Updated: Mar 31, 2020
COVID-19, mistakenly referred to by many as “the coronavirus” (there are many coronaviruses, but the one we’re all worried about is specific), is global and has affected just over 100,000 people directly and millions indirectly. For years we’ve heard in Information Security that “the perimeter is dead,” but now is the time that we test it as some companies look at completely closing physical access to buildings at scale in the coming weeks. The IT perimeter definitely exists; we can point to firewalls and DMZs and a loose correlation in most companies between some types of digital assets and the physical boundaries of the company. But the notion that the perimeter can stop serious, advanced attacks has long been put to rest. The real test now is if the business can survive outside of the perimeter, immediately, and if so, how to secure it.
Older companies in particular have some functions in G&A, operations, manufacturing and other key functions that are still very much tied to physical locations and to older IT stacks that even when IP-enabled are still only allowed local access and interaction. ERP systems and some mainframe applications are good examples of this; it’s not that they can’t be enabled for remote access but rather that many have not been allowed access from beyond the perimeter.
There are three simultaneous problems to solve for any business faced with frightened employees or with customers and partners who don’t want to meet face-to-face. These are (1) policies about the current crisis, (2) maintaining as many business functions as possible when no one comes to the office and (3) securing the Enterprise when the office becomes only a mailing address. Let’s look at these one-by-one, but first keep in mind that you don’t have to remove all risk. The golden rule is that companies exist to take acceptable risk for acceptable return on behalf of their shareholders; but we’ll come back to that at the end.
First, the “policies on the (COVID-19) crisis” problem. The genie is out of the bottle and the infection is real. Some nations are reporting numbers accurately and some are definitely not. Which is which is hard to say, but with COVID-19 being so infectious and persistent as long as it has active carriers, it’s a risk. The data at this time, inasmuch as it can be trusted, shows its growth slowing and its lethality dropping. That can change, however. As executives of any stripe, it’s important to be aware of how dangerous this really is or isn’t and to dedicate people to understanding the data and the facts as they change. Most importantly, know that the data is lagging real-time, hard to verify and subject to change. No matter how you look at it, COVID-19 has some tricks left and is likely to surge and recede before it runs its course.
This brings us to meme-space and specifically to the idea of COVID-19 in the popular mind and imagination. Make no mistake, this is a very real and potentially very dangerous space; the meme-space is as real as any physical space. In addition to tracking the data, business executives and security professionals should also track the discussion and information about COVID-19. The idea of COVID-19 will have a life of its own, and will only loosely correlate to the data that you’re tracking from the first exercise. Do not dismiss fears or emergent behavior as irrational because they don’t track the data but rather deal with the ideas as fully real and deserving care and attention. If your employees are afraid to come to work, that’s real and needs to be respected and addressed. If your customers and partners don’t want to shake your hand or new protocols emerge around interpersonal interactions, that is likewise very real and will require thoughtful consideration and policy making.
Next, the “maintaining business functions” problem. At some point, whether in the current X-demic (“X” is used here since calling it an epidemic or a pandemic seems to be political and a subject of debate at this time) or at some future point when the next X-demic arrives, companies will have to look function-by-function and as a whole at the need to free themselves of all perimeters and still maintain operations, perform transactions and manage risks. Now is the time for some to decide who gets to stay home and who doesn’t or, perhaps, to get ready for such a time. If you’re in an unaffected geography, do the homework now. If you’re in the thick of it in a country like South Korea, it’s decision time; and now is the time for IT to shine.
For some this is an easy transition, especially smaller and newer companies that are already more-or-less remote businesses. For most, some functions are already remote, like sales or field marketing; but be careful because the nature of activities, travel, expenses, processes and the like will change. Your sales people may not be in the office since they are in other people’s offices, but that doesn’t mean they are ready to keep performing when told to stay at home. And of course there are some more traditional businesses that aren’t ready at all for being cut off from physical buildings like factories, headquarters and customer-serving premises in hospitality, retail or transportation to name a few. Perhaps the most important thing to do is to ensure that HR and IT continuity support are if anything overly generous at this point in time: if people feel isolated, feel unsafe or can’t get support they may panic and suffer needlessly.
