Global pandemics have a way of accelerating the pace of change. Whether it’s immunology or technology, the evolution that something like Covid-19 forces in each sector is permanent. For many companies, March 2020 was a pivotal time. As lockdowns loomed, businesses had to find ways to keep their employees working – outside the office. While some segments of the US economy were familiar with working remotely or from home, a significant percentage of the workforce had no such capability.
The ensuing panic to “do the best you can” in IT departments, especially in mid-market companies, has created a dangerous situation. Mid-market companies are notoriously under-staffed in cyber security departments – if they have one at all. So while IT was busy scrambling to make remote work a reality, virtually no one was watching to ensure they weren’t opening up new risks.
I’ve watched the evolution of security on the endpoint for almost 25 years now. When I first started, we were starting to think about the need to deploy centrally managed anti-virus software. Today, your corporate laptop probably has a dozen agent-based security tools on it. It’s been a rough ride.
The problem with security is that it always feels additive, essentially because it is. More agents, more control, more processing power sucked away to security tasks. At least that’s how it feels to our user base. So let me get to the heart of the matter.
The result of the Covid-19 lockdown panic for IT was three-fold, in increasing order of severity:
- Unmanaged security – Even companies with occasional remote-work policies had issues. While these companies provided devices capable of working remotely, they still primarily relied on coming back into the ‘corporate network’ (or “the office”) to receive updates and such. The security infrastructure was reliant on devices that could occasionally, and for short periods, remove themselves from the corporate office but needed to come back regularly. With “the office” essentially closed for months without an end in sight, these devices quickly became outdated and feral. Their security tools became out of date and as much a liability as other out-of-date software packages. Never mind the inability to protect from new threats as they mounted during the pandemic crisis.
- Personal devices – Some companies didn’t have the resources to give everyone a laptop that worked remotely; therefore, they told people to “use your own devices” to access sensitive corporate applications and data. It went about as well as you’d expect. With virtually no security on the end device to speak of and no control over sensitive data, once data landed on that local device, security was anyone’s guess. We may never know how much sensitive data criminals stole from unprotected personal devices. We may never know how much damage was done long-term, but what I am sure of is this is not a sustainable strategy going forward. Luckily, most IT organizations realized this was a disaster and worked to issue remote-work-capable corporate devices. The problem, though, is that with the pandemic’s negative impact on the economy many companies simply can’t afford to buy a few hundred laptops that are then prepared and deployed. It’s either still an ongoing issue or being addressed in a trickle.
- Exposed applications – Many applications that were only available internally suddenly became accessible to the world. That would be acceptable if these applications didn’t rely on the security protections afforded them by the corporate network. The problem is many of these applications are exploitable; therefore, criminals can steal data at will. In the hurry-up world of pandemic panic, no one had time to fortify applications that were decades old, with little to no application security forethought. The lack of secure software development is a much bigger issue that was exposed by the pandemic.
The combination of these three issues has created a clear and present catastrophe waiting to happen in the mid-market. The pandemic has exposed the soft underbelly of IT – unprepared, understaffed, and under-resourced. Throwing more technology and tools at the problem – which I’m seeing happening currently – is not the solution. The need to implement forward-thinking strategy, appropriate levels of staffing (or partnership), and meaningfully integrated technology has never been greater.
Let’s face it, this is likely going to happen again. What will your company do next time?