A few short months ago, it appeared that most employees would return to offices (and an approximation of a pre-pandemic existence) by Fall 2021. Then the Delta variant of COVID-19 appeared, infections and hospitalizations increased, and many of the country’s biggest employers (Microsoft, Google and Amazon among them) pushed their return-to-office plans back to January 2020—or perhaps indefinitely.
As the fears and concerns over the Delta variant continue, it seems that work-from-home and hybrid work (i.e., bringing workers back to the office at least one or two days a week on a staggered schedule) are here to stay, and more than likely to become a permanent arrangement for many companies.
This sea change also means the cybersecurity concerns that came with shifting workers to remote work in early 2020 are likely to remain, experts said.
To help illustrate this, Palo Alto Networks recently published a report that included responses from 3,000 technology executives, as well as networking, security and operations team workers, to gauge how a more permanent shift to hybrid and work-from-home will affect the security posture of companies both in the U.S. and around the world.
Sixty-one percent of those questioned for the survey said they are still struggling to provide proper remote security for their hybrid workforce, whether it’s all work-from-home or bouncing between remote locations and corporate offices. Another 51 percent put cybersecurity at the top of their list of major concerns.
And these worries over security won’t end anytime soon. About two-thirds of those polled said that between 25 percent and 75 percent of their employees are still remote, with 44 percent indicating that half their workforce will remain remote over the next 12 months.
At the same time, a staggering 94 percent of organizations are still considering hybrid work as an option over the next 12 months, according to the survey.
“Recent health safety measures brought on by the Delta variant are forcing many organizations to rethink their long-term strategy for applications and security,” John Morgan, the CEO of security firm Confluera, told Dice. “Rather than shifting back their focus to the in-person office or a hybrid model, many organizations are looking to the work-from-home as a necessary long-term model they need to support.”
Security Concerns Grow
While enterprises large and small continue to make accommodations for workers to remain remote, cybersecurity remains a concern for both the IT teams that need to support this workforce and the security pros who need to anticipate how the threat landscape will change.
Another recent survey from HP Wolf Security, which used data from nearly 10,000 respondents both in the U.S. and around the world, found that 83 percent of IT teams believed home working has become a “ticking time bomb” for a network breach. At the same time, 91 percent of IT teams believed that organizations had compromised security for the sake of business continuity during the pandemic.
“The average time to detect and respond to threats, as well as the damages incurred, continue to increase,” Morgan said. “Many who responded to the [Palo Alto Networks] survey have attackers already in their network and applications unbeknownst to them. Unfortunately, many will not be aware of the attack until a breach is confirmed or a ransom note is found.”
While enterprises have numerous security positions open, and are willing to bolster their security staff, businesses need to rethink the skills they need to help secure the remote workforce. That includes hiring people who understand how cloud services and apps are changing the security landscape.
“Organizations cannot scale their hiring to match the scale of what bad actors can do in automated cloud environments,” Morgan said. “Rather than simply working harder, they need to work smarter by leveraging the latest innovations designed to secure cloud services that enable organizations to maximize resources while providing the best user experiences. Training and hiring specifically for expertise with cloud services have become imperative to achieve these goals.”
Cloud and Security
This reliance on cloud apps and services means that securing SaaS and IaaS is now imperative to enterprises. “The variety of breaches and attack vectors over the past few years has demonstrated that bad actors are stepping up their game—and organizations need to do the same. It’s simply not enough to continue doing what’s always been done,” Brendan O’Connor, the CEO and co-founder of security firm AppOmni, told Dice.
“We’re seeing increasing numbers of job postings for 'SaaS security engineers' and other cloud-based security roles, which is a great start. Cloud and SaaS security must be a priority and have an owner within each organization, not just be a project tacked on to the scope of an already overburdened security team,” O’Connor said. “SaaS security specialists are already highly in demand and will become even more so as companies shore up their SaaS security. But companies won’t be able to simply hire their way out of the problem. They need to rethink the way they approach security for the cloud.”
While investing in those with cloud skills can help protect remote workers, enterprises also need to rethink their overall cybersecurity posture as hybrid working models continue. This requires new security mindsets from security leaders and professionals, said Mohit Tiwari, the co-founder and CEO at Symmetry Systems.
“There are many new attack vectors into an enterprise due to remote work, COVID, and cloud migration—but what the attackers are coming for is the organization’s data,” Tiwari told Dice. “So this is a reason why organizations should start their cloud security from the data out. On-premises organizations set up a network and then protected the applications and then the identities. In contrast, the cloud offers a once-in-a-generation opportunity to root security in data. Organizations can build their cloud security posture starting with the data, and have entitlements to data flow out to identities and applications.”
Vishal Jain, the co-founder and CTO at Valtix, noted that hiring those who understand both cloud and security can address the concerns that appeared in both the Palo Alto Networks and HP studies.
“Enterprises need to understand security disciplines, but the implementation of these is very different in this new work environment,” Jain said. “Security folks who understand this understand that enterprise security solutions need to evolve to address security and operations challenges for this new environment. Security folks who understand that cloud security is different will adopt cloud-first solutions as opposed to solutions built for datacenters to secure both their users and their cloud applications.”