Information security executives must balance productivity and user experience against digital security interests, according to new research from Menlo Security examining the new normal in corporations across the U.S.
The survey of 200 IT decision makers shows 87% of those surveyed agreed security will need to better support user experience issues. As remote workers deal with a series of problems ranging from slow access speeds to poor connectivity to difficulty accessing resources, 80% of respondents say they will need to support a hybrid IT security model to foster work-life balance.
The report echoes earlier research that indicates the COVID-19 pandemic is forcing companies to rethink the balance between digital security concerns and employee productivity while ensuring work-life balance.
"So you have to increase productivity and at the same time secure it, you can't trade off user experience for security anymore," Kowsik Guruswamy, CTO at Menlo Security, said. "That model is broken."
Since the outbreak of COVID-19, remote work has exploded in the U.S., according to several data sources. In April, when the first wave of the COVID-19 pandemic was ravaging the northeast and most American businesses and schools were in lockdown, about 51% of U.S. workers were remote, according to data from Gallup. By October, the percentage of remote workers fell to 33%, but another 25% of workers were still performing some work remotely.
Starting in mid-March at the beginning of the nationwide lockdown, millions of workers and schoolchildren operated from home. That first wave of closures led to a worldwide scramble for laptops and other computer hardware.
"One of my favorite stories I tell about the pandemic was at the start, I had a global insurance company, and on a typical day they had 500 remote employees," said Rob Smith, research director at Gartner's Endpoint and Operations Security group. "They went from 500 to 50,000 overnight, and of the 50,000, half of them didn't have computers."
Millions of workers across the U.S. were grabbing any old computer they could find, whether older laptops or desktops. Some scrambled to buy computers, and others brought their desktop computers home from the office.
Those computers, in many cases, lacked adequate virus protection, firewalls and patching to comply with company policies.
"And so they've been part of a botnet for three years, you know, and so now this botnet computer is on somebody's network," Smith said. "And because it's on somebody's network the hacker says, 'hey it's Christmas.'"
Risks in remote locations
In general, employees face considerable risks while conducting work from remote locations, according to Menlo research. Two-thirds of IT professionals are facing email and web threats, and 40% are facing threats to cloud or IoT environments.
More challenges lie ahead: 77% of IT professionals say they need to rethink their virtual private network and remote access strategy in the future, and 82% expect to see new compliance rules, according to the research.
One of the most urgent security-versus-performance challenges companies are facing is the capacity of a VPN to handle a fully remote workforce. VPNs were traditionally set up to handle maybe 10%-15% of total traffic, for example providing secure network access to a limited number of remote employees and contractors.
"One of the first things that happened was suddenly when everybody went home, those VPN infrastructures started choking," Guruswamy said. "It just wasn't designed and scaled to meet that sort of demand."
When companies sent all of their workers home, they had to move to split tunneling, which is designed to ease the pressure on network capacity, but could leave some sensitive information more vulnerable.
The Menlo Labs report reflects trends seen in earlier research conducted during the pandemic. An October report by Hysolate, a firm that specializes in remote workplace security, shows CISOs are fighting a battle between maintaining strong enterprise security and enhancing worker productivity since stay-at-home orders began.
Fortune 2000 CISOs said legacy remote access solutions, like virtual desktop infrastructure, desktop as a service or virtual private networks, are not quite meeting the needs of a fully remote workforce, according to research conducted with Team 8. Half of CISOs surveyed said corporate security policies are impacting productivity when they are forced to scale remote-first policies.
"Companies adopt a variety of approaches to secure corporate access for remote workers [that are] working on home networks and their personal devices," Tal Zamir, co-founder and CTO at Hysolate, said via email.
The isolated virtual desktop allows workers to separate corporate assets from risky personal web activity, but companies also need to compare the cost and overall user experience when using these options.
Well after the pandemic comes to an end, a large percentage of workers will continue to work from home, either full time or splitting time with the office, Smith said.
"I wish I could say there was a great magic bullet to make remote work easier," he said. "What companies need to do as soon as possible is move to the cloud of whatever (data) they can move to the cloud."