Business continuity management has been top of mind for large and extra-large organisations, regulated enterprises, government agencies and organisations with complex business operations for a number of years now, according to research firm Gartner. However, business continuity management activities tend to be lax or missing altogether in the SMB space, and Gartner expects to see more SMB adoption in the next half-decade.
Business continuity plans have tended to focus on the risk posed by natural disasters such as earthquakes, hurricanes, tornadoes or fires, or on civil unrest such as wars, riots or military occupation. A global health pandemic like COVID-19—where no company property was destroyed but staff would be asked to work remotely for months or even years—tended not to factor into their risk calculations at all.
CRN spoke with 11 cybersecurity vendors, solution providers and industry organisations about the issues a coronavirus business continuity plan must address. From implementing user-specific access control policies and presenting applications through the cloud to preparing for staff augmentation and core system outages, here are the key pieces of any good plan.
Staff augmentation plan in case workers fall ill
Organisations should think about having a retainer-based model that provides immediate access to the right type of expertise in the event of a natural or health disaster, according to Harpreet Sidhu, who leads the global managed security services for Accenture. The staff on retainer should know how to support, maintain or recover the organisation’s environment.
Accenture saw clients in retail, manufacturing, oil and gas and financial services have a situation arise during the coronavirus pandemic where employees couldn’t back one another up for health reasons, Sidhu said. The cost of having workers on retainer shouldn’t be very high, and Sidhu said it’s another way for businesses to ensure they have the right coverage in the event of widespread illness.
Businesses typically have a primary, secondary and tertiary person designated to support a given service, but people with secondary or tertiary designations often have primary designation on other functions, which Sidhu said can result in a logjam. Organisations that find that their entire support team would be affected by three or fewer workers falling ill should get a staff augmentation retainer, he said.
Strategy for addressing outages while working remotely
Organisations should ensure their systems are designed to fail over and continue running without human intervention, according to Kieran Norton, cyber risk services infrastructure solution leader for Deloitte Risk & Financial Advisory.
Businesses probably didn’t have a bunch of people sitting in a data center during the worst of COVID-19, meaning that they must ensure they’re able to bring up core systems in a rapid fashion using remote access in the event of an outage. Norton said this requires a different level of technical capability, planning and design. For starters, businesses must be able to access and communicate with core systems remotely.
Server architecture running out of internal data centers is incompatible with remote work if the server hard drives need to be replaced, if a section of the data center goes down and must be brought up manually, or if a failover requires people to run data backups when getting the other system up and running. Conversely, apps architected for the cloud can easily redirect resources and continue operating.
Ability to present key apps through the cloud
Cloud services like Amazon AppStream offer pure virtualization access from anywhere, meaning that organisations should take an inventory of their VPN capacity to determine if they’d need to present some applications through the cloud in the event of a shutdown, said McAfee Chief Information Officer Scott Howitt.
If a network becomes unavailable during a natural disaster, he said key apps can be presented through the cloud so that vital elements of the business will remain operational even if going to the office is not permitted as it was in certain countries during COVID-19. In this scenario, only the virtual interface is situated on the device rather than the content itself, meaning it doesn’t matter if employees are using personal devices.
Redundancy and availability are built into the cloud automatically, Howitt said, while in a traditional environment, the users would have to build in the redundancy themselves by having a presence in multiple data centers. Howitt said he expects more cloud providers to come out with their own version of AppStream.
Rapid shift to cloud-based technologies
High-performance VPN and endpoint security tools spanning both corporate and personal devices allowed businesses to access corporate and internal resources from anywhere during the coronavirus pandemic, while older computers, poor throughput firewalls and unscalable two-factor authentication were really put to the test, said Brian Babineau, senior vice president and general manager for Barracuda MSP.
Embracing the cloud really helped with business continuity during the worst of COVID-19, with businesses frequently turning to Zoom, Box and Dropbox and accelerating Microsoft Exchange to Office 365 migration projects, he said. Most of the older technology was designed to be run inside a building, and only works fast if the firewall and applications are running in close proximity and connected via a wire.
The performance of technology is really magnified when no one is sitting next to the tool in question, and Babineau said newer technologies are designed to serve customers better in the remote world. Many organisations previously only had a few remote workers with VPN access to corporate resources, and Babineau said the rapid shift to remote work has been a recipe for downtime and help desk calls.
More granular control over remote access rules
VPN provides connected users with universal access to the system, so if an adversary gains control of a VPN connection, it also has access to the whole corporate environment, according to Dan Schiappa, chief product officer at Sophos. A zero-trust model, by contrast, ensures employees don’t have access to anything other than the resources they need, and only for the duration in which that access is necessary.
Zero trust provides better controls over users and applications for traveling salespeople or remote workers, and provides equal access to all workers in departments like sales and accounting, which is probably sufficient, Schiappa said. But certain roles like malware researchers might require an encrypted channel to allow them to securely work with malware, according to Schiappa.
Unless both the resource and application are internal and cloud-based, Schiappa said it’s important for organisations to understand which users should have access to what materials. For instance, a technical company might have source code in the cloud, so figuring out who in the organisation needs access to that source code might take time and effort, according to Schiappa.
Modifications for control based on physical location
Any security control that was based on physical location has needed to be reconsidered during the coronavirus pandemic since the organisation can’t guarantee that the computer or device is where they expected it to be, said Morey Haber, chief technology officer and chief information security officer at BeyondTrust. In contrast, a zero-trust model doesn’t care where the user is logging in from.
Physical location-based security controls can include access controllers for networks as well as network zoning, both of which Haber said were standard for any office-based environment. But now, Haber said businesses need to shift away from a model that permits access inside a specific geolocation and instead look at the trustworthiness of the device itself, with additional gating for BYOD situations.
Swapping location control with something more obtuse can give organisations more confidence that a user and device are who they say they are, according to Haber. A bank in Europe that works with BeyondTrust had to drop all physical location security controls to facilitate work from home during COVID-19, which Haber said required the company’s CISO to jump through some very challenging hoops.
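The two slides above describe the same shift from two angles: replacing a flat VPN tunnel with per-resource, time-bounded access (Schiappa), and replacing "is the device inside the building" with "is the device in a trustworthy state, with extra gating for BYOD" (Haber). The following is an added illustration written for this page, not code from the article, Sophos or BeyondTrust. It is a toy policy-decision function; the users, roles, resources, posture fields and the list of managed-only resources are all constructed assumptions.

```python
"""Added example (not from the CRN article or any quoted vendor): a toy
access-decision function contrasting the two models discussed above.

- Flat VPN model: an authenticated tunnel reaches every internal resource.
- Zero-trust model: each request is checked against the user's role, the
  specific resource, a time-bounded grant, and the device's posture, with an
  extra gate for unmanaged (BYOD) devices on sensitive resources.

All users, roles, resources and posture fields below are constructed for the
example; none are taken from the article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Device:
    managed: bool         # enrolled in corporate device management (not BYOD)
    disk_encrypted: bool
    os_patched: bool
    edr_running: bool     # endpoint detection/response agent healthy


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    expires: datetime     # time-bounded: access lapses without anyone revoking it


# Hypothetical role-to-resource entitlements.
ROLE_RESOURCES: Dict[str, set] = {
    "sales":      {"crm", "email"},
    "accounting": {"erp", "email"},
    "developer":  {"source-code", "ci", "email"},
}
USER_ROLES = {"alice": "sales", "bob": "accounting", "carol": "developer"}

# Hypothetical: resources where a BYOD device is never enough, whatever its posture.
MANAGED_ONLY = {"source-code", "erp"}

INTERNAL_RESOURCES = set().union(*ROLE_RESOURCES.values())


def vpn_model_decision(authenticated: bool, resource: str) -> bool:
    """Flat VPN: once the tunnel is up, every internal resource is reachable,
    so a hijacked tunnel reaches everything behind it."""
    return authenticated and resource in INTERNAL_RESOURCES


def device_trusted(device: Device, resource: str) -> bool:
    """Posture check standing in for a location check: the question becomes
    'is this device in a known-good state', not 'is it on the office LAN'."""
    healthy = device.disk_encrypted and device.os_patched and device.edr_running
    if not healthy:
        return False
    if resource in MANAGED_ONLY and not device.managed:
        return False      # BYOD gating for sensitive resources
    return True


def zero_trust_decision(user: str, resource: str, device: Device,
                        grants: List[Grant], now: datetime) -> Tuple[bool, str]:
    """Per-request decision; returns (allowed, reason) so the reason can be logged."""
    role = USER_ROLES.get(user)
    if role is None or resource not in ROLE_RESOURCES[role]:
        return False, "no role entitlement"
    if not device_trusted(device, resource):
        return False, "device posture insufficient"
    for g in grants:
        if g.user == user and g.resource == resource and g.expires > now:
            return True, "grant valid until " + g.expires.isoformat()
    return False, "no active grant"


def run_demo() -> Dict[str, bool]:
    """Exercise both models on constructed requests; returns the allow/deny outcomes."""
    now = datetime(2020, 4, 1, 9, 0, tzinfo=timezone.utc)
    managed = Device(managed=True, disk_encrypted=True, os_patched=True, edr_running=True)
    byod = Device(managed=False, disk_encrypted=True, os_patched=True, edr_running=True)
    unpatched = Device(managed=True, disk_encrypted=True, os_patched=False, edr_running=True)
    grants = [
        Grant("carol", "source-code", now + timedelta(hours=8)),
        Grant("alice", "crm", now - timedelta(minutes=1)),   # already expired
        Grant("bob", "erp", now + timedelta(hours=1)),
    ]
    return {
        "vpn_any_resource":  vpn_model_decision(True, "source-code"),
        "carol_src_managed": zero_trust_decision("carol", "source-code", managed, grants, now)[0],
        "carol_src_byod":    zero_trust_decision("carol", "source-code", byod, grants, now)[0],
        "alice_crm_expired": zero_trust_decision("alice", "crm", managed, grants, now)[0],
        "alice_src_no_role": zero_trust_decision("alice", "source-code", managed, grants, now)[0],
        "bob_erp_unpatched": zero_trust_decision("bob", "erp", unpatched, grants, now)[0],
    }


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The point of returning a reason string is operational: when the same user is denied for "device posture insufficient" on a personal laptop but allowed from a managed one, the help desk sees why, which matters when a control based on geolocation or network zone has just been removed.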
Security controls that work outside office perimeter
Businesses should understand where their data sits, what redundancy looks like for them, and the order in which certain systems would be brought back online to get the business running in the most efficient way possible, said Seth Robinson, senior director of technology analysis on the CompTIA research team. Companies should understand which systems are critical to what piece of business operations.
Many companies are wrestling for the first time with how they can secure data itself rather than assuming data is secure based on its location, Robinson said. With the coronavirus forcing more workers outside the secure perimeter of corporate headquarters, Robinson said businesses have needed to put identity and access management controls in place to ensure their systems are safe for remote work.
Rather than giving employees full access from their laptops at home, Robinson said the IT department has typically pulled security into the back end of the system through VPN or a virtual desktop. For many businesses, Robinson said it is their way of dealing with the notion that workers have left the secure perimeter.
Strategy for securing endpoints in absence of firewall
Security during the coronavirus pandemic lies a lot in ensuring endpoints are protected since organisations no longer have a big firewall to hide behind, according to (ISC)2 Chief Information Officer Bruce Beam. With other family members downloading who knows what on the home network the employee is currently using, Beam said companies need to think about security in depth.
From anti-virus software to always-on VPN, Beam said there are many things businesses can consider implementing to provide comprehensive endpoint security to a remote workforce. When it comes to working outside the office, Beam said users are definitely the new attack vector.
When COVID-19 began, Beam said businesses were buying all the computing equipment they could at Best Buy and handing out devices of unknown name and origins to get employees online. Businesses have needed to embrace remote working at some level and figure out a long-term strategy for providing products and services to an employee base that’s spread around the world, Beam said.
Segmentation for devices on home networks
A zero-trust model dictated that companies treat their corporate LAN like public Wi-Fi, and now that everyone is off the company network due to COVID-19, the situation aligns with how businesses had already thought about it, said Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy. There are only a few things a typical work-from-home endpoint should ever touch, he said.
Allowing an attacker to move laterally from a remote endpoint is a huge risk for organisations, especially as it relates to minimizing damage from any potential ransomware infestation, Kalember said. As VPN was rolled out in a panic in February and March, Kalember said personal devices sitting behind cable modems could come straight into the network if they felt like it.
There’s a huge potential for lateral movement following escalation of privileges by an adversary if the compromised device isn’t segmented from the rest of the corporate environment, Kalember said. Network detection and response (NDR) technology can help locate attackers who are moving laterally in the company network, and businesses should also be hunting for devices displaying attacker behavior.
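Two of the points above lend themselves to a concrete hunt: a work-from-home endpoint should reach only a short list of internal services, and one remote client fanning out to many internal hosts on administrative ports is what lateral movement looks like in the flow data. The following is an added example written for this page, not code from the article or from Proofpoint. The log format, addresses, allowlist, port set and threshold are all constructed assumptions; a real deployment would take these from the firewall or NDR product's own export.

```python
"""Added example (not from the CRN article or Proofpoint): a small hunt over
constructed firewall/flow records for VPN clients.

1. off_allowlist(): flows from remote clients to anything beyond the few
   internal services a WFH endpoint actually needs.
2. lateral_fanout(): a single VPN client contacting several internal hosts on
   admin ports (SMB, RDP, WinRM, SSH), the classic lateral-movement shape.

Log format, addresses, allowlist, ports and threshold are invented here.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple

VPN_POOL = "10.8."                 # constructed: address range handed to VPN clients
# Constructed allowlist: the only (host, port) pairs a WFH endpoint should touch.
ALLOWED = {("10.1.1.10", 443),     # intranet portal
           ("10.1.1.11", 443),     # ticketing
           ("10.1.2.5", 389)}      # directory lookups
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}
FANOUT_THRESHOLD = 3               # distinct internal hosts on admin ports from one client

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    action: str


def parse(lines: List[str]) -> List[Flow]:
    """Parse the constructed 'ts src= dst= dport= action=' format; skip malformed lines."""
    flows = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue               # a bad line should not abort the hunt
        flows.append(Flow(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                          m["src"], m["dst"], int(m["dport"]), m["action"]))
    return flows


def off_allowlist(flows: List[Flow]) -> List[Flow]:
    """Permitted flows from VPN clients to anything not on the short allowlist.
    Each one is a segmentation gap: the firewall let a remote endpoint reach it."""
    return [f for f in flows
            if f.src.startswith(VPN_POOL) and f.action == "allow"
            and (f.dst, f.dport) not in ALLOWED]


def lateral_fanout(flows: List[Flow]) -> Dict[str, List[str]]:
    """VPN clients that touched >= FANOUT_THRESHOLD distinct internal hosts on
    admin ports. Denied attempts count too: blocked probing is still a signal."""
    targets = defaultdict(set)
    for f in flows:
        if f.src.startswith(VPN_POOL) and f.dport in ADMIN_PORTS:
            targets[f.src].add(f.dst)
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= FANOUT_THRESHOLD}


# Constructed sample: one well-behaved client (10.8.0.14), one client that
# starts sweeping SMB/RDP/WinRM (10.8.0.77), one non-VPN flow, one malformed line.
SAMPLE_LOG = [
    "2020-03-20T10:01:02Z src=10.8.0.14 dst=10.1.1.10 dport=443 action=allow",
    "2020-03-20T10:01:05Z src=10.8.0.14 dst=10.1.2.5 dport=389 action=allow",
    "2020-03-20T10:02:11Z src=10.8.0.14 dst=10.1.1.11 dport=443 action=allow",
    "2020-03-20T10:03:00Z src=10.8.0.77 dst=10.1.1.10 dport=443 action=allow",
    "2020-03-20T10:03:14Z src=10.8.0.77 dst=10.1.5.20 dport=445 action=allow",
    "2020-03-20T10:03:15Z src=10.8.0.77 dst=10.1.5.21 dport=445 action=allow",
    "2020-03-20T10:03:19Z src=10.8.0.77 dst=10.1.5.22 dport=3389 action=allow",
    "2020-03-20T10:03:22Z src=10.8.0.77 dst=10.1.5.23 dport=5985 action=deny",
    "2020-03-20T10:04:40Z src=10.1.5.20 dst=10.1.5.21 dport=445 action=allow",
    "this line is garbage and should be skipped",
]

if __name__ == "__main__":
    flows = parse(SAMPLE_LOG)
    for f in off_allowlist(flows):
        print(f"off-allowlist: {f.src} -> {f.dst}:{f.dport}")
    for src, hosts in lateral_fanout(flows).items():
        print(f"fan-out from {src}: {len(hosts)} hosts on admin ports {hosts}")
```

Running it against the constructed sample flags three permitted connections from 10.8.0.77 that a remote endpoint had no business making, and the same client as the only source fanning out across four internal hosts. The first list is the segmentation fix to make; the second is the host to isolate and hunt on.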
Health checks to spot potential vulnerabilities
Health checks allow solution providers to create an overview for customers of where they’re strong, where they’re vulnerable and what steps they should take to mitigate those vulnerabilities, according to Kurt Mills, Mimecast’s vice president of channel sales. There have been a lot more front-end discussions around health checks since the onset of the coronavirus pandemic from concerned customers, he said.
With IT departments very focused on keeping their organisations up and running in the virtual world, Mills said it has become very difficult for customers who took a best-of-breed approach to technology procurement and are now stuck managing more than 40 disparate tools. Mills advised IT departments to take a step back and really think about whether the company needs everything that’s been procured.
Specifically, Mills said businesses should consider if they’re overpaying for technology, if they can consolidate the number of disparate tools they’re using, and if there are certain vendors that can help drive that consolidation. Problems organisations were unaware of became more apparent during the coronavirus pandemic as employees worked apart from one another at their home offices, he said.
Visibility into users and devices seeking remote access
Employers were moving their entire company remotely so quickly during the early days of the coronavirus pandemic that they didn’t always know what types of devices should be seeking virtual access to the corporate network and if they had permission to do so, according to Frank Lento, senior director and global head of Cisco’s Global Security Sales Partner Organisation.
As a result, Lento said businesses were challenged to ensure they were working in a trusted environment and had secured both workforce and workplace. With remote work potentially becoming permanent, Lento said customers and employees need to become comfortable working in a remote location and being secure.
Some of the most effective ways to secure remote workers include endpoint security, multifactor authentication and DNS protection to defend against malware, Lento said. When COVID-19 began, people and equipment moved rapidly to keep businesses profitable and productive, and companies are now doubling back to make sure their security tools are keeping their data safe and compliant.