The COVID-19 pandemic has become a wake-up call for companies to sharpen their business continuity plans. As the crisis continues on, many realize the business continuity strategies they have in place aren’t equipped to safeguard against the new and evolving security risks of the remote workforce, or resilient enough to sustain business operations through another potential outbreak.
A well-established business continuity plan lets businesses operate as close to normal as possible while staying secure, and it also keeps the gears of the enterprise churning as unexpected challenges arise.
Here are five ways security pros can ensure business continuity in the COVID-19 era:
- Identify the existing security gaps. Conduct a risk-based assessment of the technologies and processes in place to identify security gaps. Look for shortcomings in the company’s security strategy. Does the remote access infrastructure need an upgrade? Does reliance on Zoom pose a security risk? A precarious array of different tools and applications can also create a security nightmare for IT professionals, as a large number of misconfigured and exposed deployments of various software makes it almost impossible to orchestrate safely. Companies need to understand that hackers are stealing data at a scary pace during the COVID-19 period thanks to a world that’s now reliant on a series of jumbled networks and remote work applications. Closing any security gaps will reduce downtime and keep your operations humming along.
- Deploy a software-defined perimeter. Prior to the pandemic, traditional VPNs were sufficient for most companies as they had a smaller percentage of employees working remotely. Legacy VPNs were not built to support thousands or even millions of users globally, rendering enterprises and organizations of all sizes more vulnerable than ever to attacks and data breaches. Look for a system based on the software-defined perimeter architecture and the Zero Trust model. SDP products let IT managers customize permissions for the employees who need access to specific parts of the organization’s network. Additionally, by adopting the Zero Trust, need-to-know model, each remote employee will receive tailored secure access to only the resources necessary for their roles. By creating this kind of efficiency, employees will remain productive and security managers can spend more time focusing on external attacks.
- Focus on employee policies. It’s important to create policies based from the business strategy and on the needs of employees. In the case of COVID-19, it’s important to adjust employee policies in the light of the expanded use of remote access. For example, because they now work from home and can theoretically connect at any time, security teams may want to apply policies that restrict them from gaining access at all hours. By applying policies tied to access based on time, team and even day of the week, security teams can better monitor the network because it lets them more easily identify any anomalies or unusual activity. By implementing tools such as device monitoring, Wi-Fi security, and two-factor authentication, policies can also offer an additional layer of defense against unauthorized network access. The more layers of authentication present, the harder for hackers to gain authorized access.
- Look for unified, cloud-integrated security products. By investing in integrated cloud-native security products, companies can establish clear visibility into their networks and more easily detect unusual activity. Although it’s still a new concept, Network-Security-as-a-Service has already proven effective as a way to unify the tools that IT teams have had to incorporate as a response to their organization’s remote migration. It makes it much easier to create agile access policies, segment and onboard users, monitor network activity and deploy basic security technologies such as two-factor authentication and IPSec tunneling.
- Educate the staff. Educating employees on the importance of remote security helps them understand the impact they have on the organization. Teach them to think of security as a joint responsibility for everyone in the organization by laying out clear examples of their role and its impact on security. Today, with so many people working remotely, it’s dangerous for employees to think that the organization’s security falls solely on the security team. Conduct virtual trainings to familiarize employees with any new services the organization has adopted, as well as how to avoid risks such as phishing attacks. Educate employees to always double-check the email address, the tone of the email and the request itself. They may also need to learn more about how to segment their home networks and change the Wi-Fi password more frequently.
COVID-19 will not last forever, yet the lessons we learn from this experience will stick. Many organizations will emerge from this period stronger, with team members who have a deeper understanding of security and how to stay productive while working remotely. For organizations that have done their homework, whether it’s the next pandemic or a major hurricane, they will have baked security into their business continuity plans so that many of these policies will be second nature when another crisis hits. Most organizations weren’t ready for COVID-19. Everyone understands that can’t happen again.
Sivan Tehila, director, Solution Architecture, Perimeter 81