A year ago, in the fall of 2019, Mike Zachman ran a security drill for his company, Zebra Technologies Corp.
Zachman, who as chief security officer oversees cybersecurity as well as product security and physical security, had focused the exercise on business continuity to determine how well the company’s plans would hold up.
He had organized similar events in the past, running through both a mock ransomware attack and a staged natural disaster that took out a data center. So, to further test his company, he came up with a new scenario for 2019: a theoretical pandemic, complete with office workers undergoing temperature checks.
Zachman insists that he’s not prescient but rather pragmatic: Global companies have had to deal with SARS and localized epidemics in the past, he says, so he saw testing his company’s response to a pandemic as a responsible move.
The exercise tested the company’s “3+2” strategy, which was designed to ensure that its disaster recovery, supply chain and workforce (the “3”) as well as its repair depots and distribution centers (the “2”) were resilient enough to handle the event.
“Having done that exercise, we found ourselves reasonably prepared when COVID hit. It was still challenging. It took a lot of people putting in a lot of energy to make sure we executed properly. But what we weren’t doing was running around, saying ‘What do we do?’” Zachman says.
The company had a command-and-control plan, and it had enough VPNs to support widespread remote work. Its workers had their devices with them, as the fall 2019 drill reinforced for them the need to take their laptops home at night to ensure business continuity should a sudden emergency arise.
However, Zebra still encountered a few shortcomings in its cybersecurity operations that needed to be fixed, Zachman says. It found, for example, that some of the configurations on its laptops didn’t offer adequate protection for long-term remote access gained through individual workers’ home internet networks. And it had less visibility into the at-home laptops’ network traffic, prompting Zebra to speed up its journey to a more mature zero trust environment.
As Zebra’s experience shows, the pandemic uncovered security shortcomings in even well-prepared organizations. The shortcomings run the gamut from minor to significant and, regardless of their size and nature, are keeping CISOs extra busy as they and their organizations move forward amid continued uncertainty and extended work-from-home scenarios.