Director of Product Richard Beeston explores how to get the most visibility and control over your distributed and evolving workforce
The uncertainty around what the future of the workplace will look like creates a significant challenge for IT teams in every industry because they need to be prepared for the unknown. But where there’s change, there is opportunity.
Organisations everywhere will need more control and better insights than ever before to ensure a secure connection for employees wherever they are located. The pandemic-induced working from home trend is expected to last for quite some time, and realistically, there will be no “big bang” where every worker returns to the office at once. Instead, employees will likely come in on staggered shifts, or on alternate days, to limit the number of people in the office at once. Additionally, organisations will need to prepare for a return to homeworking should another outbreak occur.
In a post-COVID environment, the network will be one of the most strategic technology a company has, as it connects workers and devices to applications, other networks and devices, and Internet of Things (IoT) endpoints. We know that the “new normal” is built on even more distributed connectivity, and this requires even greater levels of network control, assurance and insights.
So, what’s the answer?
It should begin with an assessment of the current network to see if it meets new requirements. This means taking a new look at IT hardware, security, services, and total visibility and control of a vastly distributed workforce from a centralised management system. It’s about being able to provide systems and services that enable the ‘work from anywhere’ requirement.
The challenge lies in the fact that most legacy networks are not designed for a world where many workers are accessing corporate resources from the outside. As we see more data, coming from more places, more connected devices, and more cloud-based applications, we deem cloud-driven networking technologies as a fundamental part of this shift in normal practice.
Secure cloud network management
Despite a widespread shift to cloud-based solutions in recent times, we understand security is an ongoing concern. With the frequency and sophistication of cybersecurity attacks on the increase as cybercriminals capitalise on the pandemic, the best cloud networking providers must keep up with the very latest in security standards and in order to stay steps ahead.
That’s where ExtremeCloud™ IQ can help. ExtremeCloud™ IQ is a machine learning (ML) and artificial intelligence (AI) driven cloud management solution, built on a 4th generation cloud platform. It’s the industry’s only ISO27001 certified cloud, supporting both GDPR and CCPA protections, ensuring the highest levels of regulation, compliance, and data privacy. Organisations can rest assured that their customer, employee, and business data is always protected with ExtremeCloud IQ™.
Integrated with Extreme’s end-to-end enterprise networking technology, ExtremeCloud™ IQ assists in collecting data to build, secure, and maintain agile and distributed work environments. Additionally, its RestFUL APIs enables network administrators to take advantage of third-party applications or scripts to provide additional insights.
Contact tracing enablement
As more workers return to the office, organisations must consider ways to track their employees to help prevent the spread of COVID-19 among their workforce. With a cloud solution in place such as ExtremeCloud™ IQ, organisations can enable contact tracing within buildings by delivering useful connectivity and identity data to the appropriate apps. Administrators can easily track where users connected, where they roamed within the facility, and what other devices were connected in those areas at the same time, then feed that data to third-party applications that support contact tracing.
ExtremeCloud™ IQ can also assist in occupancy management for facilities, human resources, and legal teams tasked with reducing risk reduction via safe social distancing. Administrators can see which areas are most visited and which devices have the most users across various points in the day. The collected data allows third-party applications to alert on excessive levels of occupancy, the volume of traffic over time, no-go zones, violations of directional flows, or notify staff when areas require additional cleaning, for example. ExtremeCloud™ IQ is also the only cloud-based platform that has unlimited data storage so that administrators can go back over a very long history to determine patterns such as seasonal traffic.
IoT monitoring and robotics automation
ExtremeCloud™ IQ offers secure wired and wireless connectivity and simple, safe device onboarding and management. It can assist with connecting IoT sensors and automation tools, and scale-up agile work environments wherever those are needed, as well as pop-up locations, employee’s homes, or additional smaller workplace locations to reduce mass occupancy in a single space. It also helps to manage remote operations for unmanned manufacturing facilities that are using robotics assistance to minimise staff exposure.
Where do we go from here?
The COVID-19 pandemic has highlighted the importance of a strong, secure and versatile network. The new normal will be built on data and the ability to use machine learning (ML) and AI technologies to deliver the insights required for businesses to not only reopen, but to monitor the environment in order to continually protect employees and visitors.
Together, Daisy and Extreme Networks offer the ability to effortlessly and securely connect and support your organisation, your network, and your people with cloud networking, helping you transition your businesses and thrive in a changed world. ExtremeCloud™ IQ creates the ideal conditions for your business to flourish, now and in the future.
Want to find out more about the benefits of cloud-driven networking? Why not attend Virtual Extreme Connect 2020 on 16-17 September. With more than 50 different online IT strategy sessions, technology deep dives, and workshops over the two days, simply pick and choose the content most relevant to you. Register for free today here.
Head of Public Sector Sales Andy Riley applauds the NHS’s use of technology at the height of the COVID-19 pandemic.
There are moments in life when either something you’ve waited for or something you’ve predicted actually manifests without you realising. Distracted as we all are by the chaos a certain virus has left in its midst, it’s important to point out when those moments happen – especially when they are moments who provide us with some hope. Continue reading “The IT in Teams”
We put David Davies, Business Continuity and IT Resilience Consultant, under the spotlight to answer questions on IT resilience.
IT resilience is not just about achieving ‘always-on’ systems, it’s also about being able to recover quickly and effectively when things go wrong – and it’s a central element of organisational resilience. In this recorded interview, David shares his insight into achieving IT resilience – what challenges need to be overcome, what pitfalls need to be avoided and lots of useful tips to help you get it right.
