Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

6/17/2020
11:55 AM
100%
0%

Collaboration Undermined When Security Teams Work Remotely, Some Argue

Knowledge workers are perfectly suited for remote work, but the benefits of collaboration - and the requirements of proving identity - make fully remote security teams problematic.

As pandemic-related stay-at-home orders phase out and many companies decide whether to bring employees — and how many — back to the office, some cybersecurity experts are warning that extended remote-work arrangements are not necessarily a good idea for security teams.

While security professionals worry that remote work has undermined the security of their users' systems, the arrangement has also impacted the way their groups work as well, argues Corey Thomas, CEO and chairman of security firm Rapid7. Security teams that work from home are less effective at communicating and sharing skills and have to give up the security benefits of physical-presence requirements to access certain systems, he says.

"Working remotely during the pandemic has taught cybersecurity professionals to stretch their skill sets and exercise new levels of creativity, but it hasn't fully replaced the benefits of working together under the same roof," Thomas says. "As businesses prepare to reopen with new safety guidelines, they should embrace plans that incorporate not only the flexibility of remote work but the valuable experience that can be gained through on-site communication."

Thomas is not the only one to caution companies from embracing remote security teams. Software security firm BitDefender points out that some security efforts require on-site workers to access systems, such as controlling product updates, updating signatures, and installing patches. Other companies may have intellectual property documents that they do not want exposed to the Internet or high-security systems that have classified information.

Physical presence remains a good security measure, and large companies — especially those with their own data centers — will not be able to have an entire work-from-home security group, says Liviu Arsene, global cybersecurity researcher at BitDefender. 

"Some services just cannot be managed remotely for security reasons," Arsene says. "So you have to make a business decision as to whether you want to have security services that you can expose online."

Not everyone agrees, of course. Some companies — especially smaller ones — are embracing the movement to virtual companies based on cloud infrastructure to the furthest possible extent. Cobalt, for example, which offers pen testing as a service, plans to move its company completely virtual — joining others, such as developer-services firm GitLab — in creating a company based on a far-flung group of workers. 

High-tech workers are well-suited to distributed work arrangements, says Caroline Wong, chief strategy officer at the company. 

"Teams these days, they know how to collaborate asynchronously, and the vast majority of security incidents are not 'wake up in the middle of the night and scramble to deal with it' types of events," she says.

Many companies had already changed their security arrangements because of the pandemic-prompted remote work. Almost a third of companies have made changes to employees' security training to bolster security at the endpoint, according to survey conducted by BitDefender and published today. One in six firms are requiring that only company-owned devices be used for remote work. And about a third of companies have moved to 24/7 IT support for workers. 

Overall, more than a quarter of companies expect more employees to work from home on a permanent basis, the survey shows. Facing a permanent change in how they do work has caused many companies to tighten up their work-from-home security arrangements. 

"I have some friends that worked from home," Arsene says. "After the pandemic hit, they made changes. They completely forbid the use of work computers to do anything else but work. They started sending a lot more materials to employees."

Many companies may not have a choice but to allow security professionals to work from home. With cybersecurity skills in high demand and the supply of workers reportedly tight, businesses may have to be flexible to attract the right type of talent, says Cobalt's Wong.

"There is a skills shortage, and it remains very real," she says. "So the likelihood of getting all your security people in the same region is small. But if you look beyond that when hiring a security team, having a remote workforce gives you the ability to have workers in different time zones and pull from a much larger pool."

For Cobalt, the move to remote work will become permanent. The company will likely move away from a central office arrangement and instead focus on bringing together people for collaborative work sessions, Wong says.

"We are never going to have offices against the way that we use to," she says. "But we will have social events. We will get together — the entire company — twice a year, when it is safe to do so. What we use to call an office, we will instead have a creative hub, and you will not need to be there eight hours every week day, but once a week or once a month."

BitDefender sees that as a viable option but will continue to keep security people — and some others — coming into the office. 

"If your business model allows remote work, then maybe move to some sort of shared-office arrangement," Arsene says. "While not every one can do it, we are going to be seeing some shifts over all, even in security."

Related Content:

 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25288
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
CVE-2020-25781
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
CVE-2020-25830
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.
CVE-2020-26159
PUBLISHED: 2020-09-30
In Oniguruma 6.9.5_rev1, an attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte in concat_opt_exact_str in src/regcomp.c .
CVE-2020-6654
PUBLISHED: 2020-09-30
A DLL Hijacking vulnerability in Eaton's 9000x Programming and Configuration Software v 2.0.38 and prior allows an attacker to execute arbitrary code by replacing the required DLLs with malicious DLLs when the software try to load vci11un6.DLL and cinpl.DLL.