What's Next After the Big 'Zero Trust' Welcome Back to the Office?

Businesses who changed overnight to accommodate the enforced displacement of workers from their desks to their own homes have been cautiously welcoming them (and their devices) back to the office.

The challenge is now to look beyond those reactive first 100 days since lockdown began and muster the effort to put lasting long-term security measures in place that address the new reality of work.  

The initial response in the face of a sudden crisis was the kind of superhuman focus you get when adrenaline flows. Things that were thought to take months are done in hours; adjusting working practices to remain operational, standing-up new digital business models, replacing physical interactions with virtual. Then came managing the knock-on effects of increased IT dependency, bandwidth demands, new applications and the need to secure it all.

Has this ‘fire-fighting’ proved a distraction away from the bigger picture? Or have you already begun to make the best out of the opportunities for improvement that only a crisis can create? Fighting fires is important, exciting and exhausting. Being short term they bring rapid satisfaction. However, it doesn’t take you forward to confront the radically different set of circumstances your organization’s wider cyber strategy needs to address.

Corporate information is everywhere whether you like it or not

Organizations must prepare for a future where (according to Gartner) 74% of CFOs plan to cash-in on the financial savings and productivity gains of a permanent work-from-home culture for most if not all employees. Whatever hybrid of office-based and remote working the future looks like – nothing is going to put the WFH genie back into the bottle. COVID has shaken things up and left many exposed to new levels of risk.

Policies need to be overhauled

Organizations must accept that the same endpoint devices will be used for personal and business use, and that employers have limited scope to dictate the quality or security of home networks. The de facto IT model is ‘buy your own device’, and a new strategic approach to security and IT policy needs to reflect this.

Enabling WFH technically isn’t the same as embracing WFH culturally

It is transparent to everyone that organizations facilitating universal work from home capabilities were forced into it. Therefore, previous suspicion of remote working as suboptimal (and people who do it as workshy and unaccountable) cannot be allowed to creep back.

Organizations must decide whether their culture permits or embraces WFH. Being more open like this can make it easier to promote user education of social engineering and other cyber threats in a WFH context.

Increased cloud adoption is good for business

The macro trend for digital transformation and continuous development is being driven by cloud-based IT consumption models, and the acceleration in containerized cloud workloads and remote working technologies is aligned with this. We are seeing in-house developed/hosted collaboration tools being progressively unfit for purpose, particularly with tools such as Slack becoming preeminent.

IT is no longer an effective gatekeeper

COVID has been an accelerant for good and bad. Shadow IT is a bit of both. The necessity of remaining productive in a new situation provoked a mass uptake of new communications and collaboration tools, and there is nothing you could do about it. You might have tried banning Zoom, for example, but employees cut off from friends and family would have fought you tooth and nail. IT needs to facilitate productivity and cope with new challenges, not be blocker on progress.

Remote access lacks long-term feasibility

Many organizations route user connections via the main corporate site, default tunneling bandwidth-intensive video communications over VPN so security policies are applied prior to accessing the public internet. This approach is becoming unsustainable now that data volumes have risen exponentially, causing performance and latency issues and the need to spend big on bandwidth and gateway/firewall upgrades at corporate sites.

There’s a real risk of users simply refusing to dial-in in this way, and instead use cloud-based subscription services over their own broadband. If the IT department cannot match the speed, responsiveness, scalability and ease of use of public cloud services then why should users obey IT’s direction to use inferior provisions instead?

Rearchitect endpoint detection and response

Most, if not all the changes that have come about since the onset of COVID, point to a renewed focus on application and endpoint protection. The perimeter has dissolved. The explosion in COVID-related phishing threats is symptomatic of how attackers view home-based endpoints as the primary vector and greatest opportunity.

Rethinking endpoint protection means confronting a reality without VPN connections and based on ‘buy your own device’ so that agents are autonomous, and continue to be effective even when offline. 

Now that the shock is over and the intensive period of response has subsided, organizations need to maintain energy levels for the recovery and rebuilding phases and switch out of short-term firefighting to a new long-term strategy to protect data as it is utilized in more dynamic and risky ways.

Endpoint protection demands re-examination with a fresh perspective in order to capitalize on the agility of cloud-based communications and collaboration without compromising privacy and security.

What’s Hot on Infosecurity Magazine?