Listen to the podcast here, or read on for the article
Can you give us a brief overview of IT resilience?
If you think of an organisation’s IT systems such as email, databases and website, IT resilience is all about keeping those IT systems up and running, ideally without failures or interruptions. The ideal state is to never fail, but you also need to have the tried and tested technology in place to recover from IT failure if it does happen.
As an example, let’s say you have a primary data centre which runs all of your email and other business systems. If that fails, and it’s paired with a mirror image at data centre B, this should carry on running your systems seamlessly, if your primary data centre failed.
If both your primary data centre and your mirror image data centre B fail, your IT systems can be recovered from backups at data centre C – a more traditional recovery service.
An IT system that never fails is the ideal scenario but would come with a significant price tag that makes such a solution prohibitive for the majority of organisations. This is why it is important to do a business impact analysis (BIA) to understand exactly what level of downtime your organisation can tolerate, and then look to invest in a solution that delivers that level of resilience.
And it’s not just about buying and installing new technology. It begins with a willingness to understand the organisation and invest in improvement, so this needs support at board level, as part of an overall organisational resilience strategy.
Key Resilience Challenges:
What are the key challenges in IT resilience and how can businesses address them?
The IT resilience capability of many organisations has vastly improved over the last 20 years due to many factors. Disk storage and networking is comparatively much cheaper, which enables movement and storage of large amounts of data, and makes it more affordable to design for duplication of components and networking. Virtualisation technology has made IT systems and data more fluid across the IT estate it is housed in, rather than being stuck on single servers, and therefore much more resilient to equipment failure. Replication and recovery software is much more sophisticated now.
This is all really good news but it presents some key challenges:
IT departments can trust the technology so much they stop planning for failure
This means they stop investing the time and effort into arrangements and knowledge for what to do if there’s a serious IT failure and it needs to be recovered from backups.
IT departments can get overly focused on the threat of physical failure
Cyberattack presents a different kind of threat. Going back to our earlier example, if a data centre has a second data centre with a mirror copy of the data, a virus or data corruption is mirrored as well, so the data in both data centres is compromised. The organisation needs to rely on backups stored at the third data centre, and crucially, these need to go back in time far enough, to before the virus or corruption occurred.
Does the IT department fully understand their IT environment?
They’ll need to during an IT failure, to know how to recover it.
Does the IT department fully understand the resilience and recovery of IT systems provided by suppliers?
Understanding what your suppliers are taking responsibility for and where the responsibility lies with you, for example cloud service providers.
What about resilience in the cloud?
Cloud’s a fantastic thing for performance, agility, and to improve the delivery of IT systems and reduce costs and so on, but ultimately it’s not a standard, or a rubber stamp – it’s a marketing term for remote data centres. I’ve witnessed a worrying complacency among organisations moving to the cloud, that, “it’s the cloud, it will work!” The reality is that you need to investigate what you are buying and know what’s in the contract with your cloud provider. What would they do in a recovery situation for example, what resilience do they have in place? How would they back up data and recover it – and have they tested it? It’s important to observe tests if you can; at least ask them for test results, policy information and to see their incident management plan. Cloud providers may focus entirely on day-to-day projects, technology uptime and incidents, and not think about “bigger picture” technology outages, such as a complete data centre or site failure – it’s important to identify this mind-set (if it exists at the provider).
How can businesses better understand their current IT environment, considering constant changes in the sector?
Continual technology improvements mean that IT environments are in a constant state of change to try and keep up. For the IT leadership team, it can feel like they’re forever pushing a piano up the stairs while being expected to play a tune! Each time you make it to the next floor, you realise there are more steps to climb.
Imagine you plan to upgrade to a brand new IT environment and network, but by the time you implement it, it’s not brand new anymore, and there are better options out there. This is frustrating for the IT leadership team, but it also means there’s a whole world of work to be done by the IT department to keep pace with change. Hardware upgrades, software upgrades, security patches, new IT servers and services coming online, old ones being retired. While you have the strategic view of where IT needs to go to take the business forward, there’s also so much maintenance work to be done to keep it running.
It’s a bit like living in a house from a horror film where the rooms and hallways and doors keep rearranging themselves. You can draw a map, but you have to keep redrawing it over and over again. It’s really difficult for IT departments to keep a detailed view of the whole IT estate and how it integrates, but it’s also really important to understand this and keep this up to date.
If you’re responsible for IT in some way in your organisation, whether an analyst, manager or CIO, you should ask yourself, “If it failed now, do I know what I need to do to recover it all and restart it?” If you think you’ll need to start with a whiteboard and sticky notes trying to figure it out at the time, that’s bad news. Instead, be aware that a lot of preparation can be done in advance:
Be prepared for resilience:
What are the IT systems and the services they deliver?
What are the servers and hardware?
What are the recovery interdependencies?
What involvement is needed from various IT and end-user teams to recover and validate IT systems?
Answering these questions will help you see where investment is needed to improve resilience.
Resilience and IT project management
Any significant IT change in your organisation will most likely be done through an IT project, such as significant IT system upgrades or new IT services. But, there are key IT resilience pitfalls that can happen with IT project management and it’s important to look out for these, as once the project is completed, it’s unlikely that the operational budget will have the capacity to fix it.
