March 2020 amidst the spread of Covid-19 and the UK government imposing the first "lockdown", marked the most significant challenge to IT departments within organisations across the country. Remote access services became the foundation for a monumental re-engineering of working practices, with many cases entire workforces changing into a "work from home" β an arrangement that has continued to persist for nearly an entire year.
If ever there were any tongue-in-cheek interpretations of WFH, these were quickly dispelled as IT functions received the challenge to enable organisations to work in this new context en masse.
It is worth pointing out the significance of this challenge, as most organisations size their resources to support from say about 20% of the workforce accessing IT resources remotely. This scaling up of resource requirements and lots of other associated implications, and the achievement of it, is a testament to the significance of IT within the UK economy. Indeed, this is a motivator of the BCS VitalWorker scheme that was launched over the summer of 2020 [3].
But now that we have seen many organisations in the IT sector address the remote working requirement, can we take a longer-term view of what the information security function (and indeed many office-based functions) of the future might be like? According to a poll mentioned in the Independent, 7 out of 10 organisations surveyed were considering a change to rules and regulations considering how staff have reacted to Covid-19 [1]. 57 per cent of "business owners were already looking at adapting many of their usual practices moving forward" [1]. I have seen through my professional network that some organisations have already started taking action to reduce real estate footprint, e.g. by not renewing leases, instead offering staff passes to office space across the country so they can access meeting rooms and office space on an as required basis.
The business opportunity presented by WFH "at scale" is obvious. Organisations can scale back often expensive resources, prime real estate, the associated running costs, and change their organisational working practices to assume WFH is the default for many.
In the information security space, this presents some interesting ideas. Can a Security Operations Centre run on an entirely remote basis? Can your information security risk team be run remotely? In many cases this is entirely possible with additional benefits. Itβs also worth mentioning that much of the home working technology we take for granted in 2020 has only been made possible by innovations by IT professionals and the contributions made by cyber security professionals over many years prior.
There are some sub-surface considerations. In the WFH mode, information security and IT functions could potentially benefit in several ways:
For an information security function, many of the day to day activities translate entirely to WFH. This offers the potential for a job market being created that is entirely dynamic and flexible, with the possibility of addressing inequalities between geographical regions in the UK. It will not matter so much whether a person lives in vicinity to a workplace if the potential were realised. This is especially important in light of the scarcity of resources, particularly in cyber security. There may also opportunities within a WFH environment to improve diversity in the workforce, for example an employee base that spans the regions of the UK and perhaps represent the customer outlook more accurately.
But there are also new challenges that also must be considered. The impact of sometimes solitary working needs to be fully understood. While technology allows for communication between employees online using video and audio, and other tools are available, it is too early to say how this affects the working dynamic on a large scale.
The information security implications of home working extend beyond the feasibility of transferring information security teams to the same way of working. These implications include:
The risk implications of moving information and technology into the home environment. Many of the physical and logical controls around the workplace are evidently not applicable in the home. A wide range of interlocking security controls apply in modern workplaces. The change in risk profile is not as substantial as it might first appear, as business critical information will continue to reside in data centres or Cloud infrastructure as before, but it is worthy of consideration particularly around unauthorised access/availability risk.
The effect of a more blended way of working in the home environment. This includes the use of networking infrastructure, albeit limited in extent, that is shared by personal ICT and corporate. In well-configured corporate ICT this risk should be minimal and no different to mobile use, for instance at conferences or hotels. But risk will remain around contention and the availability of connectivity.
The changing information security implications of home working for a workforce and how this translates into the work and workload of an information security team. Inevitably this will produce a more diverse range of queries, interests and requirements, and information security teams will require greater resources and lateral thinking capacity to accommodate them. This will likely lead to a greater resource requirement for information security teams to support home working employees.
The BYOD opportunities presented to companies by personal ICT systems, and their potential to access corporate infrastructure through VPNs, remote desktops, and similar. This has always been an interest in industry IT strategies, for example in the use of personal mobile devices, but brings with it implications when used as a routine access method and desktop working environment.
Many businesses will see some of this as an opportunity. The cost of networking infrastructure in the home is borne by the home worker, which relieves employers of the installation and maintenance implications. The opportunity to use personal ICT equipment could add further cost savings into the mix. However, some aspects will require further analysis and strengthened security controls may be appropriate.
There are also personal factors in the WFH mode that can have a significant bearing on whether an employee can realistically work from home on a permanent basis. These factors relate to the "duty of care" interests of employers and mean WFH is not a viable prospect for all employees, and where accommodation must be made. In any WFH scheme, thinking beyond the flatscreen display and laptop will be critical. This also includes "lone working" and the risk management requirements that entails.
