How is infrastructure security changing and where is it going in the future?
Read on for insights into how enterprises can put up their best defenses to maintain successful operations. This article recaps the Unitas Global-hosted panel, Rethinking Infrastructure and Security Practices: Yesterday, Today, and Tomorrow, on the future of infrastructure and security. The moderator, Unitas Global VP, Channel Development Monique Stone, was joined by panelists Mark Hughes, CFO at Advanced Concepts and Technologies International, and James Reid, VP of Infrastructure at Shane Co.
Overnight, COVID-19 has changed how we think about infrastructure and security.
Before COVID-19 became a global issue, our panelists saw that at a high level, companies had an aversion to working remotely. Then the situation necessitated a nearly total remote situation worldwide, which required companies to take a deeper look at their processes and revise their assumptions about capacity planning.
Mark Hughes offered that the global health situation caused the problems that were already present to become dynamic and evolving. Instead of having a controlled IT environment with concerns mainly around compliance, we now have a forced work-from-home situation with uncontrolled endpoints: companies do not know who is connecting to their networks. A lot of shortcuts have been taken around security measures to just “make it work” when running businesses from home. Where we previously had point-to-point connections, now they’re diffused, making it possible to get hacked at many locations. Malware, phishing, and cybercrime attacks are on the rise as well. While hacking was predicted earlier in the year to be around activism and the 2020 US Presidential Election, now the quality of the threat and who is behind it has changed because of the global situation.
A key point that Hughes shared is that the people who were serving as IT staff at their companies, fixing routine problems, are now being asked to think strategically about infrastructure and security, which might be beyond their scope.
James Reid agreed the attack surface has changed since companies have people located everywhere. Processes and change management have become loose and access is being granted offsite in a rush. He noted many companies are reacting to the situation, not approaching it strategically, which is where they’re falling behind.
Companies are falling short of maintaining security best practices.
The panelists are seeing that companies are falling behind in the same ways they always have, with inconsistent security policies applied across the board. The current situation is amplifying many existing issues. Backdoor entries are granted for specific individuals, there is little to no security training, and breaches are low priority. Reactive efforts like these leave companies scrambling to create a response.
Reid advised companies to pause on reacting to the current situation and think about what effects a considered response might have, so as not to get backed into another corner. He stressed the importance of acting strategically with the future in mind.
Where to start with work from home security.
Now is as good a time as any to think through and implement proactive security policies. Points to evaluate could include things like the security training employees receive, breach detection and protocol for response, patching, etc. Hughes recommended asking employees to take basic security measures when working from home. “I believe in basics first. It’s no different than protecting your house: do the first things first that are easier and take care of 80% of the problems. You don’t have to have exotic systems, start with basic processes.”
Reid agreed, “When I think of infrastructure, I’m not going to implement a fancy layer 7 if I don’t have a basic solution in place. You build the foundation and put up the walls first before you go further. In terms of a framework, you have to make a list and capture it somewhere, get other folks’ input to capture all the threads you don’t know about, and assess [the list]. How likely is it to occur? How much does it cost to fix? And prioritize.”
Another quick-start security tactic Reid recommended: “I think the biggest thing we can do coming out of the pandemic is to catalog what has changed... Do you actually know, if you think about what you’ve done in the last 90, 120, 150 days just to keep the ship afloat to adapt to this remote workforce, to open up permissions here—do you have a list of that somewhere? And I think that’s probably the first thing I would do if you haven’t done it already is from a change management perspective, try and capture what you’ve already done so you can see where the landscape’s changed.”
What to consider for security in the long term.
“Be intentional about capacity planning and assessments. Let’s not wait until there’s another event or problem. Do regular audits,” said Reid. He stressed the importance of having a point person who ‘owns’ security, runs the audits, and creates and implements the protocol for addressing a security incident should one occur. Hughes concurred, stressing that security must be a C-level issue, as it “cannot be relegated to company IT; it needs real budget in there. If you don’t think there’s a real cost to it, ask your CEO what cost of insurance is against breaches like this. Plus the soft cost of your reputation.”
With intentional, preemptive capacity planning and assessments, companies will be best prepared to handle specific threats that may come their way and will know what business-critical assets to protect. “There will be issues, there will be mistakes made. You can’t stop everything, but you want to limit it,” said Hughes. “You don’t want to be the CISO or CTO that says oh, I didn’t know that.” If threats are regularly assessed, added Reid, they can be discussed with transparency. Companies can proactively get in front of issues. “But you have to be doing regular assessments in order to do that.”