Avoid these pitfalls:
Has IT resilience or ITDR testing been allocated in the budget?
If not, this needs to be escalated to C-level
Is ITDR testing limited to an isolated test of the IT service only, not an integrated test?
If yes, this needs to be escalated to C-level
Is the project team asking for your sign-off (i.e. it is not self-certifying)?
You should give the team a process to self-certify – your involvement is needed to make sure the proper process is being followed, but don’t let them sidestep responsibility
Are there promises to fix things in the “phase 2” that hasn’t been planned yet?
Phase 2 may not happen! – This needs to be escalated to C-level
Are business continuity and IT continuity staff involved in strategic decision making?
Don’t just involve them as an afterthought
Can you give us an overview of the shifting culture of IT usage and how it applies to a business’ expectations of IT resilience?
I’m old enough to remember that in the 1970s and 80s, when computers first made their way into our homes, there was still some sense of wonder and respect attached to them and what they could do.
However, it seems that over time, the better IT gets and the closer it is to our daily lives, the less impressed we are with it, and the more we expect it to do everything for us with minimal effort.
In our personal lives, we’re now all end users, whether it’s of smartphones, gaming consoles, or tablets. I think that as end-users we’ve become a bit spoilt, and expect IT to just work with little thought or effort on our part.
The problem comes when IT professionals take that mentality into work and apply it to the cloud computing IT services that they use, which may be absolutely core to the organisation.
It’s really important for organisations to not just expect cloud computing to work, and to keep questioning and keep challenging.
Read the contract to check exactly what the cloud provider is delivering
Make sure you understand the interconnectivity between cloud and all of your other IT systems
Make sure you know how your cloud provider manages backup and recovery of the IT systems
Find out if failover and recovery processes have been thoroughly tested
If no one in your organisation understands the detail and substance of the resilience of your cloud IT services, what’s going to happen if that goes wrong? Are you blindly trusting your cloud provider?
Remember that cloud is a marketing term, it isn’t itself a quality standard. A supplier might be doing an element of cloud badly, or not be doing enough for IT resilience in their cloud environment – so don’t take the cloud for granted!
Take a step back and think about resilience, not just from a technology perspective but also a wider perspective as part of your organisational resilience
Involve continuity professionals in strategic decisions, for example when considering new platforms and technologies
Consider: what if something serious happened right now, how would the business recover from it?
Be open and transparent about resilience across IT environments, projects and the business
Don’t trust “reliable” technology to the extent you don’t plan for backup and recovery (including physical, virtual and cloud solutions)!
To achieve resilience you need to manage change effectively – keep your “map” updated
About David Davies
David Davies is an award-winning Business Resilience and IT Resilience Consultant at Daisy Corporate Services. He has worked in IT resilience and recovery for more than 20 years, starting in a technical role at IBM looking after data backups and testing disaster recovery on very large enterprise systems. David moved on to project management of disaster recovery testing, then left IBM to work in business continuity consultancy over the last 14 years. In that time, David has worked with more than 150 organisations as a resilience consultant, some medium-sized but the vast majority being enterprise-sized organisations.
Wherever you are in your cloud journey, this hybrid cloud ultimate guide helps you and your fellow decision-makers address your business challenges, and get the most out of your cloud infrastructure. We’ve provided structured, jargon-free pros and cons for different hybrid approaches, along with stats, facts and insights designed to chime with the priorities of key executives, from CEO and CFO to sales and operations directors and beyond. Continue reading “Hybrid Cloud: The Ultimate Guide for Decision Makers [Blog]”
In June 2020, Larato surveyed UK mid-market enterprises, to establish how these businesses handled the challenges of operating in a COVID-19 world. The survey captured the views of over 100 mid-market leaders – CEO, CFO, CIO, CTO, Head of IT – across all sectors in companies employing up to 5,000 people.
Immediately following the lockdown in the UK, most companies were primarily focussed on how best to efficiently retain an instantly dispersed workforce and what cost savings and operational changes could be made to ensure the survival of their business. The challenge was how to implement new working practices whilst ensuring critical business functions continued both uninterrupted and securely. Many organisations did not have sufficiently agile business continuity plans that could be implemented within the extraordinary timescales required. The speed at which lockdown took place uncovered inflexibilities in existing systems and ruthlessly highlighted infrastructure that was not up to date enough to cope with the requirements suddenly asked of them.
Predictably, many organisations had to act quickly to provide interim solutions for their employees to transition from working in an office environment to working from home. Some companies found that even dealing with the fundamental basics like sourcing laptops and business-grade broadband was extremely demanding, due to the global shortage of devices and lack of available connections from service providers. In the early stages of the pandemic, just staying operational took precedence, and the normal business considerations of system scalability, functional longevity and security were forced lower down the priority list for many enterprises. Temporary compromises were made and recorded so that they could be revisited and adjusted as necessary.
For organisations working in regulated industries such as defence or health and social care, how sensitive information is stored, managed, and accessed is highly-controlled. Even in the unregulated sectors, GDPR and data security is taken with the utmost seriousness.
We found that security was the single biggest technology challenge most organisations struggled with when lockdown was enforced: 53% of respondents rated it as their top IT challenge. Furthermore, 74% said that their customers are now more, or much more, concerned about cybersecurity and data protection than they were pre-pandemic.
