When COVID-19 first hit and many organizations were faced with having to quickly enable their workforce to work from home, there was a lot of scrambling around to figure out how to get everyone up and running with the resources they needed from their homes. Employees were often using their personal devices (phones, tablets, laptops and desktops) to access company systems. They were also now using their home networks to connect to those resources. This meant that company data and customer data were now more exposed than ever. Security teams were seeing the nice safe walls they had built around their organization's data and resources demolished.
Many of these organizations had a Business Continuity Plan (BCP) in place. They had identified key personnel who needed to be contacted in case of an emergency, marked safe locations to go to, and designed systems that could fail over to other locations, but very few had planned for a pandemic that forced people out of their offices and into their homes so quickly and for such a long period of time. Cyberattackers took advantage of this change in behavior and were able to infiltrate organizations frequently over the past year. One key issue arose in organizations around the world: How can we secure access to our data and our customers’ data when our employees are using devices we cannot control and networks we have not secured?
Luckily, having to protect data that is being accessed from anywhere and from any device is not a new concept. A Zero Trust security model is based on the assumption that data could be accessed from anywhere, and it requires that all access requests to its data and resources be verified. There is, in fact, a new security design approach that is built on this idea of Zero Trust: cybersecurity mesh. A cybersecurity mesh is not based upon establishing a security perimeter to protect. Instead, it focuses on the identities of the people and the devices that are connecting to resources. This approach is going to have to be the cornerstone of security design of the future.
Traditional security design had set perimeters that it protected; the perimeters have been destroyed. Even when COVID-19 is under control and people can go back to working in their offices, the idea of work from anywhere is not going to go away soon. As the old saying goes, “The cat is out of the bag.” Businesses are no longer defined by the physical location where the work takes place. The work can take place anywhere. Business Continuity Plans now need to take this into consideration. Whether communication channels, networks, and basic services remain available beyond the office location could now become an issue. Whether that means that businesses need to start thinking about providing their employees with redundant internet connections is going to be up to them. But from a security perspective, it is and will continue to be imperative to rethink security design and assume that what was once only accessed from within a safe perimeter can now be accessed from anywhere and from any device.
We have certainly learned that having some sort of plan in place is imperative: supply chains can be disrupted, and people’s lives can be at risk, if we don’t have plans in place. If you haven’t done so already, now is the time to revisit your BCP and see if you have addressed all possible scenarios. If you need a checklist to refer to for ideas of possible disasters, you can use what has happened in the last year as a reference. The main lesson we have learned, however, is that we need to rethink how we have traditionally approached security design. Start with your BCP review; as you review, work with your security team to ensure that security needs are fulfilled with each contingency plan.