Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

6/17/2020
11:55 AM
100%
0%

Collaboration Undermined When Security Teams Work Remotely, Some Argue

Knowledge workers are perfectly suited for remote work, but the benefits of collaboration - and the requirements of proving identity - make fully remote security teams problematic.

As pandemic-related stay-at-home orders phase out and many companies decide whether to bring employees — and how many — back to the office, some cybersecurity experts are warning that extended remote-work arrangements are not necessarily a good idea for security teams.

While security professionals worry that remote work has undermined the security of their users' systems, the arrangement has also impacted the way their groups work as well, argues Corey Thomas, CEO and chairman of security firm Rapid7. Security teams that work from home are less effective at communicating and sharing skills and have to give up the security benefits of physical-presence requirements to access certain systems, he says.

"Working remotely during the pandemic has taught cybersecurity professionals to stretch their skill sets and exercise new levels of creativity, but it hasn't fully replaced the benefits of working together under the same roof," Thomas says. "As businesses prepare to reopen with new safety guidelines, they should embrace plans that incorporate not only the flexibility of remote work but the valuable experience that can be gained through on-site communication."

Thomas is not the only one to caution companies from embracing remote security teams. Software security firm BitDefender points out that some security efforts require on-site workers to access systems, such as controlling product updates, updating signatures, and installing patches. Other companies may have intellectual property documents that they do not want exposed to the Internet or high-security systems that have classified information.

Physical presence remains a good security measure, and large companies — especially those with their own data centers — will not be able to have an entire work-from-home security group, says Liviu Arsene, global cybersecurity researcher at BitDefender. 

"Some services just cannot be managed remotely for security reasons," Arsene says. "So you have to make a business decision as to whether you want to have security services that you can expose online."

Not everyone agrees, of course. Some companies — especially smaller ones — are embracing the movement to virtual companies based on cloud infrastructure to the furthest possible extent. Cobalt, for example, which offers pen testing as a service, plans to move its company completely virtual — joining others, such as developer-services firm GitLab — in creating a company based on a far-flung group of workers. 

High-tech workers are well-suited to distributed work arrangements, says Caroline Wong, chief strategy officer at the company. 

"Teams these days, they know how to collaborate asynchronously, and the vast majority of security incidents are not 'wake up in the middle of the night and scramble to deal with it' types of events," she says.

Many companies had already changed their security arrangements because of the pandemic-prompted remote work. Almost a third of companies have made changes to employees' security training to bolster security at the endpoint, according to survey conducted by BitDefender and published today. One in six firms are requiring that only company-owned devices be used for remote work. And about a third of companies have moved to 24/7 IT support for workers. 

Overall, more than a quarter of companies expect more employees to work from home on a permanent basis, the survey shows. Facing a permanent change in how they do work has caused many companies to tighten up their work-from-home security arrangements. 

"I have some friends that worked from home," Arsene says. "After the pandemic hit, they made changes. They completely forbid the use of work computers to do anything else but work. They started sending a lot more materials to employees."

Many companies may not have a choice but to allow security professionals to work from home. With cybersecurity skills in high demand and the supply of workers reportedly tight, businesses may have to be flexible to attract the right type of talent, says Cobalt's Wong.

"There is a skills shortage, and it remains very real," she says. "So the likelihood of getting all your security people in the same region is small. But if you look beyond that when hiring a security team, having a remote workforce gives you the ability to have workers in different time zones and pull from a much larger pool."

For Cobalt, the move to remote work will become permanent. The company will likely move away from a central office arrangement and instead focus on bringing together people for collaborative work sessions, Wong says.

"We are never going to have offices against the way that we use to," she says. "But we will have social events. We will get together — the entire company — twice a year, when it is safe to do so. What we use to call an office, we will instead have a creative hub, and you will not need to be there eight hours every week day, but once a week or once a month."

BitDefender sees that as a viable option but will continue to keep security people — and some others — coming into the office. 

"If your business model allows remote work, then maybe move to some sort of shared-office arrangement," Arsene says. "While not every one can do it, we are going to be seeing some shifts over all, even in security."

Related Content:

 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-6287
PUBLISHED: 2020-07-14
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create a...
CVE-2020-6289
PUBLISHED: 2020-07-14
SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site.
CVE-2020-6290
PUBLISHED: 2020-07-14
SAP Disclosure Management, version 10.1, is vulnerable to Session Fixation attacks wherein the attacker tricks the user into using a specific session ID.
CVE-2020-6291
PUBLISHED: 2020-07-14
SAP Disclosure Management, version 10.1, session mechanism does not have expiration data set therefore allows unlimited access after authenticating once, leading to Insufficient Session Expiration
CVE-2020-6292
PUBLISHED: 2020-07-14
Logout mechanism in SAP Disclosure Management, version 10.1, does not invalidate one of the session cookies, leading to Insufficient Session Expiration.