The enterprises we surveyed indicated a real desire to change their relationships with IT suppliers. CEOs specified a desire to work more with external partners because they recognise that distributed workforces need more remote support and are exposed to more cybersecurity threats. Delivering resilient, robust, high-performance IT has become significantly more complicated.
Enterprises know they need to look to partners for state-of-the-art cybersecurity expertise to counter the reported boom in the cybercrime economy, which is an existential threat to those companies affected, explaining why 65% of those questioned believe that the cyber risk to their organisation has increased, or significantly increased, due to the pandemic.
Above all other needs, these enterprises want their technology suppliers to deliver responsive and reliable support, tailored to their specific requirements. 94% reported technology as important or critical to the future of their organisations and 20% have introduced new security technologies during the pandemic which they intend to continue using in the future. 40% confirmed that their IT investment will increase next year.
Overall, the survey showed that organisations are now looking at how they can restructure and what technology can do for them. Because of COVID-19 and the new technologies that they have had to implement, many are on a learning curve about just how much this new way of working can help them improve their productivity and decrease their operational costs. For example, the collaborative working tool of choice throughout lockdown, Microsoft Teams, when configured to protect against data loss and used with Direct Routing, provides not only enhanced security, but significant and commercially-compelling cost savings, with the ability to dynamically flex to match the size of a distributed workforce.
Looking to the future, flexibility will be at the core of a successful business. Less fixed office space, easily-adaptable cost models and a reduced dependence on a small number of customers and markets all feature as lessons learned by our respondents. With the strong possibility of further lockdowns as the virus threatens to return, using an outsourced workforce and supplier model could prove highly-beneficial in uncertain and disruptive times.
Russell Williams, Principal Consultant in Daisy’s Business Continuity Management team, asks the industry some difficult questions…
As business continuity and resilience professionals we find ourselves in unprecedented times. Both the landscape of the organisations we work with, and the communities we live in have potentially changed forever.
I, like a number of my professional network, have been asking questions like, ‘Where do we go from here?’ and, ‘What do people need us to be now’? The answers to which are not always readily understood or forthcoming because we don’t yet know what our post-Covid world is going to look like. We still have some way to go before we level off at the fabled ‘new normal’.
Wherever we find ourselves, and whatever challenges are presented to us, I believe there are some fundamentals that we should not forget or do away with, but neither should we be afraid to move with the times.
They are good practices for a reason
More than ever, the methods we use as a discipline are relevant. Now is the time to use our tried and tested techniques, whether that is the Business Continuity Institute’s ‘Good Practice Guidelines’, or the Disaster Recovery Institute International’s ‘Professional Practices’, to take stock of where we find ourselves now, and make sure we are best placed to meet the new challenges we face. These processes and techniques are good, or best practices for a very good reason.
There is, and always should be, a dialogue around moving with the times. The ongoing debate amongst our ranks about the usefulness of the business impact analysis (BIA) is a prime example of this, and both sides of the ‘argument’ get quite heated about it – to paraphrase Shakespeare “To BIA or Not to BIA, that is the question”. I would argue that your BIA is a great tool to understand your criticalities, dependencies, risks, and objectives – all of which are likely to have shifted. What better way is there to understand how your business has changed, and how your business continuity and resilience programmes may need to be adapted as a result? Unfortunately however, some of our ranks will overcomplicate BIA, placing an unnecessary burden on their stakeholders and themselves, to which I would say make it as simple as possible; capture what you need and nothing more in order to achieve the objectives you set out.
Let’s not forget that our industry bodies, the BCI and DRII have been around for 26 and 32 years respectively, and the processes, guidance, and standards that they have helped create and develop mean something. They have been built up by professionals from around the world using years of expertise and experience, and shaped and reshaped as a result an ever-changing landscape of threats and real life events, whether that be 9/11, SARS, The Asian Tsunami, The Fukushima Nuclear disaster or thousands of smaller-scale events that happen all over the world every day. You do not have to follow these guides or standards blindly or slavishly but adapt and apply them to your new circumstances. They will still work.
Tried and tested vs new solutions
We have all seen a massive surge to move to solutions that enable our workforce to work flexibly – predominantly from home. This has undoubtedly changed many people’s working lives forever, largely for the better. Over recent years we have also seen a widespread shift to cloud-based solutions. These shifts, whether they be over a longer period or, as was the case recently, sometimes overnight, present their own set of challenges and risks. As advisors and subject matter experts we should be working with our stakeholders to understand what this means to them, from both a day-to-day working situation, but also as solutions that are used for recovery. One worrying move is the trend to throw away solutions like workplace recovery, and I argue that this is a decision that we should take cautiously. Some organisations have now decided that they can do away with these solutions entirely, and with the consequent savings get themselves a pat on the back from their finance team. But when you take some time to look at the risks involved in replacing these solutions with a 100% working from home strategy, things don’t always add up. There are many roles that can’t or shouldn’t be undertaken from a largely uncontrolled environment like someone’s home. Security, compliance, health and safety, physical and mental well-being could all be issues when implementing work from home policies. In some cases, I believe a hybrid of the new and the traditional is the right approach, new tech like smart homeworking solutions to address the new challenges, and traditional solutions such as workplace recovery to provide a deeper resilience.
Another example where tech could help is software. As a business continuity or resilience professional, managing a programme where people are now more dispersed than ever is going to be a challenge, so having a tool to manage that effectively from the centre could prove extremely beneficial.
