Organisations have accrued technical debt in the shift to remote work, and now they have to face the fallout

In a Computing websem, Javvad Malik of KnowBe4 said that companies that lowered security to continue operating in the pandemic must deal with the consequences - sooner, rather than later

In the rapid move to remote working earlier this year, many organisations signed on for programmes and systems that were only intended as a quick fix, or compromised security altogether in the scramble to keep the business operating. Now, they're dealing with consequences.

That was the message Javvad Malik, Security Awareness Advocate at KnowBe4, shared in a recent websem, now available on-demand.

"Many organisations have accrued a lot of technical debt, for lack of a better term, to get people working remotely," said Malik. "They've enabled remote access to servers that they traditionally would never have given access to, or they might have relaxed some security rules. I heard of an organisation that actually dropped 2FA to allow all of their employees to easily connect into the office, because they didn't have enough resources to deploy 2FA to everyone, or train them up, or to deal with the number of tickets that would inevitably come in.

"There were lots of quick fixes put in place to enable remote working. What CIOs really need to be aware of is what the risks are that those fixes carry, and have a plan of how they're going to remediate that now and in the future, and what that looks like when there's a phased return to office."

Malik discussed how the first lockdown, which was announced and implemented very quickly, caught many organisations flat-footed. He said that compromising security to keep the business operating is not uncommon, but must eventually be faced and dealt with - sooner, rather than later.

"The first lockdown was rolled out quite suddenly. There was a phase when companies were caught unaware. For many of them there was so much uncertainty as to whether the business would even survive, or what furlough payments would look like or what help they would get; so I think the main driver there was a case of surviving this, and whether there would be a viable business at the end of it. We see it often, whenever there's a special scenario like that: cybersecurity controls are often lowered just to help get through that initial period. It's not something that's unheard of, but because this is going on for such a long time...we need to put in place plans to build up that security capability again."

Quick fixes like VPNs and lowering security standards only address the immediate problem. Going forward, Malik said, it is important for IT leaders to establish and maintain good lines of communication - with everyone.

"That's something that people miss when they're not in the office. You don't want them to hear about company news from their colleagues or by reading it online or from the corporate blog; you want open and clear lines of communication, so that the employee themselves know, hey, if I have a problem...how do I contact IT? Maybe remote working has changed how they log tickets or how they contact the helpdesk... As long as the employee knows who they can ask and how they can ask, and that they're going to get a response in a timely manner, that's far more important [now]."

To watch the whole websem, including Computing's research into cybersecurity in the pandemic, and some very insightful audience questions, click here.