What does remote working mean for security?
Chair: Martin Gill
- Linda Florence (US)
- Mike Reddington (UK)
- Samuele Caruso (Italy)
- Dave Tyson (US)
Working from home is not new, but it is on this scale. The speed of change makes it far from clear that remote working is taking place securely. Often, equipment is being used for a different purpose, processes are being tested in a different way, any staff training and preparation for implementing security largely took place in a different context when there was a different culture. Remote working has different demands, the balance between home and working life can become blurred and that is not easy for all people to manage. For some it can be quite isolating, home environments for all sorts of reasons are not necessarily conducive to work, even in good times. Some people may become depressed, there may well be mental health issues and how are these being identified and managed? Even though resources are being directed at managing the crisis this cannot go on forever, some surely will be disillusioned, what then?
Security personnel have been occupied managing many different aspects and consequences of the virus, have the specific requirements of remote working security kept apace? How many companies are sure that the people accessing their systems are staff that are entitled to do so? How many can trust their employees not to become rogue, and what about disgruntled ones? What about those who are no longer part of the company, are companies sure that their access rights have been removed?
In these chaotic times some business continuity arrangements have been found wanting; the sheer duration of the crisis was not foreseen. The financial pressure on companies has resulted in cutbacks, including for security, albeit the demands have not always lessened and in some cases they have increased. Then there are staff absences which take a toll. In this time, when security staff are stretched, focusing on the security requirements of remote working has been seen as a distraction, this is to underestimate its importance.
What we don’t know is what the model for business will be going forward. Will there be an operational shift to remote working? Already influencing leaders in organisations about security is not easy and not being in close physical proximity may not make this easier, certainly new ways of influencing may be needed. The crisis in some cases, and the weaknesses in some approaches, has exposed a lack of strategy and this will need to be addressed. It is easier at this stage to identify some of the security questions than it is good answers. For example, the relationship between physical, electronic and cyber security, is it optimal? Is convergence and enterprise security risk management at the core of operations and should they be? What guidelines need to be written for employees in the new world, and how can they be best communicated to encourage adoption? How can remote workers be effectively engaged generally and with regards to security? What sort of information do they need, how can they be incentivized to follow good security practices? What skills will security teams need to be effective?
Remote working does not apply to everyone. Many security people are at the forefront, as Dr Linda Florence says, often the first to arrive and last to leave. Staff are finding themselves in new situations that are without modern precedent. There has been a need to adapt as events unfold, to learn on the hoof. The scale makes this difficult.
Only time will tell whether remote working becomes more of a norm. In the meantime, we need to be aware that security is identifying loopholes that need to be tackled and these are important. The consequences can be enormous yet they have received relatively little attention. What we know for sure is that situations where security is weak provide fertile ground for one group, who are unfortunately good at what they do, they are collectively called (cyber) offenders.
Points from the panelists’ opening statements
Dr Linda Florence
It is not always possible to be remote, security personnel not only need to be present they are often the first there and the last to leave, this is still the case in a crisis. Moreover, companies have needed additional officers.
In a different way business continuity is at the forefront and sometimes people are finding that they are having to act without expertise and security is part of this. We need to remember this is affecting the entire world and we have not experienced anything like this before.
The level of increase in remote working has been dramatic, and the need to adapt to new ways of operating has been sudden. Questions are arising about whether staff have the right equipment, and whether they can operate it fully. Data protection has been a significant issue in recent years but are all companies aware of the risks posed by new ways of working and are they sure staff are not storing data locally for example? There is a need for a remote working culture, taking time to learn about new ways of working, and new requirements for security, from colleagues. The security guidelines that apply to security need to be understood.
Business Continuity plans have been tested and many companies found they didn’t go as planned. Often, they did not anticipate a crisis of this duration. There is pressure to act quickly, it is a busy period, but many CISOs are being required to cut their budgets – this is a financial crisis too after all – sometimes by a half. There are always dangers when fear drives behavior. And people are going sick, data centre managers are losing staff with implications for the security of data there . Meanwhile, remote working has provided opportunities for cyber criminals, the number of attacks are increasing. There are dangers in using equipment from home, but the issues are magnified by the difficulties in scaling up security that is fit for purpose. In a different way some aspects of business continuity restrict the ability to communicate effectively with remote workers.
Times may have changed but many of the old risks still exist albeit the context is different. It is no longer so easy to guard the perimeters, either in the physical or cyber world, the security arrangements in both is being tested. There was not enough preparation for a crisis quite like this one and there has been a need to adapt, to rethink policy as events unfold. Then there are the new risks emerging, for example, verifying that the people accessing systems are in fact employees and entitled to do so.