Root Causes 103: Work-from-Home IT Impact Study

Episode Transcript

Lightly edited for flow and brevity.

• 

  Tim Callan

  Today, we want to talk about the results of the new survey that Sectigo just published. We just announced on June 18, 2020, the results of a commissioned survey that we commissioned in order to investigate the impact of widespread work-from-home what we call lockdown on IT departments and their security and their other initiatives.

• 

  Jason Soroko

  Wow, Tim. Yeah. That’s a hot topic now. I am curious to know what’s in there. I can just imagine some of the issues that people have been having but, yeah, carry on. Let’s hear the results.

• 

  Tim Callan

  Yeah. So, this survey, obviously, this is where points in time really matter. So, this survey was in the field in late May and early June and that would be the timeframe when people were responding. Obviously, if you go and back to listen to the podcast six months from now, things may be very different. But I think it’s good to get a sense for what there is now and because this is so fresh, we hadn’t really seen any other research on these specific topics. So, you know, we wanted to find out as soon as we could in a timely fashion what people were saying. So, we asked several questions and we looked at a number of different things. Let’s talk about some of the big takeaways. So, one of the big takeaways is the late initiative. So, delays to other factors. So, you know, lockdown rolled around and we all had to go work from home and that meant IT departments had to ensure that was going to be a safe, secure capability. We talked about this in other podcasts. So, one of the things we wanted to ask is did this impact other initiatives inside of your company and the answer is yes. So, nearly 40% of IT professionals surveyed said that revenue generating initiatives were delayed for at least one month because they had to redeploy resources to take care of work from home.

• 

  Jason Soroko

  Wow. Forty percent (40%) is a lot especially because most businesses aren’t there for the fun of it. They are there for revenue generating activities. So, that’s a heck of an impact.

• 

  Tim Callan

  Yeah. And so, it wasn’t free, right, is the point. And a very similar thing, we also asked what about other cyber security initiatives. Things you would be doing to make yourself more secure and 44% of them reported in that case that they had to delay those for a month or more. So, not only there is the revenue generating we are gonna do this thing; we are gonna release it; it’s gonna bring in money; now that release got pushed back because we had to go work on something else but also, there is we were going to do this thing because we were worried. Right? We felt that there was a vulnerability and we wanted to make ourselves more secure and that got pushed back a month or more. Meaning that that vulnerability is still hanging out there in the world for some additional period where one or more enterprises might become victims to it.

• 

  Jason Soroko

  Ok. Yeah. I can see that. Security now is top of mind. You can see how in the past security might have been pushed aside but for security to have pushed aside even a little bit this time shows just how big of an impact this was.

• 

  Tim Callan

  Yeah, and you can see where it’s tough, right. Like you don’t really have much choice do you and the other thing you are working on is also a security thing. Right? So, it’s not even like they are deprioritizing security, it’s just that they suddenly have to shift to changing conditions and, in the meantime, that does leave a hole for that old attack that would have gone one, you know, that other attack has more opportunity to succeed. The attack window is longer essentially.

• 

  Jason Soroko

  That’s interesting when you consider this was a busy period for patching and, you know, reverse engineering of patching to take advantage of the in-the-moment capable attacks knowing that organizations are perhaps not jumping on them as quickly as they did. That’s a big benefit to the bad guys right now.

• 

  Tim Callan

  Yeah. So, we also wanted to find out like what were the productivity consequences, and this is where actually it’s quite good news. So, 49% of the IT professionals surveyed say that employee productivity increased with everybody being sent to work from home. And this jives with other things certainly that we’ve heard or read in various places that people are being saved their commute. That people are really focused on trying to do well right now. But 49% say it increased and only 16% feel that it decreased.

• 

  Jason Soroko

  Tim, my only comment to that, I’m a remote worker. I know that my productivity is very high working from home. I know for others it’s different but I think for a lot of people who never had the choice, who are now discovering what they can do at home without a commute, you know, and perhaps even without a lot of the commotion that happens within an office, the ability to focus – if you are able to attain that in your home environment – the ability to focus and get work done, I think for those of you who are new to it, congratulations for at least tasting it and it looks like the survey results shows that it’s been positive.

