It’s been four months since COVID-19 was declared a global pandemic by the World Health Organization (WHO). In that time, enterprises and organizations of all sizes have worked overtime to revamp their IT infrastructures to accommodate what is rapidly turning into an almost certain permanent work-from-home environment for employees.

Now that companies’ tech stacks and infrastructure have been updated, and the proverbial bleeding has stopped, what comes next?

Now that the initial scramble to get employees up and running from home—including investments in cloud service, video conferencing platforms and collaboration tools—is over, it’s time to rethink security policies when it comes to the risks that organizations are willing to take. This also includes how staff is trained to handle emerging cyber-threats related to COVID-19.

For observers such as Steve Durbin, the managing director of the non-profit Information Security Forum, it’s all about organizations’ data, who can access it, and how it must be protected and secured going forward. These are the types of conversations that CSOs and CISOs are having about the risks their organizations face in a permanent work-from-home world and how cyber security policies need updating to reflect that.

“What has happened in the current situation is that we know we can access stuff in the cloud, but a real concern for security people is around the way in which that data is then being accessed, and how do I secure that effectively,” Durbin told Dice. “We've now got all of these people working from [remote] locations, and frankly, we can't necessarily always assure ourselves of the security from those locations.”

What makes planning new security strategies in a world trying to recover from a pandemic difficult is that most organizations typically focus on one-off disasters—a single, localized incident. “When I talk to organizations about their disaster planning and business continuity, it's never based on the fact that there's a global pandemic and, effectively, a global shutdown. It's always based around the fact that there are isolated outages,” Durbin said. “So you might not be able to operate in Wall Street, but don't worry, because we've got a back-up facility over the river in New Jersey, or we have an operation down in Florida.”

Now, those rules have changed and it’s time to rethink security plans, deployment of data in the cloud, and what risks organizations can justifiably feel prepared to handle.

New Threats Emerging

Recently, ISF published its Threat Horizon 2020 report that looks at how the security landscape and emerging threats to organizations will change over the next several years. The study was compiled before COVID-19 became a pandemic, but Durbin believes that its lessons still hold true for those planning what the world will look like six months down the road (even if it’s not what was expected as the year started).

“For me, what COVID-19 has done is reinforce the fact that we need to be a little bit more rigorous, perhaps, in some of the definitions of our risk appetite and some of the validation of emerging threats,” Durbin says.

Those risks can range from the proper deployment and use of VPNs to allow remote access, to how to create new security policies for employees who need Zoom for video conferencing, to ensuring that supply chains are kept secure during uncertain times.

And many cyber security professionals and CISOs are asking for their companies to do more to ensure the best security policies are in place—and to support these changes. In April, the International Information System Security Certification Consortium (also known as (ISC)2) released a survey of 256 security professionals and found that about 80 percent of respondents indicate that their organizations view security as an essential function.

An even larger number (about 90 percent) report that their organizations are using best practices in securing their remote workforce. The survey does note, however, that about half of respondents believe their companies could do more to lock down remote workers’ processes and tech stacks.

The (ISC)2 study found that, while many new policies were rushed into place and have held so far, it’s now the job of CISOs and their staff to ensure that issues such as VPNs, collaboration tools and cloud service remain secure for as long as work-from-home exists.

As the study noted: “Another respondent says companies are rushing to implement VPN, remote access and collaboration tools without due diligence or taking security into account. Yet another said: ‘IT wants to relax security controls without due process and analysis, and the times we are in are exactly the WORST time to do that.’”

Think Training

Another concern for CISOs and their security teams is retraining employees to adjust to work-from-home now that they have settled in. With phishing campaigns and other attacks increasing at an alarming rate, newly remote workers need re-education when it comes to issues such as safe ways to login remotely, how to spot malicious messages and how best to access data that is stored in the cloud.

Lisa Plaggemier, chief strategy officer at MediaPro, which provides cyber security training and privacy education, notes that CISOs and their staff need to realize that employees will need to access data and services from locations that are nowhere near as secure as the corporate office. 

In providing support for these workers, however, security professionals can start working on ensuring that home offices are more secure even if it’s taking these situations on one at a time.

“IT is not ‘just’ tech support for workplace users anymore. You’re now providing home tech support and training, too,” Plaggemier told Dice. “Every time you interact with an end user, you have an opportunity for a ‘teachable moment’ with your employees and their families. When a user needs help with their home router, take a minute to ask them if they’ve changed the default password to a unique long password. When someone opens a ticket for help with a password reset, take the time to suggest they use a password manager. And if your organization hasn’t settled on a password manager for company use, now’s the time to do so.”   

Visit our COVID-19 Resource Center, which aims to provide the tech community with the best, most up-to-date information on the novel coronavirus.