Forced digitalization probably saved many outdated businesses and strengthened many others in their resilience against further pandemics or lockdowns.
As more employees return to office to work in the next phases of easing back from social distancing, what are the risks companies might face?
What if a second wave of COVID-19 infections rise up and cause another round of lockdowns around the world? How should organizations stay vigilant and prepared?
The sudden rush for businesses to send staff home to work has already created a giant upsurge in pandemic-related email scams, malware attacks and fake news campaigns. Will people's gradual return to the office, whether in rotating teams or on some ad hoc basis, create vulnerabilities in corporate networks?
Time for business lockdown planning
Many small and medium enterprises (SMEs) did not have any concrete business continuity planning (BCP), or at least one catering to a sustained pandemic. Now with the likelihood of lockdowns being reimposed if infection rates rise out of control again, perhaps businesses need to create or tweak their BCP into BLP — business lockdown planning — for quick reversion to WFH, digital commerce and socially-distanced product deliveries and takeaways.
Said Stephanie Balaouras, VP and Group Research Director, Forrester: “A general business recovery plan is only helpful in dealing with disruptions caused by an extreme weather event or an IT failure. A pandemic recovery, just as with pandemic planning, requires its own unique response because disease outbreaks can subside and then flare up again. Since this global pandemic is the first in 10 years, and only the second in 50 years, organizations need guidance on how to quickly close and reopen their operations if there is a new burst of infections or a second wave.”
During this tentative period where badly-hit businesses hardly have time to figure out how to partially resume operations with limited manpower and supply chains, the top priorities still remain: comply with and even exceed safety measures for both staff and customers.
According to Mao Gen Foo, Head of Qualtrics, South-east Asia: “As businesses and workplaces begin to reopen, keeping a pulse on how customer and employee confidence and expectations change at each stage is critical to successfully navigating the new reality. These insights are an essential tool guiding business on the actions they need to take to ensure teams and customers feel safe, supported, and ready to return. Recent Qualtrics research revealed a customer- and employee-first mindset is key to building trust right now.”
Revalidating WFH devices in the office
The move to more remote work due to the pandemic has brought authentication and remote access into the spotlight for countless organizations. Similarly, the return of those WFH devices to the corporate network should raise alarm bells for IT personnel.
Given that many organizations still rely on passwords for authentication, this increased remote work is also increasing IT security risks. “The quick and immediate need to make the workforce remote has highlighted the need for firms to secure the employee’s endpoint, which includes solutions such as endpoint detection and response (EDR). The good news is that many vendors have begun developing passwordless authentication mechanisms to provide stronger authentication than static passwords,” said Merritt Maxim, VP and Research Director, Forrester. “The changes imposed by the coronavirus are also changing the governance, risk, and compliance (GRC) function in organizations as they look to these solutions to help them better manage an increasing range of risks.” This may be the time to revisit authentication and privileged access management in the BLP.
Since office appliances such as printers, wireless devices, and internal servers have all been left dormant, unused, and unmanaged, IT and security teams should probably do a version check across all their IT assets and conduct security patching across all of those assets, said Chua Bo Si, Technical Program Manager, HackerOne. “It will also be important to make sure that IT teams disable any remote working capabilities or applications if they are not needed any longer (e.g., remote desktop), as those applications only add to the attack surface unnecessarily. Lastly, it wouldn’t hurt to run anti-malware scans on all machines before introducing them back to the corporate network. But all in all, I think going back to the office does not directly introduce more vulnerabilities (as opposed to the reverse).”
‘Winging it’ in the ‘new normal’
At the end of the day, there is no standardized model that organizations can follow to transition back to work-from-office or even back to WFH. Different circumstances, such as government regulations, industry requirements, and people’s opinions, can considerably affect when particular offices are reopened or forced back into remote operations. The practical approach to any BLP may simply be to ‘wing it’, as long as key priorities and mandates are addressed intelligently.
Said Tommi Maekilae, Senior Solutions Architect, Synopsys Software Integrity Group: “Businesses on many occasions will ultimately face a hybrid situation where a part of the workforce will remain in a WFH setting for an extended period of time, while others may return to the previously normal office environment.”
Such a situation will require reconsideration of security practices like endpoint security, data protection, logging and monitoring, vulnerability management practices (application testing and patching) and authentication mechanisms. If these are worked into the BLP in a way that retains efficiency and productivity even when another series of lockdowns is enforced, businesses will be much better prepared to support both the people working from home and the people at the office or warehouse with an equal level of usability and security.
In this tentative recovery phase, Maekilae emphasizes that we need to take this time to “instil cyber hygiene awareness and communication to employees to understand best practices and potential risks, now more than ever.” Also, once people return to the office, any shortcuts or temporary changes—such as reduced security controls, allowing direct access to systems previously only available through a Virtual Private Network (VPN) or simply allowing temporary remote access to partners or customers—should be thoroughly assessed and reversed if not required. This “may prove problematic given the changes may have been hastily implemented to only parts of the system and not properly documented.”
While taking note of these potential hiccups, businesses should also use this time to streamline or standardize WFH equipment in preparation for any future lockdowns. During the unprecedented global lockdowns, employees may have found alternate ways of working and used new technologies to overcome teething issues in their suddenly-imposed remote work environment. “This might include consumer grade video conferencing, chat and file sharing applications that may have not been previously sanctioned for business within the company. While such technologies certainly pose a security risk due to inherent vulnerabilities during the WFH-period, they are also more likely to bring them back to the office upon their return for continued use,” Maekilae reiterates.
The problem is not only about people using their own devices and risky applications to handle potentially confidential data, but also about businesses themselves placing too much trust in traditional security mechanisms like anti-virus software, firewalls and VPN solutions, while not having proper vulnerability management and application security practices in place.
Concluded Maekilae: “Application security and vulnerability management practices sadly often focus on patch management only, which may also have been implemented with the general premise of equipment being physically present at the office and connected to the office network, thus potentially causing equipment taken home to lack important security updates. This then leads to a situation where company equipment may have any number of vulnerabilities left undetected and unpatched and may already have been silently compromised and running malware or having backdoors implemented.” Such devices ultimately pose a serious risk upon being returned and connected to the office environment despite the patches being applied eventually. So watch out for this caveat.
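The re-admission checks described above (version baseline, patch age, unused remote desktop, EDR presence, anti-malware scan, and reversal of temporary VPN bypasses) can be turned into a simple gate that an IT team runs over its device inventory before a returning laptop is allowed back on the corporate network. This is an added example, not code from the article or from any of the vendors quoted; the policy thresholds, build numbers and the device inventory are all constructed for illustration.

```python
from datetime import date

# Re-admission policy for returning WFH devices. All values are assumed
# for this example; a real baseline comes from the organization's standards.
MAX_PATCH_AGE_DAYS = 30                          # older than this: patch first
MIN_OS_BUILD = {"windows": 19041, "macos": 19}   # hypothetical minimum builds
TODAY = date(2020, 6, 15)                        # fixed so results are repeatable


def findings_for(device):
    """Return the reasons a device must be remediated before reconnecting.
    An empty list means the device can be admitted."""
    problems = []
    if device["os_build"] < MIN_OS_BUILD[device["os"]]:
        problems.append("os build below baseline: upgrade after version check")
    patch_age = (TODAY - device["last_patched"]).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        problems.append(f"security patches {patch_age} days old: patch first")
    if device["rdp_enabled"]:
        problems.append("remote desktop enabled: disable unused remote access")
    if not device["edr_installed"]:
        problems.append("no EDR agent: install endpoint detection and response")
    if not device["av_scan_clean"]:
        problems.append("anti-malware scan not clean or not run: quarantine")
    if device["vpn_bypass"]:
        problems.append("temporary direct access without VPN: reverse it")
    return problems


def triage(devices):
    """Split an inventory into hosts to admit and hosts needing remediation."""
    admit, remediate = [], {}
    for dev in devices:
        problems = findings_for(dev)
        if problems:
            remediate[dev["hostname"]] = problems
        else:
            admit.append(dev["hostname"])
    return admit, remediate


# Constructed sample inventory; these are not real hosts.
SAMPLE_DEVICES = [
    {"hostname": "lap-001", "os": "windows", "os_build": 19041, "last_patched": date(2020, 6, 1),
     "rdp_enabled": False, "edr_installed": True, "av_scan_clean": True, "vpn_bypass": False},
    {"hostname": "lap-002", "os": "windows", "os_build": 18363, "last_patched": date(2020, 3, 10),
     "rdp_enabled": True, "edr_installed": True, "av_scan_clean": True, "vpn_bypass": True},
    {"hostname": "mac-003", "os": "macos", "os_build": 19, "last_patched": date(2020, 6, 10),
     "rdp_enabled": False, "edr_installed": False, "av_scan_clean": False, "vpn_bypass": False},
]

if __name__ == "__main__":
    admitted, held = triage(SAMPLE_DEVICES)
    print("admit:", admitted)
    for host, reasons in held.items():
        print(f"hold {host}:", "; ".join(reasons))
```

A device that fails any check is held rather than patched and admitted in one step, matching the caveat that a laptop may already have been compromised while unpatched at home.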
Customer-centricity still rules
Regardless of how BCP, BLP or other crisis operations plans get revised, one thing is clear: digitalization has to be the central focus behind customer centricity, because the ‘old ways’ cannot be pandemic-proof.
Opined Robert Levine, Chief Operating Officer, Uniken: “We now have to ensure security, safety and convenience to meet the needs of the new normal. The need for a customer experience that is unified and consistent across all channels; enabling an ‘anywhere, anytime’ experience is now a mandate.”
Traditionally, for pragmatic or other reasons, business operations may have been siloed, having separate security, authentication and fraud mitigation methodologies. This creates friction and frustration for the consumer as the level of risk will dictate the quality of service that can be provided. Furthermore, it is expensive for the business to deploy and manage, and it is a boon for the fraudster that seeks out the weakest link in the chain.
“Our current situation can no longer trade off security for customer experience and must create consistent customer journeys. Just look at Zoom and why they succeeded (simple, easy and consistent)—but they forgot to focus on security and privacy,” said Levine.
With pandemic-proof customer-centricity comes the emergence of digital commerce as the dominant channel for business, even if bricks-and-mortar channels can still serve a niche in certain markets. Digital commerce creates the opportunity for businesses to rethink their security paradigm, allowing them to pivot to a customer-centric model that not only delivers a better customer experience, but also unlocks the true power of digital transformation.
For businesses that survive this pandemic, digital commerce is no longer a preparedness backup plan but one that’s here to stay. The good news is that solutions are available that can enable any channel to service any request at any time, including transaction verification and proactive marketing promotions, in a secure and frictionless way.
Opined Levine: “Unifying endpoint, identity and channel security solutions into one integrated customer-experience-focused platform enables businesses to secure, authenticate and transact with their customers across all channels.”