• 

  Tim Callan

  Yeah. Right back at you. I agree. I also have been a work-from-home, remote worker for a long time and it works very well for me. I do see that it’s not for everybody, but it does work well for a lot of people. And so, interestingly, we wanted to know if this was just sort of the IT professionals with their own blinders on asking this so we segmented out C-level executives who should have a broader sense of what’s going on in their organization and for them that number actually went up. So, 63% of the C-level IT executives felt that productivity was up inside their organizations, and they’d have better visibility on that. And so, you know, maybe not surprisingly, based on that, 60% of respondents believe that remote work will increase somewhat or significantly compared to what they had before the COVID-19 lockdowns took place. So, you know, these people are saying yes, you know, I think productivity increased and I think we will just keep right on doing it.

• 

  Jason Soroko

  That is interesting, Tim. So, work-from-home technologies, it won’t be a flash in the pan. This is probably going to be a trend. If people are noticing that work-from-home is a positive thing then the technologies that are associated should have a bit of a boom for a while.

• 

  Tim Callan

  Yeah. So, now another one is you and I have talked a lot about Zoom. Right? It’s been all over the news. So, you and I talked in terms of end-to-end encryption and video conferencing phishing and video conferencing and Zoom bombing has been all over the news. It is not actually the top concern for the IT security professionals. When we ask how does broadscale remote work increase your concerns for your own organization’s security, the top responders were - - the top responses were for phishing and other malicious email and insecure home wi-fi. So, when you ask the IT security professional what they worry about, they are not really worried about their video conferencing being hacked or people sneaking in. That’s what they are really worried about. They are worried about their employees sitting at home getting phished and they are worrying about insecure home networks that are giving them vulnerabilities.

• 

  Jason Soroko

  Well, that also makes sense, and I don’t know how many Starbucks are open right now or people hanging out at public wi-fi but, typically, when I think of those things that, to me, is the most obvious. I would be worried if I had a large workforce working from those kinds of access points.

• 

  Tim Callan

  Right. Or somebody’s home wi-fi, right? They just go down; they just drive down to Best Buy and they buy whatever box has the lowest price tag on it and come home and plug it into the wall and it just works, and they never touch anything with it. They don’t think about the security. They don’t even know how to change the security settings. And you can imagine that being a little bit of a scary device.

• 

  Jason Soroko

  Yes. Especially when we’ve heard a lot about wi-fi routers that perhaps are still out there that cannot be updated or will never be updated and default username and passwords.

• 

  Tim Callan

  And seven years later, it’s still sitting there.

• 

  Jason Soroko

  Yeah.

• 

  Tim Callan

  Exactly. Exactly right. So, that is worrying our IT professionals and I would say rightly so. I think that’s a valid thing to be a little concerned about. So, that was good news.

  Now, a little bit of the not-so-good news. So, we investigated the various ways that they are authenticating user identities as they come in and certainly some of that was good 56% of them are using certificates by way of example. Twenty-six percent (26%) say there are using biometrics. So, that would be a couple things. Right? That could be a fingerprint reader on a laptop or that could be like a keystroke biometric, but it also includes a bunch of methods that you and I know to be weak including just good old fashioned username and password, which is being used by 65% of organizations and hardware tokens, which is being used by 50% of organizations. So, what do you think of that, Jay?

• 

  Jason Soroko

  Awe, geez, Tim. This is one where, you know, from a technology standpoint, you are either one of two people. I think. There’s a lot of people who are almost like cultists around specific technologies and that’s fun. It’s fine for some people. For me, it’s just a tool to get a job done most of the time. But when it comes to authentication, I really am a believer in getting things done the right way. The movement towards password lists, I don’t think we can get there fast enough. The days of the hard tokens, Tim, is something that you and have talked about on previous podcasts. You know, the pain. I personally read, you know, perhaps most of the information I have on this topic is more anecdotal because I was following a lot of threads on the internet about administrators who were trying to quickly get people up and running and productive from home and get authenticating measures out. The amount of pain there was to dropship tokens to people was unbelievable and you can even see some of the corporate announcements from these companies who have these hardware devices trying to show, oh, well, we will ship it ship this way and well ship it - - you know, the flexibility in shipping was something that they knew they were failing on. I mean, my goodness, the fact that we still even must be talking about that, Tim, is unbelievable.

• 

  Tim Callan

  Yeah. Yeah.

