Distributing work away from the office has morphed employees into an at-home helpdesk. Regardless of technical expertise, employees have to manage the technology infrastructure of their home network, including network security and patch deployment.
While IT help desks offer support, troubleshooting takes place at a distance. Adequately managing infrastructure requires simplicity.
"I don't think users who are now their own IT departments should really be required to understand what patching even is. But to be told to reboot once a month, no big deal," Michael Hamilton, former CISO of Seattle and current CISO for CI Security, told CIO Dive.
It is IT's responsibility to understand what technology is installed — hardware, software, applications, etc. — and navigate governance. Endpoint security concerns have plagued IT and the coronavirus only highlighted the lack of end-to-end visibility.
For cloud-native companies, it's a bit easier to administer patches to a remote workforce, but not every organization was prepared to be out of office.
"Now there's no building anymore, there are no security guards, his employees are spread between 10,000 different houses, and he has no clue what they connect."
Yossi Appleboum
Former Israeli offensive intelligence agent and current CEO of Sepio Systems
Yossi Appleboum, former Israeli offensive intelligence agent and current CEO of Sepio Systems, was speaking with the CISO of one of the top-five banks in the U.S. The bank's physical offices have security guards, ensuring no one brings anything in or out of the office.
"Now there's no building anymore, there are no security guards, his employees are spread between 10,000 different houses, and he has no clue what they connect," he told CIO Dive.
If an employee is working from a personal device, IT has no visibility into patching needs. The only way for companies to grow their visibility is through policy: Make sure only authorized computers can get on the corporate network.
Quick fixes for remote security
In an office environment, IT had administrative and management capabilities. Now deploying security updates and patches depends on if the organization manages the endpoint security updates and patches. If a company's Office 365 administrators and security personnel have adequate visibility into specific endpoints, issuing updates is the same process, regardless of workforce location.
Smaller organizations without centralized management for patching or antivirus updates, leave updates to the whim of the individual.
Companies that have never operated remotely to full capacity might have less control for the first time, particularly for those in highly regulated industries, Steve Stover, VP at SolarWinds, told CIO Dive.
As a result, Stover expects some cyberthreats to leak through the cracks. Organizations have two response options:
-
Businesses fail to catch a threat when it comes about or they're quickly trying to figure out how to do some of the automated patching, including Microsoft SCCM Patch Management.
-
Businesses hire a third party, such as an managed service provider, to manage updates for them if the attack surface is large enough.
Remote access for administrators are enabled to help nontechnical end users. "I know exactly who still needs to reboot from the last patches, and so we can message those individuals directly" for missed updates, said Hamilton. Companies increased their use of solutions, such as TeamViewer or remote desktop protocol (RDP), over the last several months despite its dangers.
Flaws in RDP leave a user vulnerable. The endpoint has "a little server running, waiting for someone to come knock on the door" offering remote support, said Hamilton. And because it's unlikely users have firewalls in their home, they're susceptible to internet intrusion.
If someone correctly guesses a password, they have a full view of a network.
In addition to RDP, companies can rely on remote workspaces in the cloud. The IT unit can't control the endpoint, but they can manipulate virtual systems as necessary.
If a system becomes hazardous, or murky, switch it on and back off "and it's right back to where it was," said Hamilton.
While IT and their non-technical counterparts adjust to remote support, Stover recommends a little bit of patience and understanding, because IT misses the ticket system too.
Patching policies have not changed drastically during the pandemic, but they have become more distributed.
"I don't think you're going to necessarily see a substantive security policy change," said Stover. The operational environment shouldn't require major changes, however "renovations" to existing policies are likely.
VPNs, for example, are "no different than being inside your office and not running a VPN versus running your VPN outside your office. Your policy doesn't need to change" if end users were issued company devices, approved for accessing the corporate network, said Stover.