For Consultants and Clients, the Work-From-Home Shift Unearths New Cybersecurity Challenges

Companies like Square and Shopify are high-tech businesses that were both born as highly mobile, digital-first ventures, so the ability to shift to a remote workforce was essentially baked into their DNA. Consulting, on the other hand, is the original road warrior business, requiring heavy client face time, on-site visits, and frequent jet setting, where it wasn't uncommon for consultants to travel 200 days a year or more.

The shift to a mobile workforce for consulting firms carries unique challenges and unique risks, particularly around cybersecurity, as consultants often deal with highly sensitive client data, which now must be kept safe outside the confines of highly secure office networks. Consulting recently spoke to some experts in the cybersecurity space about how companies are navigating this seismic workplace shift.

New Challenges Around Remote Collaboration

As a highly collaborative industry, one initial hurdle to ensure continuity of service involved beefing up communications capabilities for consultants who could no longer be on-site with clients. Even a fundamental change like this took some quick thinking and mindset shifting.

"We've seen a lot of change in the landscape due to COVID. The first is how we deliver services. Consultants are used to working remotely – they're on client sites, in airports, working from home, etc. Now we have to get used to clients being remote. We no longer spend days at client sites. Interviews, meetings, and progress reviews are done via GoToMeeting, Zoom, Webex, or any other of the options out there. Documents are securely shared with clients over the web. We've had to learn how to replace the human-to-human connection with remote connection," says Bob Post, Managing Principal for cyber risk management consultancy Coalfire.

Keeping confidential client data safe in this virtual collaboration environment has been another major area of concern, moving from VPNs and other hyper-protected office network security to a work-from-home environment.

"For many of our clients, work must be accomplished on their protected networks and we are provided technology to ensure we have that capability. For certain clients who do not allow connectivity outside of their buildings, mainly classified work, our teams must be on the client site. We are very fortunate that for [Guidehouse] it was a very easy transition since we already live in a virtual, cloud environment. We have the benefit that we can work from anywhere provided we have connectivity. For cybersecurity consulting companies that are not so fortunate, they find themselves dealing with the same security concerns as much of the world," says Marianne Bailey, Advanced Solutions Cybersecurity practice lead for Guidehouse and former Senior Cybersecurity Executive for the National Security Agency (NSA).

A "Rapid Expansion of the Attack Surface" 

Work conducted in an office or on a client site is typically done using highly controlled networks and equipment to keep confidential information from getting into the wrong hands. With so many consultants serving clients from home, much of that control has been surrendered. 

"The whole working from home environment has been a challenge. One phrase frequently heard is 'rapid expansion of the attack surface'. All of a sudden, data and processes that were neatly contained within a corporate environment are now being used in areas and on devices over which the organization has little control," says Post.

"Staff who have always worked in an office now must deal with things like securely connecting to corporate networks, securing their devices, and even securely disposing of sensitive printed material. How many people have business grade shredders at home?"

Another obvious concern is training employees in the new software and hardware many companies are providing to ease the transition. Would-be cyber criminals only need to successfully exploit one vulnerability to steal valuable proprietary data, which could result in immeasurable damage to a company's reputation. In order to keep the home office environment secure, employees have to know what they're doing.

"The rapid implementation of global restrictions has caught many off-guard. Routine operations such as workplace meetings, collaboration, and daily tasks have been forcibly transitioned to more digital avenues," Bailey says.

"Many companies may not have performed adequate training educating their users on best cyber practices. Typically, it will take large organizations many months, if not years to move to a modern architecture. This requires technology pilots, staged implementation, lots of testing of both functionality and security, and significant employee training.  For companies who were not already on this virtual path, this rapid move to working virtually permitted little time to perform these steps in a calculated and thorough manner."

Current Conditions Are a Boom Time for Cybersecurity Consultants

Consulting is an industry that tends to thrive in challenging environments, and the ongoing shift to working from home and the obstacles it brings has increased the demand for experts in the space as organizations look to lock operations down. 

"Demands shift with priorities. When everyone is scrambling to protect the remote workforce, projects that were once deemed critical all of a sudden fall into the "discretionary" category.  With the initial surge to address a newly remote workforce done, clients now want to examine whether or not the technologies and processes that were put in place are working as expected and how they can be optimized," says Post.

"As we face this new work environment, the other rising issue is interacting with customers. Specifically, making customers feel secure in the knowledge their sensitive data is protected as they move to a digital environment is a critical factor in clients protecting their revenue streams. Securing those transactions and interactions will be key to future growth."

The rapid shift to work-from-home has also been a challenge for clients, who have had to devise entirely new security strategies and protocols to avoid service interruptions and thwart cyber attacks in a much more target-rich environment. This has also led to an increase in demand for outside cybersecurity experts.

"As one would expect, the demand for cybersecurity consulting services has seen a direct increase to provide services from high-level advisory to technical security engineering to tactical 'cybersecurity as a service' work," says Bailey.

"Clients now more than ever are understanding the importance of controlling access to their environment and data, ensuring they implement adequate security architectures, have strong identity and access management procedures and [that] their employees are trained and understand company policies and cybersecurity human threats. With the requirement to develop and maintain a comprehensive cybersecurity program, consultants in all areas of cybersecurity are in high demand to fill gaps in expertise for their clients."

The history of the coronavirus pandemic is still being written, and the consulting industry is still living it out in real time. The sudden industry-wide move to remote work has been difficult on many fronts, and nobody knows how long this "new normal" will last, or if it's here to stay. However, consulting firms are resilient by design, and well-seasoned in navigating change and overcoming obstacles. The industry's renewed commitment to safeguarding client data and ensuring secure communications in an unprecedented environment is a testament to that heritage.