Why Today’s Remote Workforce May Be Permanent

Malcolm Harkins is a member of the Cyber Resilience Think Tank, and a guest writer for Cyber Resilience Insights.

The new remote workforce has been well-documented as of late. For those who are fortunate enough to have the ability to set up their laptops safely at home, their companies must guarantee a high standard of security. And, for those companies who previously resisted remote work altogether, that reluctance has been replaced by the critical need for workers to quickly be remote and working perhaps in a shared location next to roommates or family members.

 At the moment, we’re seeing a massive shift in the following:

• A reduction in business travel. We saw the first inklings of this cutback when IBM Security declined to participate in RSA Conference in February. Then, the major healthcare IT conference HIMSS was canceled, as well as Black Hat Singapore, and other security events worldwide. Businesses soon followed suit by pulling back or canceling domestic and international travel.
• A struggling supply chain. Today’s modern, global supply chains are dependent and interconnected, which, in the time of a pandemic, can expose its many fragilities. So many companies, technology and otherwise, are dependent on Chinese manufacturing and shipping, meaning a slowdown in product availability to China’s export partners. Here in the U.S., critical medical supplies have been scarce (partially due to the global supply chain and partially due to a stretched healthcare system); the grocery supply chain has also been stretched thin.
• Increase in remote workers. The overnight growth of white-collar remote work has been well-documented. Leadership who resisted remote work and the technology that enables it has had to quickly switch gears, while those who have had work-from-home flexibility for years are experiencing slightly less of a shock to their daily lives, other than perhaps strained teleconferencing or network access point capacity.
• An augmented workforce. As the economy contracts and expands, as it has done often in recent weeks, companies are shedding workers, sometimes relying on gig workers or hourly employees. In fact, giant chains like Walmart and CVS Health, as well as Amazon, have announced thousands of new jobs to keep up with delivery needs during this period of social distancing. This is changing the U.S. economy – not always in a good way due to the lack of shared benefits given to gig workers – but it also means companies must accept a larger amount of risk.
• The limiting of telemedicine. Doctors’ offices and hospitals around the country have urged patients to stay home and avoid using resources that should be reserved for COVID-19 patients. But as demand for health and telemedicine services grows, capacity becomes slimmer.

Our society is moving fast to prioritize fighting this pandemic, in hopes of getting back to ‘normal’ as soon as possible. However, the nature of work – cybersecurity, too – were already on a path towards more technology, more automation, bigger attack surfaces, and lower human connections. After the Great Recession, we saw how businesses changed their control environments to match the new reality: the gig economy burst forth - TaskRabbit, Uber, Lyft, and Airbnb, just to name a few - automation became a bigger force to contend with, and threat actors around the world capitalized on these dynamics.

In other words, the following shifts in business were already going to take place. They’re just accelerated now, taking weeks and months instead of years or decades. The introduction of a global pandemic has meant a global shift on a scale not seen before, forcing a behavior change among billions of people almost immediately. I expect to see the following:

• More automation. Companies are already automating workflows and using automation to constantly tweak business processes to improve efficiency and effectiveness. Just like 2008’s Great Recession – SaaS was in its infancy – because of greater flexibility, lower capital costs, and a shift to operating expenses that could be dialed up or down depending on the business cycle, SaaS flourished. It’s now embedded in almost every organization, including those that had been steadfast in a traditional on-prem data center and application technology stack.
• More technology. If you work at a company that still gives you a desktop and a cubicle – or even an office – this will not continue. Laptops, tablets, and mobile devices will need to be added, and leaders will position them as being for ‘the mobile workforce.’ Cybersecurity will be a main focus for new devices and web applications, if workers are at home or at a shared workspace, where networks aren’t as secure as a corporate network. Initially, expect a greater reliance and education on the use of VPNs. Those organizations who use the pandemic as an opportunity to transform will consider alternative approaches to providing employees remote access – some will eliminate their VPN almost entirely as they shutdown their traditional networks and move everything into SaaS or a web app, accessible anytime, anywhere, from any device. They will also transform how they secure that web session end to end.
• Increased attack surfaces. With remote working and gig working at an all-time high, and a global health pandemic for threat actors to latch onto, cyber risk is also increased. Leaders and their employees often have a sense of loyalty to keep their company safe. Contract workers and thus gig workers may not feel that same sense of loyalty and mutual trust. In either case, if an employee or a gig worker feels as though they aren’t being taken care of appropriately, they may not care as much about protecting their employer, for example, by leaving a sensitive application open on a home machine with others around. Or they may have a sensitive call with others in the same room able to listen in on the conversation.
• Decreased people connection. Social distancing has already had an effect on how we view pandemics, and while remote work is so heavily relied upon, getting connections between office workers is going to require extra effort. As a manager you won’t be able to see and pick up on the subtle cues of issues happening at work or between employees, requiring managers to create the virtual equivalent of management by walking around.

The Bottom Line

The global coronavirus pandemic so far has been like an earthquake. We’re still in the initial shock phase, waiting for other shockwaves, perhaps chaos in our organizations, and uncertain recovery environment to take hold. In those periods after the initial shock, I have seen and expect further that budgets will be cut to shift to the new reality, forcing decisions to be made based on an economic buyer’s choice. In addition, I think there could be a die-off of some security players, particularly startups – ones that are a cool technical feature but don’t deliver real economic benefits. The legacy players – the dinosaurs – who are able to keep their customers beholden to dated architectures and locked-in systems maybe the ones who tactically benefit increasing their survival chances. But the security players who deliver real business outcomes – a measurable, sustained reduction in cyber risk, a lower total cost of control to the business, and improved business velocity -- will be the strongest of the security survivors, because they will have delivered to their customers real economic value when they needed it most.