Whichever solutions you chose, make sure it meets your requirements and is not just a knee-jerk reaction. Don’t be afraid to move forward with new tech, but do not throw away tried and tested recovery solutions either – they still have a place, it might just be a different place.
Make hay while the sun shines
If we can’t make a case for business continuity and resilience now, we never will. During the last few months, many organisations found themselves wanting, so are going to want to do better. Others really saw the benefit of the time and effort they put into their planning because it gave them a platform from which to start, and while they will have undoubtedly had to adapt to the circumstances they found themselves in (in the face of ever-changing and conflicting advice), they had a head start. There has never been a greater understanding of the benefits of what we do, or the pitfalls arising from not doing it, so we should use that to ensure that we better prepare our businesses, our clients, and most importantly our communities and the public bodies that support them, for whatever comes next.
Where are we now?
Perhaps the question to ask ourselves at the moment is not, “Where do we go from here?” but instead, “Where are we now?” As we have seen, we are not yet aware of what the “new normal” will be, but we have some indications which are already helping to shape our approach to future planning, and we are learning more every day. And in the meantime, however unpleasant recent times have been, we should capitalise upon the focus COVID-19 has brought us and leverage the lessons we have all learned to further strengthen our position as a strategic function in the future and in a stronger position that when we started.
WiFi: Why a connection shared can be a problem halved.
In its 2020 strategy, The University and Colleges Admissions Service (UCAS) outlined, unsurprisingly, that “digital advances are changing the ways students want to explore their options and engage with universities and colleges”.
But 2020, as we all know, has turned many strategies on their heads and for the education sector it’s now the universities and colleges who have had to change the way they engage with their students. But, institutions could, and will, use crisis situations to sharpen strategies as thoughts are already turning to the outbreak’s longer-term implications for beyond the 2020-21 academic year.
The lesson here is that it’s now not the most technologically advanced colleges or campuses that will outrun the competition, it will be the most caring – and it’s time we stopped treating those two things separately.
Rewind only 10 years and lectures up and down the country were being delivered via PowerPoint – or something like it – to students avidly taking notes in good old fashioned notebooks. While over in the halls of residence, students were connecting one laptop to a LAN cable – things have changed fast, so yes, the need for fast, secure and reliable WiFi within the education environment is unprecedented. But what’s the real cost?
Futureproofing campuses by installing hyper-fast Internet connectivity will only take success so far. Yes, it means course content can be delivered – from anywhere – via Teams, yes it means student support or bursary allowances can be processed quickly, and yes, it does mean greater collaboration between faculty staff, students, support, and administrative departments. But what good is this when there is still potential to fail students?
University life is one of the biggest transitions our young adults are going to make. The distance from home, the sudden fending for one’s self, the shift from being financially dependent to financially responsible can in some cases be too heavy a pressure on someone not yet 20. So care – as well as connectivity – must be rule of thumb. And if we start with the latter, the former will follow.
Gone are the days of the one student, one laptop trend. This generation is coming from homes where they’ve had the luxury of private networks allowing unlimited streaming of multiple devices without lag or falter. These students want an always-on, home-from-home experience the second they unlock their dorms. Give them that, and you’re getting them off to the best start. You’re providing access to course materials, social media, Skype for ringing home, campus intranet and all on-site support services from student unions to accommodations services and financial aid.
Beyond that, you’re developing infrastructure with care at its core. Once in place, there are myriad ways of enhancing that network so that it can start interpreting data; start noticing patterns between dwindling attendance to concentrated location hotspots to help identify students – at any point in their further or higher education career – who may not otherwise be speaking up and may otherwise fall under the radar…
So you see networks really are important. Digitally transform one with tech, and you develop another with care.
Richard Beeston is Product Director at Daisy Corporate Services.
We answer some of the most frequently asked questions about SD-WAN
The buzz around SD-WAN has been around for a while. But with COVID-19 driving many UK businesses to evaluate and improve network agility, there are still understandably a lot of questions about the technology. Whether your company already uses SD-WAN or you are just starting your journey, here we answer some of the common questions that customers ask when they are considering SD-WAN to help inform your decisions when choosing the best-fit solution for you.
Got a question that is not listed here? Then please get in touch and our expert team will be happy to provide a personal response.
With much of the UK’s workforce now working from home, businesses must ensure they provide a secure, efficient remote working environment. Unsurprisingly, many home Internet connections are struggling to cope with the increase in bandwidth demand as well as provide the same watertight levels of security that an office network offers.
Working as an extension of your company network, SD-WAN maintains network security while maximising the performance and availability of business-critical applications, with homeworkers connected to the wide area network (WAN) via a secure overlay. This means staff can always depend on the applications they need to do their jobs – regardless of where they are working from – and employers can enjoy peace of mind knowing productivity and security are fully optimised. Oh, and families enjoy minimal disruption to their home connection!
As well as providing a better overall experience, SD-WAN can help businesses operate safely as they start to reopen offices, shops and branches. Whether you have one site or one thousand, you can deploy and configure network and security settings for every site with minimal effort or time spent. Additionally, SD-WAN gives you visibility and control of your networks, devices, users and traffic, helping you respond to changing demands and plan your business’ evolution. With the help of SD-WAN, businesses can rest assured that they can deliver a safe and secure post-pandemic environment, and deal with unexpected events or situations in the future.