All of this brings us to the “securing the Enterprise when no one comes to the office” problem. And this is hard to generalize since there are so many types of business. However, here’s a list of the basic things to consider; but don’t just read and panic. Rather, read this list and make some notes in an unordered list. This will form the first step of a plan because you can’t do it all and you shouldn’t try. Your job as an executive, security or otherwise, is not to eliminate all risk but rather to reduce risk in an optimal manner. So without further ado, here is the list of things to consider:
Identity: is your source of corporate identity accessible to the outside? Do you use strong authentication in all cases and, if you suddenly switch it on, will people be able to assert their identity in a strong manner, and will that allow them to authorize and exercise entitlements? In layman's terms, will they be able to claim their identity in a way that you trust and do the things they are supposed to do?
Remote Access: you might have some employees remote right now, but are all of them remote? Do you allow insider information, source code or strategic project documents like named M&A projects to be accessed remotely? Obviously, the VPN and your extranet strategy here matter and burst licensing might be required from suppliers, but consider by department what new data types are being accessed and what this exposure might mean from a risk perspective.
Endpoint Security: this is more than just hygiene and checkmarks, as are common with EPP solutions: DLP, Antivirus, Personal Firewalls, etc. While these are important, the endpoint is about to become for many the newest, most distributed place where your corporate data exists.
Mobile: amazingly, this might be the simplest on the surface of all endpoints because many companies already allow personal phones or have a BYOD policy. However, even before going remote, mobile is still a vulnerable medium and needs better security measures generally. Now might not be the time to beef up mobile, but the day is coming post-crisis when that is likely to be the hottest risk area for many businesses.
Laptops and Desktops: In a very real way, every employee will be working on data that is by definition outside the perimeter. If you don’t already use tools like Full-Disk Encryption, now is not the time to turn it on blindly but rather to take note of what data is most sensitive and to come up with a policy for data-at-rest outside the company.
Security Operations and IR: security operations and incident response are often group activities with highly specialized collaboration and tool use. Can your employees exchange ideas, talk, meet ad hoc, exchange data and so on securely? It might be time now to send a few home and make sure that the work can still be done before everyone potentially heads home for a few weeks.
Physical Security: this might be one of the biggest areas of concern. When your employees take the machine home, what is their home work environment like? With other family members present and perhaps connecting on live social media streams, bringing other devices nearby or even the security of facilities, do you have simple policies that real human beings can follow to protect keyboard access, employee safety and media security? Do you have policies for what employees should do if they have a home break-in, if they suspect someone is eavesdropping on them in their personal space or if they feel unsafe working in their home environment? Remember, not all employees have a home and personal space outside the office like yours.
Awareness Training: it might be a good time to encourage a refresher in awareness programs and training as people move home. It will give them something to do and make them actively conscious of security issues. I suspect that there will be a few new modules in most awareness curricula soon around working from remote or at least an emphasis on these, but you can always encourage the creation of a new module around your company’s move.
Let’s return to the unordered list you are probably keeping now on a piece of paper, in a text document or in your head and to the notion that companies exist to take acceptable risk for acceptable return on behalf of their shareholders. This might seem self-evident, but executives who are contemplating closing premises for COVID-19 or planning for a future ability to do so should start with conversations at senior management levels right now:
Are you tracking the data on COVID-19 and the real, direct risks to employees, customers and the business? Are you also tracking the meme-space and the very real potential risks and pains from media coverage, traditional or social media?
Which functions have to leave the building having never done so before? Can they do so and, if not, what has to be done to enable that? Is there a critical function or bottleneck that would hamstring the business that you can identify right now? Have you established a help desk or support function for HR and for IT continuity support?
From a security perspective what new risks emerge due to Identity, Remote Access, Endpoint Security, Security Operations and IR and Physical Security? Can you rank order them and work on the most critical ones first? If the business decides to turn out the lights in HQ today, can you articulate the new risks to be signed off on that will exist and the time-to-correction?
Finally, realize that attackers may use the crisis for phishing attacks, to find gaps in security operations, to target your employees’ homes and systems and may even create deep fakes in very targeted ways. Above all, communicate early and often with your employees.