When employees across the globe transitioned to working from home in 2020, many organizations had to quickly put solutions in place that kept them connected to the business, their customers and one another. But, due to the unprecedented rate at which they were forced to adapt, there were difficult trade-offs that had to be made in the short term to accommodate immediate business needs. Perhaps most notably, cybersecurity was oftentimes deprioritized in favor of expediency.
Troy Moritz, Chief Security Officer at TELUS International, says in the early days of COVID-19, nobody knew if the pandemic and its impacts were going to last “a week, a month, a year or a decade.” The trend was for organizations to disproportionately focus on risk mitigation and stop-gaps to retain business continuity. Oftentimes, companies resorted to unencrypted videoconferencing technologies, employees used personal devices with unsecured logins and unapproved apps and file-sharing tools, and risk policies were relaxed or ignored under the extenuating circumstances.
“That's the way you end up with a very, very poor long-term design and a very panicked, rushed, unmanageable short-term solution,” Moritz continues. “You're in the band-aid business.”
Almost a year later, the effects and consequences of these actions and decisions are increasingly coming to light. And, with remote workforces having become a long-term reality for many, it's critical for organizations to develop better solutions for data security.
The ultimate stress test
According to a CNBC survey, more than half of IT execs had never stress-tested their cybersecurity infrastructure prior to COVID. At the same time, cyberattacks, phishing attempts and scams are "growing dramatically" — especially amongst organizations where secure networks aren't already in place.
Moritz says TELUS International had been building out the company's infrastructure to accommodate a remote workforce well before the pandemic and was able to quickly pivot its global team to work from home using secure devices and networks. But he says he recognizes that not every organization had that ability.
And there's only so much a company can control, technology-wise, when team members are working from home. A study by Trend Micro of more than 13,000 remote employees across 27 countries found nearly four in ten used personal devices to access corporate data, often via services and applications hosted in the cloud.
Moritz says bring-your-own-device (BYOD), if not thoughtfully implemented, can present tremendous risk to all parties involved because it creates new vulnerabilities that hackers can use to gain access to corporate data. “It's a strategy that cannot be done in desperation,” he says. “Any company that implemented BYOD as a knee-jerk reaction to COVID inherently accepted its profound risk, which if it hasn't already, may still lead to negative impacts.”
The good news is: organizations have an opportunity to rebuild their remote work model in a way that protects all parties involved going forward.
A 'human firewall'
Thinking long-term means prioritizing a cybersecurity reassessment. Companies should start by identifying the gaps in their security protocols and structures, and cataloging the temporary solutions that were put in place.
As for solutions, Moritz says, now more than ever, it's important to recognize that your team members need to be “the greatest human firewall that's ever been built.” That means doubling down on security awareness training and keeping them informed about evolving threats. “They're the frontline and the best line of defense,” he says.
He also recommends running phishing simulations to measure at-home performance versus in-office performance, and using that as a teachable moment to talk about what could have happened. Educating your "human firewall" on the threats is the first step in building out a longstanding blueprint for secure remote work.
Protecting the network
Setting out an extensive cybersecurity policy for remote work that identifies BYOD best practices is a vital part of long-term planning. You need to ask: is your virtual network protected? Do you know what remote team members have access to?
“The way to think of proper BYOD is when the secure computing environment never extends to the home…data is never stored in the home environment,” he says. “Therefore, if the home has viruses or an insecure connection, the data stream and the data access is all insulated and protected from that.”
And finally, know when to let go, says Moritz; take a step back and look at all the tools you have and what can be outsourced. “Mitigation is one tool we have, but what about transfer of risk?” he says. “If you weren't very good at cybersecurity to begin with, [maybe] you need to double down on your decision to go to some sort of cloud and outsourcing solution?”
He says whether that's public or private cloud technology, or a hybrid of both, transferring that risk means transferring your cybersecurity obligations to a well-regarded and respected partner. “Maybe transference of risk is as important as direct mitigation of risk,” he says.
A new opportunity
Remote work isn't a new concept; some organizations have slowly been incorporating aspects of it into their operations for a while. COVID-19 merely accelerated its more widespread adoption. Moritz says he views this point in time as a key opportunity to demonstrate that remote work can be secure with the proper planning, implementation, technology, and expertise.
It's a sentiment that he's been hearing from clients who previously wouldn't entertain the concept, he says. “We've broken the barrier from the 'absolutely not' sentiment into the 'you can do it for a time' (to) 'we are really impressed, this is high quality, maybe we don't need to go back.'”