SD-WAN is a key tool in the networking industry’s arsenal because it builds on the premise of software-defined networking (SDN), which we’re seeing as prevalent in the industry today. SDN allows you to implement more intuitive-based policies and rules on the network, and when you extend this over the wide area network (WAN) it allows more meaningful access to cloud and software-as-a-service (SaaS) applications. As businesses rely more on cloud-based data and applications, and support a larger distributed workforce, networks need to adapt to this new reality. SD-WAN makes the network more flexible than ever before, keeping pace with new customer requirements and changing business conditions.
As an overlay to an existing network, SD-WAN is easy to implement. By overlay, we mean we don’t necessarily have to change all of the circuits and Internet connectivity, rather start running proof of concepts, putting SD-WAN technology in certain points of the network, and building out a journey with the customer on how they want to adopt SD-WAN technology throughout their entire estate.
SD-WAN enables employee productivity by providing certain sets of features. For example quality of service (QoS) around certain applications such as voice, where voice traffic is prioritised over Internet traffic or email access. This means the QoS on a voice call is retained at all costs over other traffic on the network. Additionally, primary circuits and secondary circuits can be used to direct traffic in certain ways. For instance, accounting information can be routed back to head office using the primary MPLS link, while using standard Internet access via FTTC for email and non-business critical applications. With the introduction of LTE technology into the SD-WAN portfolio, you can rely on 4G or 5G connectivity to keep your sites up and running in the event of a primary circuit failover, all of which means your employees can carry on working while your circuits are being looked after.
An ever-growing skills shortage means businesses can’t always allocate engineers to go on training courses which in turn stops them from adopting new technologies. As an alternative, they can use service providers like Daisy to complement and extend their existing IT capabilities, helping them adopt modern technologies like SD-WAN while they concentrate on the day-to-day running of their business. A Managed SD-WAN service helps bridge the skills gap over both the short and the long term, providing project-based professional and engineering resources, as well as support services around change management, incident management, and break-fix maintenance.
We asked Dr Lucy Green, UK technology industry expert with Larato, to share their expertise and research into how organisations responded to COVID-19 and the lessons that they have learnt during this extraordinary period.
In June 2020, Larato surveyed UK mid-market Enterprises, to establish how these businesses handled the challenge of equipping and managing an instantly dispersed workforce. The survey captured the views of more than 100 mid-market leaders – CEO, CFO, CIO, CTO, Head of IT – across all sectors in companies employing up to 5,000 people.
As expected, we found that COVID-19 stretched even the most robust business continuity plans when it forced organisations to adopt remote working at such an astonishing scale and pace. What might have taken years of planning and implementation had to be condensed into just a few weeks.
How businesses responded to the immediate dispersal of their workforce, will very likely impact their future competitive capability.
The research showed a 50-50 split of enterprises who were readily able to scale their homeworking capabilities and those who struggled. Of those who scaled more easily, almost one quarter reported that they had learned lessons in improving operational efficiencies, which they are using to develop their future strategies. Learning from their challenges and evolving.
47% of companies struggled to establish homeworking with 6% unable to access even the most basic technologies needed: the early days of lockdown saw a furious rush to procure laptops for staff, creating a global shortage. Others struggled with sub-optimal business continuity plans that failed to meet expectations – this was an issue for CEOs and the leadership teams of organisations.
Layer on to the issue around access basic technology provision that connectivity was a serious problem for most organisations and we begin to see the snowball effect that a lack of preparation begins to exhibit. Unstable domestic broadband connections, consumer-grade network equipment together with the exceptional demands of multi-user households, created record demands on Service Providers. 65% of enterprises sought to invest in business broadband for their remote workers, but the sourcing of this connectivity was problematic with 50% reporting that they couldn’t invest because the connections just weren’t available. Connectivity remains the key concern for sustained remote working.
Outside of hardware and connectivity, being able to communicate as an organisation also presents new challenges to UK organisations. Our survey showed that Microsoft Teams was the collaborative application of choice when it came to remote working:
63% of companies were using Microsoft Teams during the lockdown
46% were using it for the first time
65% intended to keep using Microsoft Teams post-lockdown
Data from our survey strongly indicates that remote working is here to stay:
53% of enterprises expect to keep 10-25% of their workforce at home for the next 12 months.
30% expect to keep between 25%-50% of their workers at home for the rest of 2020.
When asked how important technology is to the future success of their business, almost half cited that it is important, with the other half saying it is critical.
With that in mind also most 42 % of the companies that took part in this survey say they plan to increase their IT budgets for 2021 and 20% saying that the increase will be more than 5% year on year. This increase in budget to accommodate secure, flexible remote working is not just throwing money at a problem as most businesses are now seeing the advantages of working in the cloud, it won’t be long before many of them extend their entire unified communications structure there too.
If there is one single business benefit to be derived from this global pandemic, it is that enterprises that are still trading will now know their businesses inside out. COVID-19 has forced organisations to scrutinise and audit every facet of every department to identify where operational efficiency improved, and where business practises can be honed to ensure survival in a very uncertain commercial environment.
Smart CEOs know that this virus is not done yet, and with second and subsequent global waves of COVID-19 possible over the next year or more, they have to plan for the potential business disruption created by possible future lockdowns and staff furloughs.
These new tools and communications platforms, like Microsoft Teams, have powerful measurement capabilities that can accurately measure cost-effectiveness and productivity, even with a dispersed workforce. 90% said that they fully intend to measure both and to use this information to shape how their businesses operate in the future.
