The unprecedented events that have pushed organizations to evaluate their business continuity planning bring up memories of my time working for the federal government, and remind me of a story that I'd like to share.
The emails and statements started coming in from the U.S. Department of Health and Human Services (HHS), the Centers for Disease Control and Prevention (CDC), and the Federal Emergency Management Agency (FEMA): A contagious virus threatened to upend the functions of the federal government.
My staff and I would be expected to work remotely for an indeterminate amount of time. Our services wouldn't be impacted that much, I thought, since many of us had laptops, and we all had mobile phones. We supported hundreds of remote sites around the country. Surely, we could operate as a distributed team during this time of crisis. And besides, we serve a technologically advanced, first-world country. How bad could an Ebola outbreak be?
Turns out, bad. And no, we couldn't operate well as a distributed team during that time of crisis. It was 2014, and it was only a drill. The Ebola scenario was a coordinated exercise of civilian and government readiness for operational continuity during a hypothetical viral outbreak. It was a test that we failed.
Not everyone in our department had laptops, let alone "fast enough" access to the internet from home. Cell phones, though prevalent, weren't suitable analogs for office desktop computers. Worse, though half the department was able to log on remotely, traffic overloaded the bottlenecked VPN, causing lag, delaying (or blocking) connectivity, and impacting productivity. (This was especially an issue with outlying hospitals trying to practice telemedicine.) We rationed equipment, shuffled work hours, and prioritized access. And our VPN still couldn't handle the overload.
It's six years later. The human toll of the coronavirus outbreak cannot be measured, and right now, enterprises must focus on protecting the health of employees and community members. The top priority for all organizations must be to mitigate the risks associated with the spread of COVID-19. With that in mind, organizations now must do what they can to preserve enterprise productivity in a “new normal” of work away from the office.
Business continuity planning (BCP) should be (and ideally, should have been) a key component of your corporate strategy. But even if that's not the case in your organization, you can still do something about it.
Right now, BCP is (by necessity) about telework. And that seems straightforward. If you can't work in the office, just work from home. Many IT organizations plan corporate network capacity to accommodate remote access for 20 to 30 percent of the workforce. But what happens when that grows to 100 percent? Overnight? IT leaders around the globe are learning that getting everyone online from home isn't a trivial exercise:
There’s another, more serious issue than remote-connectivity limitations. If your organization relies on a VPN for access to internal resources and/or for internet egress, extending that access to a broader percentage (say, 100 percent) of your workforce dramatically increases your organization’s potential attack surface. The farther corporate data has to travel, the more opportunities there are for compromise.
Compounding that, end users who are accustomed to Netflix-like download speeds at home will be frustrated when they encounter latency introduced by VPN constraints and MPLS backhauling. The risk is that they “go rogue” and bypass security controls in the “interest of getting the job done” faster, further exposing internal systems to outside attack.
It’s time to change the way you think about security. This current unprecedented event is accelerating changes in how we access applications and data securely. Remote work must be enabled without compromising security. But this doesn't mean less security; it means different security.
As a CISO, what can you do to facilitate remote work in the face of such connectivity and security challenges? In this newest “new normal,” you will have to make triage decisions:
We are going to get through this. But we have to learn. (Back in my government days, we said “never let a crisis go to waste.”) Right now, nothing is more important than ensuring the health of your colleagues and community. And the best thing you can do as a CISO is to facilitate remote work.
Forgive the dispassionate cynicism, but enterprises that weather this storm will have a competitive advantage when it passes. And when your organization comes out the other side, don’t stop planning for business continuity. You’ll be better prepared if—perish the thought—there’s a next time.
Stan Lowe is the Zscaler Global Chief Information Security Officer