With Canada’s Chief Public Health Officer urging Canadians to avoid gatherings of 50 people or more to limit the spread of COVID-19, IT leaders without pandemic business continuity plans — or who have discovered their plans are out of date — are rushing to put together remote access capability so employees not already doing so can work from home.
One sign: On Monday service at Microsoft’s Teams was briefly sporadic, perhaps reflecting increased use from remote workers.
Another: Over the weekend, the staff at remote desktop service provider Citrix had to work long hours to meet customer demand.
“Demand is absolutely through the roof,” Ed Rodriguez, vice-president and general manager of Citrix Canada, said in an interview Monday. He didn’t cite specific numbers.
Visit our COVID-19 landing page for more information:
“About 10 days ago worldwide Citrix saw a very significant uptake in queries [about products and services], followed by customers asking for quotes. Then seven days ago that accelerated into lots of demand by customers. Many are taking initiatives [now] to make sure work from home is capable on the infrastructure side and then rolled out.
“I think a lot of the go-live for work from home projects is actually today [Monday]. Quite a number of organizations across Canada have gone full-fledged work from home [now].”
That doesn’t mean it’s too late for organizations that have not already prepared for remote work. But they may find it harder to get time with consultants to help ensure they have secure and effective connectivity. Often software-as-a-service offerings for remote desktop access and collaboration tools will be the fastest option.
Some firms “are scurrying now to figure it out and are leaning on subject matter experts to help them get through this as soon as possible,” said Rodriguez. That includes assessing what needs to be done, any changes to the technology stack that may be needed and processes that may have to be altered or invented to make remote work as productive as office work was before.
“We probably went from 20 per cent of organizations in Canada two weeks ago thinking and starting to really prepare,” Rodriguez estimates, “to 50 per cent last week. Now, 75 to 80 per cent are starting to make those plans a reality. The last 20 ought to start making those plans now.”
The longer those firms wait the harder it will be for them, he added.
Like Citrix, BlackBerry is among the vendors reporting a sudden leap in demand for remote solutions. Alex Willis, the company’s vice-president of global sales, said in an interview this morning there’s been a big spike in sales recently for BlackBerry Digital Workplace. It’s a $99 a user a year managed bundle that includes BlackBerry Desktop (extends corporate data to remote PCs for email, calendar and secure browsing), an antimalware from its recent acquisition of Cylance and integration with a product Awingu, a web-based front end to a virtual desktop infrastructure. No VPN is needed, he added.
Digital Workplace was launched early last month to meet the general demand for remote desktop solutions, Willis said. But shortly afterwards when COVID-19 turned into a pandemic sales lept. He didn’t give specific numbers.
All IT needs to do is provide a link to home users to download Digital Workplace. Willis said download, install and activation can take five minutes.
Last week Gartner analysts told IT World Canada that organizations heavily using cloud applications will find it easier to have staff shift to work from home, as long as enterprise security isn’t put at risk from home computers with vulnerabilities.
For CIOs/CISOs who are only starting to think of what to do, Tony Anscombe, chief security evangelist for antivirus provider ESET offers this advice. Broadly speaking there are three categories of office workers, he said in an interview:
- Staff who regularly work remotely (presumably with company-owned or controlled laptops whose devices have to be secure. They’re no problem because these devices live outside the network already. They may already have full-time data encryption, a VPN and multi-factor authentication, and no IT work is needed;
- Staff who are “semi-mobile,” meaning they use laptops in several locations within the office. IT may need to take extra precautions now that those devices will connect from outside the corporate network;
- Those who only use a desktop or laptop computer at one location in the office. These people will be the most risk to the organization because their home computers — or office PCs they are allowed to take home — have to be protected.
IT may have to install a VPN if access back to a data centre is needed, and mandatory full-disk protection — if possible — may also be needed to protect corporate data, in case it’s stolen. In addition, a solution for scanning and auditing new devices for vulnerabilities if they have to connect back to a data centre would also be useful.
If a VPN is needed, the CISO will have to ensure it is capable of multi-factor authentication through an app (like Google Authenticator or Authy) and not a text message, which can be intercepted.
Other suggestions are turning off Windows remote desktop protocol if possible and the ability to plug in USB keys, which could transmit infections to the corporate network, and remind employees to log off when their computers aren’t in use to prevent family members from using them to download something that could infect the network.
Remind employees who will work remotely of the need to work as safely from home as they do in the office. That means being aware of malicious email and text messages — particularly those offering COVID-19 “information.”
Finally, Anscombe says that because the crisis may last weeks remote employees may slowly forget the discipline of working from the office, so he suggests managers be told to start with a team call every morning. “Understand what everybody’s going to be doing that day, because once you lose social action it may be challenging to self-motivate.”
Making sure home computers that will be used for remote connectivity are safe — meaning they have been patched and scanned for viruses is crucial. In some cases, CIOs/CISOs will have to add scanning capability through software-as-a-service mobile/enterprise device management solutions such as SOTI, IBM MAAS360, MobileIron, BlackBerry and others.
Ken Ammon, chief strategy officer of OPAQ, a security-as-a-service provider, said recently his firm blocked a PC of a new user who worked for a European software developer. The customer had sent staff to work from home due to the pandemic, but when this user tried to connect to the corporate network for the first time OPAQ discovered the computer was “completely infected.” The user couldn’t go further until the machine was cleansed.
He worries that the computers of many home users also have many vulnerabilities that CISOs aren’t prepared to detect. He also wonders if new VPN users working from home will understand the need to turn it off when not accessing the corporate network or corporate cloud services. “I find it unlikely that the average user in this short time frame is going to grab that level of training and knowledge to navigate a VPN.”
The other problem, Ammon said, is that for compliance purposes some organizations need applications that constantly monitor user devices. That’s fine when the device is corporately-owned. However, if IT has users install an application on a home computer for remote workers for the same purpose some users may balk at, in effect, being monitored all the time. Those users need to be trained in turning off the application when the computer is used for personal surfing and turned back on when it’s used for accessing corporate assets.