It may not have been planned, but by implementing an IT infrastructure to enable homeworking, many of these organisations now find themselves well-armed with a new set of business IT tools that offer more than just the ability to keep them trading. Maximising these tools and revisiting the part they play in your business continuity models is now more vital than ever before.
Nathan Allison, Head of Operational Security, Daisy Corporate Services, answers some timely questions around cybersecurity
Our current need to physically protect ourselves, others and our NHS, means that our mobility is limited to a life-changing extent. In this way, we can do less as individuals. As employees, however, many of us can do more than we ever could before, from the comfort of our own homes. With security experts predicting that COVID-19 presents the greatest ever cybersecurity threat, now is an excellent time for Nathan to share with you, his “frameworks first” approach to operational security…
Listen to the podcast here, or read on for the article
What is Operational Security?
The whole world of cybersecurity can be simplified into two main categories. Firstly, Information Security which is concerned with policy, standards, regulatory compliance and audits. Secondly, Operational Security which covers procedure and the governance of technical controls.
To make the distinction clear, I like to think of Information Security as the ‘why’, and Operational Security as the ‘how’. For example, the control might say you must implement a minimum password length. Operational Security might define Microsoft Active Directory password controls are implemented, and to what level – the technical how.
The main elements of Operational Security are:
Identification of critical information
Analysis of threats
Analysis of vulnerabilities
Assessment of cyber risks
Application of appropriate countermeasures
Control frameworks perhaps bridge the gap between Information Security and Operational Security.
How can working within a framework help with operational security?
Achieving compliance and perhaps certification of any given control framework is a method of demonstrating various things. It indicates that you behave in a given fashion, that you can provide a level of assurance that you can be trusted with handling data and information (pertaining to customers, suppliers, partners and staff for example) in a way that meets specific expectations. It’s the same as your local fish and chip shop displaying its Food Hygiene certificate so that customers can be assured that the parts of their business (that we can’t necessarily see) are up to the level that we are happy with as customers.
However, the overall aim doesn’t have to be to satisfy every objective within the framework (if you’re not mandated to do so, for example by industry regulation). Instead, perhaps the aim should be to use control frameworks to strengthen your security position, which can be done in a variety of ways. The highlight is that frameworks provide an excellent insight into what IT managers, cyber defenders and chief information security officers (CISOs) should be thinking about.
What frameworks do you recommend to help organisations keep safe and secure?
Unfortunately, there is no ‘one size fits all’. Differences in industry sector and size of business, and differences in the value and types of information within the organisation, will all require different levels of controls for protection. In general, these controls tend to be less well-considered for smaller organisations but utilising control frameworks is a great way to help improve your security posture, whatever your size.
There are many frameworks that you can certificate against, including ISO27000 as a broad business certification, and a perfect one for the UK is Cyber Essentials. This is a baseline control framework sponsored by the National Cyber Security Centre (NCSC), part of CESG (the information security arm of GCHQ). This is an excellent, straightforward, five-step programme that Daisy actively supports. We have that certificate ourselves and help many of our customers attain and move towards this.
Cyber Essentials Framework
I would encourage all UK business to look at Cyber Essentials and think about adopting their goals:
Help to guard against the most common cyber threats
Simple, actionable standards to reduce risk
Applicable to all organisations, regardless of size
Protecting against known attack vectors
Is this more relevant right now, with organisations having a greater reliance on a remote workforce?
Absolutely, yes. And it can be utilised by any size of business. The basic five principles are quite straightforward and it might be that businesses are doing these things already but have never thought of them in the context or terminology of a control framework. The value is in bringing these actions together as a single entity and matching them against compliance.
At a high level, there are five elements covered by Cyber Essentials:
Boundary firewalls and internet gateways
Your perimeter is the doors and windows of your house, you need to make sure that your perimeter is secure. Make sure the doors and windows of your house are only open in the way you require – so for the thief carrying out his survey, they will be the locked doors and closed windows requiring more effort to get around to gain access. Boundary firewalls and internet gateways determine who has permission to access your system from the internet and allows you to control where your users can go.
With today’s situation and an extended remote workforce, you need to be thinking about how your perimeter has changed.
This reduces the functionality of each computer or device to the minimum required for that user to operate. This will help prevent unauthorised actions being carried out. It also ensures each device discloses only the minimum information about themselves to internet. A scan can reveal opportunities for exploitation through insecure configuration.
In our current environment, this is about making sure that what you’re utilising is done safely. So for example make sure that the machinery your extended remote workforce has, is encrypted, because more data is at the edge of the organisation, than usual and so consideration about the security of the devices is obviously important.
It is important to restrict access to a minimum. This is to prevent a hacker being presented with a series of unlocked doors allowing him access to all the information he is looking for. Administrator rights are the Holy Grail for a hacker. Once he has possession of these he can effectively go everywhere and has full control. Administrator rights should be restricted for only administrator actions. Convenience sometimes results in many users having administrator rights and therefore creates opportunities for exploitation.
This is another key pillar of particular relevance now with increased remote working and it could be as simple as: do you have a password policy, what’s your minimum password length. Credential-stealing is the route of the majority of malware attacks so good password protection is essential.
It is important to protect your business from malicious software which will seek to access files on your system. Once their software can access, they can steal confidential information, damage files or even lock them and prevent you accessing them unless you pay a ransom. Malware protection helps to identify and prevent or remove any potential threats from malicious software.
