Traditionally, disaster recovery has focused mostly on the protection and recovery of data (still critical) – but data alone can’t keep the business operating without productive staff – a harsh lesson we learned over the past few years. As we look ahead to 2023 it’s important to ensure our strategy embraces ‘people continuity’ as an essential aspect of business continuity. While the term has been discussed in context with disruptive events, to some extent with a heavy emphasis on HR, the day-to-day mechanics of people working securely in the remote/hybrid environment also need to be considered in planning a complete 2023 continuity strategy.
People continuity takes on two important dynamics:
- Providing up-to-date technology in the workspace environment as a driving factor in retaining employees, notably Gen Z workers
- Procuring the cloud workspace and enabling employees to continue working without interference, should a disruptive event occur.
Going into 2023, many enterprises have proven remarkable resilience in moving from on-premises workloads to remote virtual desktops. Now is a good time to further review and refine certain elements that can improve a secure, productive workspace. Notable ones include endpoint management and security; use case-specific access control; employee education, interactivity, and offboarding.
Endpoint Management and Security
Perhaps the better term going forward should be ‘hybrid continuity.’ Even if enterprise data is resilient in the event of a disaster, business continuity requires that business data is easy to access and use by the employees that need it to remain productive – from anywhere. That means having a secure, well-managed compute environment down to the endpoint level – the point at which people may be working on multiple devices, at multiple locations.
A scary reality is that an endpoint device can be the most vulnerable point in the network, and the opportunities for malware entering via phishing, infected web applications, or inadequately encrypted files are quite plentiful. Verizon estimates 30% of breaches are caused by internal actors. Across all categories — including external, organized groups, internal — web applications were involved in 43% of breaches, stolen and used credentials 37%, and phishing, 22%, according to Verizon.
Protecting data and productivity at the endpoint device level, where the user can introduce a potentially damaging threat, must be top of mind for 2023.
An operating system that can provide secure access to virtual desktop infrastructure (VDI), desktop-as-a-service (DaaS) and cloud-delivered workspaces provides a critical line of defense at the endpoint. If an employee is using their own computer, for example, and working from home, separating business data from their hardware, and storing the data in the cloud also helps reduce the attack surface.
Should an OS become infected, an effective continuity strategy includes having an external USB drive that the user can deploy to separate themselves from the native OS, yet still access their needed business applications.
To further help mitigate risk, start 2023 with a thorough vulnerability assessment, checking for OS vulnerabilities, making sure patching is efficient and up to date and scanning for malware. Don’t forget the monthly “Patch Tuesday” vulnerability reports from Microsoft and Adobe. They may vary in severity, but they provide another line of defense in identifying threats, including OS risk. Secondly, simulating an attack, known as penetration testing, is another useful OS security evaluation. The information gathered can present opportunities for improving OS security. Lastly, a reminder to be up to date on inventory of software assets, following the axiom that IT can’t patch or secure assets it doesn’t know exists in the enterprise.
Use-Case Specific Access Control
An effective, secure OS should hum in the background while employees and contractors work. Access control is a different animal. IT system admin and managers are always treading the line between people wanting more access to more applications and, in the interest of data security, having to limit access to work-essential files and applications. People continuity here means not only making access secure but monitoring employee responsibilities to sync access with their application needs.
An interesting example of access violation is the March 15, 2022, HubSpot incident. According to HubSpot “a bad actor conducted a social engineering attack against a HubSpot employee that captured the employee’s credentials and persuaded the employee to provide the necessary multi-factor authentication.” The result was exported contact data and user data from customer accounts using an internal tool known as just-in-time-access.
The HubSpot actor had several days to play around in the internal system before HubSpot became aware of the incident. It’s a teachable moment for all: regularly conducting vulnerability assessments, requiring multi-factor authentication (MFA) and constantly updating access controls to match workloads with employee or contractor assignments is a good foundation for data security. HubSpot did have MFA in place but unfortunately the employee was duped into giving up that information.
It’s smart to review the Center for Internet Security (CIS) Critical Security Controls as a reminder of the controls and practices to implement and or improve for 2023. The organization is adamant that MFA must be used for all privileged or administrator accounts and recommends avoiding the one-time SMS codes or push alerts so prevalent now. Instead, it recommends privileged access management tools (PAM) be used for more security. MFA is also recommended for remote work network access. The Center strongly endorses the practice of establishing user roles and managing access precisely to that role. If these roles are established, they not only support a clear management of data and applications for a particular person but help contain the threat of an incident or breach. People continuity is supported through productive, controlled access, and less chance of disruption.
Hybrid Work Culture
Companies are upping their investments in digital experience technology and collaboration tools. In the hybrid/remote work culture, virtual collaboration tools will be the best method of engaging remote workers in security training and conversations about best practices at the workspace. Since employee engagement is a common concern given the hybrid environment, using familiar collaboration tools will pose the least stress and time commitment.
Email and web browser security is a prime concern in the hybrid work culture. Regular training on phishing, protecting user credentials and endpoint device safety, and publishing reminders of new threats as well as using collaboration tools – all are essential to continuity.
Given the fluidity of workforces over the last few years another important aspect is offboarding. We oftentimes think about the value of rapid employee onboarding, and that is very valuable, but rapid offboarding is critical to an organization’s security posture. The Cash App breach caused by a former employee continues to make news. Two customers are suing Block and its subsidiary Cash App for failing to protect their data, leading to charges in their accounts they did not make. The breach occurred in December 2021 when the ex-employee still had access to customers’ confidential, personal investment data. Lesson learned: enterprises of any size need to ensure critical data and application access ends the instant an employee or contractor terminates the relationship.
Bringing Continuity for All
To empower people to work from anywhere, and have continuity when a disruptive event occurs, organizations can look ahead to 2023 and gauge their security strength with this checklist:
- Separating business data from hardware devices and storing the data in the cloud helps reduce the chance of data breach at the endpoint.
- This separation enables a user to access data via a secure OS and have the flexibility of location and device.
- Considering a lean, lightweight endpoint device operating system that is read-only and modular helps reduce the attack surface.
- Stringent access controls, including mandatory MFA, are imperative to preventing unauthorized access and a breach.
- Employee engagement, via collaboration tools to encourage best security practices, will lower the risk of stolen credentials and malware.
- Offboarding diligence prevents ex-employees contributing to a costly breach.
Consider these practices as a good start in ensuring 2023 is a people and business continuity success story.
The following article was written by Dan O’Farrell, VP of Product Marketing with IGEL, and first published in Disaster Recovery Journal.