As the impact of COVID-19 continues to take shape beyond the initial business continuity efforts, organizations are now establishing new operating models that address unplanned, rapid, and massive shifts to a remote workforce. Deloitte’s US Cyber Risk Services leader, Deborah Golden, spoke with TechRepublic about the top 9 challenges she has seen enterprises face now that thousands of enterprises are weeks into the massive shift to remote work.
“Many people are making unplanned, rapid shifts in a very short period of time, with the majority of change being getting nearly everyone into a remote workforce situation. With that comes many changes to people, processes and technology,” Golden said. “Several of the challenges that we see highlighted with that are causing us to take a step back and look at the broader organizational cyber hygiene.”
SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic Premium)
1. Increased use of collaboration tools
One of the most publicized problems businesses across the world have been having is with collaboration tools that have had to scale up significantly since millions moved to working from home.
The problem also extends out to customers as well, as dozens of enterprises are forced to conduct official business over video or digital platforms.
“The need to have these types of tools and technologies has been in organizations prior to COVID-19 but have grown exponentially in use, so the desire to have video and voice at the same time while also sharing and collecting and leveraging for work has caused some challenges that we’re seeing across the board,” Golden said.
2. More devices mean more attack surfaces
Coming hand in hand with the need for collaboration tools is the need for a variety of devices now that people have to work away from their office computers and laptops.
Golden said it has been tough for enterprises to figure out how to outfit employees with new devices that they can use from home while upholding security and compliance protocols.
“We have a lot of clients who are working on desktop environments and all of a sudden, when you push to a remote workforce, you now have to worry about how to get devices, how to get laptops and how to get people to adapt to a cloud environment or use those types of operating platforms in order to connect for people that no longer have their desktop,” Golden said.
3. Unsecure home networks
Many enterprises had strict rules prohibiting employees from connecting to corporate networks from home, and those have had to go by the wayside now that everyone is forced to telework.
Enterprises now have no choice but to allow employees to connect to centralized corporate networking through home devices on home networks, increasing concerns of security teams that now have to manage an exponential growth in physical, logical connections to an organization’s operating environment.
“The speed with which this is going is forcing people to implement things in a fairly hasty fashion and that’s to be expected, but at times some of those fast decisions are causing a lack of sufficient hardening of security controls. And perhaps someone may say ‘I’ll come back to that later’ simply because they’ve got days, if not weeks, to actually set up some of these environments,” Golden said. “So some things may be put by the wayside while focusing on mission critical safety of humans or mission critical business objectives.”
4. Insider threats
Insider threats have always been a problem, but because of the drastic changes in the economy, businesses have had to make tough decisions in terms of personnel. Labor department statistics show that nearly 10% of the American workforce filed for unemployment, and those numbers may double the longer the economy is forced to retract as part of efforts to contain the coronavirus pandemic.
“From an economy perspective, you’ve got more and more potential for insider threats as we see disgruntled or displaced employees and contractors, obviously with the growth in unemployment. The challenges that are faced with those individuals are increasing insider threats and are also becoming a large potential opportunity for cyber challenges in an organization,” Golden added.
SEE: Secure your data with two-factor authentication (free PDF) (TechRepublic)
5. Compliance challenges
For enterprises in more regulated industries, telecommuting presents even more problems. Golden noted that surprisingly, some organizations have said regulations have been alleviated since the crisis while others say everything needs to stay the same as it’s always been in terms of compliance.
“The challenge we have is that because of the pace that things are moving, it’s really difficult to understand your existing baseline which is changing daily. How do you abide by the compliance and regulations that a particular industry or client needs to abide by?” she said.
6. Larger adversarial landscape
Golden highlighted the huge security risks enterprises face with people far away from IT teams and security parameters present in most workplaces.
With the expansion of the network, technology, devices and operational environment, there is now a giant adversarial landscape.
“Bad actors have many new ways to get in and out of your organization now, much of which may or may not have been protected and may or may not be regulated in this time of chaos,” Golden said. “We’ve now expanded this adversarial landscape, which is also making it difficult for organizations to be able to track, let alone hunt, these bad actors.”
One of the biggest problems with home networks is that you are not alone in using them, giving cyberattackers more ways to get into your network. A person’s children, parents, siblings, or partners are also connected to the home network, so how do enterprises secure these home networks so they’re not leveraged to gain access to your organization?
7. Lack of talented cybersecurity officials
Companies were already struggling to fill cybersecurity positions and there has been a longstanding dearth of talent available for enterprises, even before organizations were struggling with dozens more devices and networks to secure.
“We’ve got the chaotic nature of the environment. We’ve got the changing aptitudes when it comes to the people and the process. And we’re forcing our cyber professionals to work even harder, faster and quicker when they were already short in terms of supply,” Golden said.
8. Stress on employees
With all of these operational changes and in some cases a severely reduced workforce, employees are now being forced to do more work and perform different jobs to make up for any drastic changes an enterprise is undergoing.
Fewer employees are being asked to take on more roles and responsibilities. Some organizations are dealing with people leaving because of COVID-19 concerns, leading to people picking up the jobs that are now left by individuals that can no longer perform them.
“We’re giving access to individuals who in the past may not have performed that job. How do you make sure you sustain and control the identity of that person, the applications they have access to and what they’re provisioned to do so they don’t have some inordinate amount of access,” Golden said.
9. Supply chain issues
Even if an organization is able to avoid all of these concerns and problems, they may have no choice but to deal with them because they are intimately tied to other companies in their supply chain. While this may not be a huge concern for smaller businesses, larger enterprises are facing the prospect of suppliers or partners who may have lapses with any one of these many concerns.
“The other challenge that both large and small businesses have, but particularly small businesses have, is the supply chain. When you think about that impact, much of the supply chain could be made up of small businesses or large ones that may have to tackle liquidity challenges and then the economy in general,” Golden said.
This will be a difficult stretch for all enterprises, but Golden said organizations should focus on the basic cyber hygiene that they turned to in the past. Make sure everything is encrypted and that all video meetings have passwords.
Many of the basic cybersecurity rules and measures still apply, but there may be room for more modern security technology like artificial intelligence and machine learning that can help mitigate some of the concerns business leaders have.
“As we continue to look forward and we continue to understand where we’re headed from a marketplace perspective, going back to the basics and understanding the baseline are great,” Golden said.