• 

  Jason Soroko

  So, I really feel that there was an enormous amount of pain in terms of quickly provisioning employees with an authenticator.

• 

  Tim Callan

  Yeah. Absolutely. Yes. Yes. You and I both shake our heads at that one.

  Alright. So, next thing that we talked about that we wanted to look into is what is the likelihood that coming away from this they would be motivated to take additional measures should I say to improve security and business continuity, and, in this case, it was pretty high. Right? Ninety-three percent (93%) of people surveyed said that they would have some kinds of initiatives that were gonna increase their security or their business continuity in the next 12 months and 59% of them felt that once their offices were reopened and people were back in the office that their overall level of security was going to be higher than it had been in pre-COVID-19. So, there definitely is a sense among survey respondents that they are looking at these, you know, looking at this as an opportunity or I would say maybe even it was required for them to improve their overall security and business continuity posture.

• 

  Jason Soroko

  Well, that’s a good thing. Taking advantage of opportunities within a crisis. That’s what I’m hearing from this. The fact that people are gonna make the investments to be better. They were forced to and that that investment will have a legacy. That’s a good thing.

• 

  Tim Callan

  And here, this is another interesting one. So, we looked at compliance and said what’s your level of confidence that you can be in full compliance with the industry and government standards that apply to you during remote work and only 29% of them said that they are completely confident that they are in compliance. So, there’s a big gap. Seventy-one percent (71%) who sort of either felt they weren’t or weren’t entirely sure that they were.

• 

  Jason Soroko

  Wow. Only a third thought they would be. That’s significant.

• 

  Tim Callan

  Or felt they knew they would be. The question - - the wording was “feel completely competent” – or “feel completely confident” rather. So, it wouldn’t have to be - - to answer no to that question, you wouldn’t have to say, oh I know we are out of compliance. You just have to say, I can’t tell you for sure that we comply. But still – that’s bad. Right?

• 

  Jason Soroko

  Wow. Yeah. And I guess compliance means different things to certain different people as well. I mean it’s a little bit wide open in terms of what compliance you think you might be under but nonetheless, if over two-thirds feel that they probably won’t be to compliance, that’s significant.

• 

  Tim Callan

  Yeah. That’s non-trivial. And you can see where that would happen, right? Because all of the sudden you’ve got this situation where you say, I don’t know what machine they’re on. I don’t know how they are accessing the internet. I don’t know what they are doing all day. I don’t know what their physical conditions are. I mean there are certain jobs where there are physical security compliance requirements. Now all the sudden you send those people to work from their homes. Well, nobody sits in a Tier 3 facility at home. Right?

• 

  Jason Soroko

  Yeah.

• 

  Tim Callan

  So, close the bedroom door and now it’s a Tier 2. Right? It doesn’t work that way. And so, I can see that being a very realistic problem and I can see people saying, well, look, they must work from home. There’s no getting around it. We are just going to have to deal with that and if someone comes and tries to fine us, we are gonna say, hey man, what are you gonna do?

• 

  Jason Soroko

  That’s a good point, Tim. You are making me think now.

• 

  Tim Callan

  Well, that’s good.

• 

  Jason Soroko

  I’m thinking of a HIPAA rule that’s basic. It just says that, you know, the screens that a nurse is working on cannot be easily visible to visitors. Just something as simple as that.

• 

  Tim Callan

  Right.

• 

  Jason Soroko

  Who knows what kind of corporate secrets might be sitting on a person’s home office desk.

• 

  Tim Callan

  Yeah. I’m sitting in my dining room with my laptop open because this is where I must work and anybody walking by on the sidewalk could look in the window and read what’s on my screen. Absolutely. These are real concerns and I think that’s what you are seeing reflected in that number.

• 

  Jason Soroko

  I think that’s exactly right, Tim. It’s interesting.

• 

  Tim Callan

  Yeah. So, those are a few of the highlights. Honestly, this is a big survey. We’ve got a whole whitepaper on it, and I don’t want to go through everything there is but if you come see us at Sectigo.com and go to the resources section and look under whitepapers, you’ll find it. It will be right up near the top and I’m encouraging everybody to come download it and see all the results of the survey for yourself.

• 

  Jason Soroko

  Thanks for reading that out, Tim. Very interesting stuff.

• 

  Tim Callan

  Thanks, Jay. Thanks, Listeners. This has been Root Causes.