It has been more than two years since COVID-19 emerged. Over the course of the pandemic, most organizations across the United States have had to rethink long-established business processes and make a host of information technology changes to support them.
The numerous IT and cybersecurity lessons these organizations learned during COVID-19, while doing their best to adjust to the new normal, can help others face not only disruptive events but also day-to-day challenges.
Lesson 1: Organizations Must Prepare for Worst-Case Scenarios
Before the SARS-CoV-2 virus spread from China to virtually all countries around the globe, many small and medium-sized businesses (SMBs) were comfortably following familiar routines, seldom considering their potential disruption.
When the same SMBs were forced to close the doors to their offices and tell their employees to start working from their homes, they often found themselves woefully unprepared.
The issues they faced included everything from not being able to provide employees with work laptops to not knowing how to establish secure remote connections to not being familiar with modern business communication platforms like Microsoft Teams.
While the pandemic may be in its endgame phase now, the risk of unexpected disruption caused by anything from natural disasters to cybercrime to acts of terrorism remains just as high as ever.
That’s why every business should carefully assess risks and prepare detailed responses to them. Remember that recovery plans are not enough. You also need to have continuity plans.
The difference is that recovery plans focus only on restoring data access and IT infrastructure after a disaster, but they don’t cover what happens after data access and IT infrastructure are restored, which is where business continuity plans come in.
Business continuity is largely proactive, and its goal is to ensure that all mission-critical business processes and procedures remain available during and after a disaster. Together, business continuity and disaster recovery protect organizations against financial loss, reputation damage, sanctions, breach of contract, missed market opportunities, and more.
Lesson 2: IT Flexibility and Agility Are Critically Important
Organizations can’t completely prepare for every future scenario they may possibly encounter. But that doesn’t mean that the negative impact of unprecedented events like the COVID-19 pandemic can’t be greatly reduced.
By striving for IT flexibility and agility, organizations can much better roll with the punches by dynamically adjusting their information technology infrastructure based on their current needs.
The importance of IT flexibility and agility can be illustrated by comparing how two organizations, whose IT infrastructures sit at opposite ends of the flexibility and agility scale, are able to respond to a pandemic-scale event.
Let’s imagine that organization A relies entirely on an in-house IT infrastructure that’s designed from scratch to meet its unique needs. To build the infrastructure, the organization had to make a massive upfront investment because IT equipment doesn’t come cheap—and neither does the expertise required to maintain it. Organization B, on the other hand, has a hybrid IT infrastructure, relying on multiple cloud vendors and limited in-house IT capabilities.
Because organization A has already spent a large amount of money to gain a very specific set of IT capabilities that can’t be easily modified to reflect a new business reality, its ability to respond appropriately to that reality will always be hindered by its lack of IT flexibility and agility.
Organization B is in a much better position in this regard because cloud services provide a built-in buffer thanks to their scalable, pay-as-you-go nature that makes it possible to quickly and painlessly adjust to any new demands.
Lesson 3: Business Tools and Information Should Be Securely Accessible from Anywhere
In business, one should never put all eggs in one basket. And one should certainly not make the basket accessible from just one place.
Unfortunately, that’s what many organizations were doing before the outbreak of the COVID-19 pandemic, storing all business information and the tools used to process it on local computers and servers organized into enterprise networks accessible only to those who were physically present inside the office building where the networks were located.
When the same office buildings were forced to temporarily lock their doors to curb the spread of the deadly virus, the employees who used to gather inside of them suddenly found themselves unable to access the resources they needed to do their work.
Although another wave of harsh lockdown measures is unlikely, there are still many other reasons that may prevent employees from being able to access business tools and information that exist solely on local computers that are not readily accessible from anywhere.
To avoid ending up in this unfortunate situation, organizations can take two different approaches, and they can take them both at the same time.
The first approach revolves around creating a virtual private network (VPN) to extend a private network across the internet, enabling employees to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. The second approach takes advantage of cloud computing and the inherent location independence of cloud services.
Each of these two approaches has its pros and cons, but organizations that become cloud-first typically report fewer IT-related headaches than those that mix and match an on-premise data center with a public cloud.
Lesson 4: The Threat Landscape is Constantly Changing
Since the first known case of COVID-19 was identified in Wuhan, China, in December 2019, the SARS-CoV-2 virus has mutated many times, resulting in the emergence of multiple major variants.
Some of the new variants, such as Omicron, have turned out to be rather capable of overcoming the protection provided by COVID-19 vaccines, forcing governments to adjust their strategies and scientists to work on targeted vaccines.
What’s interesting and important to remember is that the digital threats that emerged in parallel with the SARS-CoV-2 virus have also evolved significantly over the past two years, making previously effective cybersecurity strategies obsolete.
Take, for example, phishing. Early COVID-19-related phishing attempts took advantage of the confusion surrounding lockdown measures, vaccine registration, and other trending topics. It didn’t take a long time for the FBI, Europol, and others to start raising awareness of these threats. Cybercriminals responded by changing their tactics and moving to more targeted attacks.
“Proofpoint observed COVID-19 themes impacting education institutions throughout the pandemic, but consistent, targeted credential theft campaigns using such lures targeting universities began in October 2021,” states a report from cybersecurity group Proofpoint. “Following the announcement of the new Omicron variant in late November, the threat actors began leveraging the new variant in credential theft campaigns.”
The lesson here is that the threat landscape is constantly changing, so organizations can’t afford to rely on yesterday’s cybersecurity strategies and solutions. Instead, they must constantly update them to keep them relevant and effective.
Lesson 5: Traditional Perimeter-Based Network Defense is Obsolete
Traditional perimeter-based network defense operates with one core assumption: all activity that originates from inside the network can be trusted, while all activity that comes from the outside is potentially malicious.
This assumption made sense in the early days of network security, when employees worked on stationary computers located inside the same office.
The pandemic has made traditional perimeter-based network defense obsolete by forcing employees to work from various remote locations, often using both personal and work devices.
Required to collaborate and access organizational resources from anywhere, employees have gotten used to using SaaS applications for business-critical workloads, further blurring the already hazy defense perimeter.
Ensuring sufficient protection of this new shifting defense perimeter requires organizations to rethink their approach to cybersecurity, and the zero trust architecture (ZTA) model has emerged as a popular solution.
The main concept behind ZTA is that no one should be trusted by default. Instead, all connections, regardless of whether they come from inside or outside the organization’s network, are verified before being allowed to access protected resources.
When implemented correctly, ZTA provides a highly secure alternative to the castle-and-moat approach to cybersecurity, and its benefits include not only enhanced security but also improved compliance, greater visibility, and better user experience.
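To make the contrast concrete, here is an added example (not from the original article or any vendor's product) that places a perimeter-style access check beside a zero trust check that verifies identity, session freshness, and device posture on every request. The network range, signing key, device inventory, and token format are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import time

# All values below are constructed for illustration.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # hypothetical office range
SIGNING_KEY = b"demo-key-not-for-production"       # hypothetical IdP signing key
COMPLIANT_DEVICES = {"laptop-042"}                 # hypothetical managed-device list


def _sign(payload):
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user, device_id, expires_at):
    """Stand-in for an identity provider: sign user, device and expiry."""
    payload = f"{user}|{device_id}|{expires_at}"
    return f"{payload}|{_sign(payload)}"


def perimeter_allows(source_ip):
    """Castle-and-moat: trust anything that originates inside the network."""
    return ipaddress.ip_address(source_ip) in INTERNAL_NET


def zero_trust_allows(source_ip, token, now=None):
    """Verify every request; source_ip is deliberately not a trust signal."""
    now = time.time() if now is None else now
    parts = token.split("|") if token else []
    if len(parts) != 4:
        return False                                  # no or malformed credential
    user, device_id, expires_at, sig = parts
    expected = _sign(f"{user}|{device_id}|{expires_at}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False                                  # identity not verified
    if not expires_at.isdigit() or int(expires_at) < now:
        return False                                  # session expired
    return device_id in COMPLIANT_DEVICES             # device posture check


if __name__ == "__main__":
    good = issue_token("alice", "laptop-042", int(time.time()) + 300)
    for ip, tok in [("10.1.2.3", None), ("203.0.113.7", good)]:
        print(ip, "perimeter:", perimeter_allows(ip),
              "zero trust:", zero_trust_allows(ip, tok))
```

The two sample requests produce opposite decisions under the two models: the unauthenticated request from an office address passes the perimeter check only, while the verified remote employee passes the zero trust check only.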
Summary for COVID IT Lessons
The SARS-CoV-2 virus has been with us for more than two years now, and its impact on most aspects of our modern lives has been profound.
When it comes to information technology and its use for business, we’ve learned that the ability to respond to unexpected situations and a flexible and agile information technology infrastructure make everything much easier, which is where cloud computing comes in. We’ve also learned that the threat landscape is changing so rapidly that traditional perimeter-based network defense is now obsolete.
By keeping in mind these important lessons, organizations of all sizes can better prepare themselves for the next disruptive event and day-to-day challenges alike. Contact us for more information.