The digital divide, a term common in the late 1990s and early 2000s, is also highly relevant when we look at moving IT and information security functions to a remote working mode. This term refers to the gap between demographics and regions in terms of their access to modern ICT technology and those that do not have access. A simple example could be the availability of Fibre broadband technology, but it is more broader and encompasses all information and communications technology. Could we see WFH contracts of the future require that an employee to achieve a minimum broadband speed wherever they choose to live? This could be a possibility. In a sense a WFH arrangement is at the mercy of the national communications infrastructure, offered by the likes of BT and Virgin Media. This interactive map tool from the FT makes it clear how much this can vary in practice.
At a micro-level the performance of individual home connectivity solutions will be fundamental to employee performance. Here employees invariably use consumer residential-grade connectivity, which has neither the Service Level Agreements (SLAs) one would expect to see (either explicitly or implicity) in corporate environments, or underlying technology infrastructure that supports resilient communications. Home workers have one route out of their property for Internet connectivity, that has to transit a significant number of dependencies before reaching resilient IP-based infrastructure, in turn then transiting Internet backbones back into the corporate environment. This has considerably more complexity than most in-office network access. A study by EY showed that 26% of users reported inconsistent broadband had caused difficulties when working from home, and also noted the implications of Covid-19 on support services within communications providers [5].
We've started to see interest in resilient communications being addressed by communications providers. While the UK VDSL and VDSL2+ broadband infrastructure is the obvious port of call for home working connectivity, the advances in cellular technology has been astonishing since the introduction of 3G (UMTS) in the UK in 2003. This was then followed by HSPA offering up to 7.2Mbits/second and then up to 21 Mbits/sec with HSPA+. Long Term Evolution (aka 4G) and then LTE-Advanced have recently transformed both the throughput and latency of Internet communications. This has highlighted the viability of 3G and 4G as a bearer for Internet access, which is now common in rural environments. Crucially, the arrival of hybrid 4G/VDSL routers offer the prospect of resilient connectivity that seamlessly switches to LTE carriers when broadband becomes unavailable (for example, BT's 4G Assure service). This has made the potential of relatively resilient home connectivity apparent.
Aside from the technological resilience of the communications service, we also have implications at Layer 3 as a result of mixing residential and corporate packet forwarding. Corporate applications, particularly VOIP and video conferencing (aka "inelastic applications"), are less tolerant to packet drops, delay, jitter, and out-of-order delivery than applications like web browsing and email (aka "elastic applications"). The most widely adopted strategy - over-provisioning - may not be viable in some cases, suggesting a role for Quality of Service. Evidence to date suggests broadband providers are unwilling to introduce support for QoS. This contrasts with corporate networks where the potential for end-to-end QoS is clear. There is potential within the home environment to achieve some level of QoS, such as using Wi-Fi Multimedia (WMM) (802.11e) that provides traffic prioritisation for Voice, Video, Best Effort and Background transfers, or router-specific QoS capabilities, but this is dependent on user expertise to identify settings and configure appropriately.
Coupled with innovations in home connectivity, the wider implication for businesses may lie within business process engineering - ensuring businesses processes are themselves resilient to personnel being unavailable due to connectivity issues.
We should also be mindful of the physical environment home workers operate from. There has also been some interesting discussion about house builders taking into account home working in new build projects such as creating communal work spaces [2], and it will be interesting to see how this unfolds both for existing housing stock in the UK and new builds.
What has struck me in 2020 is how different this situation would have been were this to have taken place in the mid-1990s, when the emergence of ADSL was in its infancy and many were using 56K modems (or indeed less!) to connect to the Internet. The convergence of a wide variety of technology, systems, and requirements, on Internet protocols and solutions has also been a significant enabler this year β think VOIP, audio and video conferencing, etc. combined with vast reductions in the cost of transacting business in the form of calling rates and Internet access.
It is early days as we review the implications of Covid-19 on future working practices. There have been considerable successes β witness the adoption of Microsoft Teams and Zoom for instance. But we need to understand more about the broader implications of fundamentally changing working practices, considering more than technology. There is also an important role that is already being fulfilled by our national and international professional associations, such as BCS [4].
Covid-19 while obviously awful in its direct impact could potentially bring about indirect changes to way IT and information security operates across the UK economy. The consequence of bringing many workforces entirely into a WFH mode will crystallise minds as to what this could mean in terms of the future workplace and how this could benefit organisations and the wider UK economy.
[1] https://www.independent.co.uk/news/business/news/working-home-cheap-save-office-business-boss-a9542781.html
[2] https://www.buyassociation.co.uk/2020/05/21/construction-new-developments-focus-on-home-working-after-coronavirus/
[3] https://www.bcs.org/more/about-us/press-office/press-releases/bcs-campaign-recognises-the-vital-role-of-it-workers-in-our-national-life/
[4] https://www.bcs.org/
[5] https://www.ey.com/en_uk/tmt/broadband-quality-and-resilience-a-key-consumer-concern-during-covid-19
November 21, 2020