With a remote workforce, we need to make sure that the protections that we would offer our staff if they were working at their desks, are the same as we are offering them at home.
Cyber criminals often exploit widely known vulnerabilities in software or operating systems to gain access. These could be through poorly designed software which have known weaknesses. Updating software and operating systems will help to fix any of these known weaknesses. It is crucial to do this as quickly as possible to close down any opportunities which could be used to gain access.
We have all heard the horror stories of ransomware wiping out businesses and in the vast majority of cases, it could have been avoided, if systems were kept up to date, so patch management is absolutely essential. This is especially significant now because if we are in lockdown for months, there will be patching cycles for staff machines that will need to be considered and managed remotely.
If you’re considering this list and you work through the granular controls, you might find that without much effort, you’re not far away from compliance and it can provide, as a control framework, a priority list of how you should approach any gaps that you find.
You can self-certificate with Cyber Essentials – once you are satisfied that you reach the granular controls, or take a further step with Cyber Essentials Plus where an external auditor will verify that you meet the controls.
What’s the next big thing in Operational Security?
There is a live project, growing all the time, which constitutes a control framework of a slightly different fashion. It’s called Adversary Tactics, Techniques and Common Knowledge – abbreviated to the ATT&CK (pronounced; ‘Attack’) framework.
The ATT&CK framework is both a methodology and a programme that has been developed by the MITRE Corporation. You may know them from their common vulnerabilities and exposures (CVE) database and website, and the CVSS scoring system that has become the industry standard, providing cyber defenders a common understanding of the severity of vulnerabilities.
What is the ATT&CK framework?
The Head of Global Threat Hunting for one of the UK’s largest cybersecurity companies described ATT&CK framework as the ‘most significant development in cyber defence in a decade’.
Essentially, it’s a list of 12 dominoes, which are the stages that attackers must go through, to achieve their end game. For example, if the aim is stealing data from an organisation, there is a defined sequence of events that attackers must follow to get them to their end-goal. The first domino might be initial access, which might involve reconnaissance, probing, scanning the outside of your network. The next one might be access into your network, the next one, achieving privileged escalation, and so on. The attackers must take all of these steps in a specific order, so understanding this framework means that we are able to spot patterns.
To provide a database of the tools and techniques hackers use to attack, damage, and disrupt operations:
Break down and classify attacks in a consistent and clear way
Show the various stages of an attack
Present information so that it is globally understandable, between technical teams or different languages
Be relevant to organisations of many different sizes
Protect against known attack vectors
Leading technology vendors are developing solutions that plug into this with solutions such as intrusion detection, security information and event management (SEIM), next-generation firewalls. These solutions can reference ATT&CK framework and can spot the dominoes falling in sequence. This is a global breakthrough in being able to analyse attacks and facilitate quicker action to block them.
Information is the key to securing our information
Improving security is a driving goal for all of us. There are many businesses that are regulated to operate within guiding frameworks – but I would encourage all UK businesses to look at, consider and utilise the controls as lists to help you decide what you should be thinking about, and perhaps in what order. If making decisions about new technologies and things need renewing or upgrading, consider solutions that can utilise the ATT&CK framework.
Applying frameworks to a practical example, the adage of “we don’t know what we don’t know” comes down to a need for monitoring. We need to understand what we’ve got, so that we can best utilise these controls from the various frameworks. For example, if a control says maintain an asset register – which makes perfect sense as you need to know what you’ve got so that you can protect it – this may include a sensitive data asset register. In this instance, you should ask, “What is my gold, what are my crown jewels?” and perhaps pay special attention to monitoring that type of data. Relating this back to the five pillars of Cyber Essentials, the straightforward, granular controls can act as excellent prompts, a sequence and give us priorities in how we tackle the sea of data that we’re faced with. This in turn can help you define your policies.
Even if you are not mandated to operate within any security frameworks, it’s a really good idea to use them as a method of understanding what to know, what to track, what to prioritise
Review the controls you have in place currently, even if you hadn’t previously thought of them as belonging to a particular framework – it might be that you comply to the CE controls without actually knowing it, or can achieve certification with only a small amount of additional effort
Choose new technologies when you are renewing, replacing or upgrading your security elements, that are able to interact with the MITRE ATT&CK framework
Before you go…
What single thing would you recommend to help organisations with security right now?
Prior to the coronavirus outbreak, Daisy was seeing an increase in customer requests to help with laptops to facilitate a more flexible working strategy. Staff with laptops do introduce risk back into the core corporate network and enabling multifactor authentication is one of the easiest but most effective methods of securing remote workers. Use of multifactor authentication is ramping up but worryingly, it’s not ramping up at the same pace as perhaps the extended remote workforce has had to over the last two or three weeks. If you can enable two factor or multifactor authentication, you will significantly improve your security.
About Nathan Allison
Nathan is a Certified Information Security Manager (CISM) and has over twenty years’ industry experience, with more than sixteen of those focused on Internet and cyber security. At Daisy he manages the Operational Security team responsible for customer security, working at our Security Operations Centre (SOC) in Leeds.
In his early career, Nathan worked for Kingston Communications and moved into the Security Implementation team at Planet Online which subsequently became Energis, implementing and configuring the security aspects of enterprise, highly available, e-commerce and collaborative solutions.
Nathan has an in-depth understanding of networking and security technologies from major vendors and how these can be applied to address specific business requirements and compliance objectives including approaches based on risk-based cost-benefit analysis.
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.