Dalton Brown
February 9, 2021
It did not take long for almost every aspect of our world to feel an impact from the COVID-19 pandemic. Retail stores now have barriers and floor markings for customers to enforce social distancing. Television shows are including masks and similar measures in their footage. The NBA and NHL played their 2020 playoffs within bubbles to prevent games from being impacted by the virus. It should come as no surprise that the pandemic also impacted security programs of businesses around the world, but to what extent?
A comprehensive security program often designs layers of defenses in order to better protect network assets and data. This is done for better security and to prevent a single point of failure within the organization. For instance, protecting a device on your network can include tools and processes such as network firewalls, intrusion prevention and detection systems, network segmentation, antivirus and endpoint protection suites, security monitoring teams, log review, and configuration management services, just to name a few.
Many of these processes are interconnected, overlapping to form a web of capability to ensure that security teams can properly defend the network. However, many of the industry models for layered defenses involve a common assumption – working on a controlled and contained network. When the pandemic hit countries around the world, this common assumption, something that many security teams didn’t realize they took for granted, vanished. For the visual learners, this is what that felt like to most security teams:
Security teams were suddenly asked to continue providing the same coverage and security for an entity that changed completely overnight. It can be difficult enough to defend client workstations on their own network, but now these security teams are having to defend them on networks that they do not control, without tools that they regularly depend on. This task would have been even more arduous for the smaller businesses where the security team is likely a part-time assignment for one or two IT workers on staff.
There are, of course, tools that can be acquired to alleviate some of these concerns, but tools cost money for licensing, running their backend architecture, training staff to get acquainted with them, and the labor investment for implementation. These kinds of rollouts are often tedious, carefully planned, and can last weeks or months to see realization.
Philosophically, the IT industry as a whole has been moving away from traditional network architectures and tool usage for some time, and instead has been shifting towards an environment where client workstations and cloud-hosted tools are all that may be used by most businesses. In response, security companies have developed tools, such as endpoint detect-and-response (EDR) platforms, to move the focus of security teams towards the newer direction in IT. Such offerings likely found many new customers during this pandemic. Everyone else either made do with what they already had or accepted the increased risk and has crossed their fingers that they were not the victim of a cybersecurity incident during this time.
Remote work is not a new concept. The Bureau of Labor Statistics observed that at least 16% of the U.S. labor force was working remotely at least part-time in 2019. However, most of these remote opportunities were likely concentrated within fields that had a requirement for the additional flexibility. Sales professionals and online education institutions come to mind, just to name a few. A large percentage of businesses may not have considered remote work possibilities as an ongoing constant in their environment to account for until this moment in time. As significant and impactful as the pandemic has been, it did not create a remote work crisis, but instead exacerbated gaps that already existed. Add to this that most businesses were shrinking budgets during this time, and it becomes that much harder for those same institutions to address these now wide-open problems.
With those items in mind, one assertion is that the pandemic simply forced many businesses to quickly evolve their security programs to be more in-line with current IT industry trends during this time. The businesses that worked with the increased risk during the pandemic were likely driven by budget or an expectation that their operations would return to previous working standards once the pandemic is under control. However, now that a larger portion of the working population has been exposed to remote work, and businesses have seen what is possible from a remote staff, the next question that comes to mind is “how long until remote work is more the standard than the exception?” If that answer is sooner than most would expect, the security programs that were able to evolve for remote workers now will surely benefit in the long run.