The last time the world had seen a pandemic that caused this much disruption to daily life was in 1918, long before we conceptualized computers in their modern form. Nobody in the world expected a global pandemic to hit society like that again. How wrong we were. Statistics from the European Center for Disease Control put the number of infected in the world at a little over 3 million, with deaths totaling 227,000 all told. To limit the spread of the disease, several governments have enforced shelter-in-place orders as their fallback control measure.
A looming depression
One of the most significant impacts happened when many employees either lost their jobs or faced the option of remaining on no-pay leave. The Washington Post mentions that over 17 million Americans filed for unemployment benefits over the last month. In an economy like the United States, this is a scary prospect. Luckily, many companies that don't require the physical presence of their employees inside their offices have opted for remote working. However, while it is a positive solution that makes the best of a bad situation, it brings with it a new set of challenges for these companies to overcome.
Cybersecurity and work from home
With employees tasked with operating from their own homes, workplaces now have to open up their trusted databases and servers to computers that are not within their "circle of trust." Typically, commercial cybersecurity operates on a "moat-and-castle" analogy. Everything outside the company is considered unwanted, but things inside the wall of security are trusted. This sort of security setup comes with its own problems. Harvard Business Review notes that the most significant threats to cybersecurity happen from within the business itself. Now that companies have to open up their systems to their employees, the whole point of a "circle of trust" might just not exist since there's no way to ensure that those user machines are free of infection before establishing a connection.
The introduction of a zero-trust system
Moat and castle is a dated concept, and can't stand in the current atmosphere that requires a work-from-home perspective. The other paradigm that has surfaced to deal with this problem is the "zero-trust" system. In a zero-trust framework, there's no such thing as a "circle of trust," and cybersecurity departments assume that attacks can happen both internally and externally. To deal with these threats, users only get to use the least amount of resources necessary to perform their functions. Thus, whereas in a moat-and-castle system, all employees would have access to the whole network, in a zero-trust methodology, those employees would only have access to the systems they need to use.
For example, a programmer working on a particular page for the company's website doesn't need access to personnel records or company payment information. To ensure that this data remains secure, the company may store it on a separate "slice" of the server with further authentication systems attached. In situations like these, multi-factor authentication is one of the best ways to approach different levels of access to company resources.
Keeping different records on different parts of the company's server is known as micro-segmentation. This concept is an important one because it helps manage data breaches, should they occur. You can think of micro-segmentation as similar to bulkheads in a ship. If part of the ship's hull were to become compromised and start flooding below decks, the crew could seal off the bulkheads around the breach. This measure keeps the rest of the ship safe from flooding and ensures it can remain afloat.
Similarly, if a malicious user breaches the company's security, they are limited to what the user they are piggybacking on can access. Sensitive data can, therefore, be kept secure. Only accounts with high-level security access, protected by multi-level authentication, can reach the company's most sensitive data.
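The least-privilege and micro-segmentation ideas above can be sketched as a default-deny access check. This is an added example, not code from the article or from any framework it mentions; the segment names, roles and users are hypothetical and the data is constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: segments, roles and users are hypothetical.
SEGMENTS = {
    "website-source": {"sensitive": False},
    "personnel-records": {"sensitive": True},
    "payment-info": {"sensitive": True},
}

# Least privilege: each role lists only the segments it needs.
ROLE_GRANTS = {
    "web-developer": {"website-source"},
    "hr-officer": {"personnel-records"},
    "finance-clerk": {"payment-info"},
}


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    mfa_verified: bool  # True only after a second factor was checked


def decide(session: Session, segment: str) -> tuple[bool, str]:
    """Zero-trust decision: default deny, evaluated on every request."""
    if segment not in SEGMENTS:
        return False, "unknown segment"
    if segment not in ROLE_GRANTS.get(session.role, set()):
        return False, "role has no grant for segment"
    if SEGMENTS[segment]["sensitive"] and not session.mfa_verified:
        return False, "sensitive segment requires MFA"
    return True, "granted"


def reachable(session: Session, zero_trust: bool) -> set[str]:
    """Segments a session (or whoever hijacked it) can reach."""
    if not zero_trust:
        # Moat-and-castle: anything inside the perimeter is trusted.
        return set(SEGMENTS)
    return {s for s in SEGMENTS if decide(session, s)[0]}
```

Comparing `reachable(session, zero_trust=False)` with `reachable(session, zero_trust=True)` for the same session shows the bulkhead effect: a hijacked web-developer session reaches every segment in the first model and only `website-source` in the second.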
Who is most vulnerable to intrusion?
Even before the COVID-19 crisis, the most at-risk companies were those with less money to spend on cybersecurity. As Verizon noted in 2019, as much as 43% of all data breaches happened in small businesses. These breaches included things like phishing, insider threats, malware, or brute-force attacks on their secure databases. User data collected by small companies is a lot easier for hackers to get access to than data housed by large businesses.
Many large companies only fall prey to malicious users because of their own negligence and carelessness. Most of the recent enterprise-level hacks on large businesses came about because of poor implementation of security on cloud servers. Following this, the next most substantial volume of breaches happened because sensitive information was stored in plain-text format anonymously on the open internet. In both of these cases, the affected companies could avoid the issue by paying more attention to detail. Even so, these breaches were resolved in short order, because large companies have the money to throw behind them. Small businesses don't have the same luxury, and because of that, they need to spend more time in prevention since they can't afford the cure.
With many small businesses, the issue isn't so much about not wanting to spend money on cybersecurity, but rather a limitation of their budgets. Small businesses already operate on slim margins. The increased demand for cybersecurity resources needed for ensuring that all employee computers fall under their "circle of trust" is too much for any small business to bear and remain profitable in the long term. Luckily, there are ways that small businesses can start setting up their zero-trust cybersecurity framework that don't cost them much.
Managing the inherent risks associated with remote work
Some published, open-source frameworks for zero-trust systems already exist, such as the one developed by the National Institute of Standards and Technology (NIST). The robust framework they provide is highly extensible. Most security teams already have personnel versed in implementing cybersecurity measures; the framework just makes their job easier by giving them a basis for their edits. Skilled security teams can take these existing frameworks and incorporate a business's cybersecurity measures alongside the provisions that the code base supplies. The features such a structure offers include levels of authorization as well as data protection (both in-transit and stored).
Implementing increased security alongside requisite training to ensure that employees are aware of their role as stakeholders can go a long way towards preventing cyberattacks in a work-from-home type arrangement. These measures do require a deep dive into how the company implements its IT architecture. Being aware of the threats to the company's data ensures the cybersecurity team has measures to deal with these problems before they arise. The zero-trust system introduces protections that limit the scope of a breach, but preventing them still relies on educating staff on the way to avoid getting infected while online.
The new normal
Governments around the world have been discussing relieving quarantine orders once the number of infected has dropped to a more acceptable level. Even so, the way companies do business, especially with their employees, will change thanks to this pandemic. Businesses can no longer justify having their workers show up at offices if they can realistically and efficiently perform their duties at home. The heart of surviving this crisis and ensuring the company's data remains intact with these work-from-home orders starts and ends with the cybersecurity team. The measures they take will reverberate through the company's interaction with its employees for years to come.