forced such a change (natural disasters, power failure, pandemics, etc.), many organizations simply were not prepared to transition most or all of their workforce to telework in a matter of days or weeks.
The COVID-19 pandemic provides an opportunity for organizations worldwide to evaluate the effectiveness of their current policies and procedures and extract valuable lessons learned from a real-world crisis.
One clear takeaway is that, for most businesses, allowing employees to work remotely is not only possible but potentially desirable. Many organizations have transitioned relatively smoothly to telework, and, in many cases, employees are more efficient (without the need to commute each day) and companies lack the overhead associated with operating on-site facilities.
The other major lesson learned is the importance of being ready to adapt to new scenarios at short notice. Many organizations lacked the policies, procedures, infrastructure, and security to support a remote workforce. As a result, cybersecurity incidents and data breaches are likely to reach record highs in 2020.