I’m not claiming that this was a particularly insightful revelation. Sometimes, though, things that should be obvious only reveal themselves to us when we’re able to focus on a particular topic that normally gets brushed aside from our thoughts in the course of day-to-day crisis management. But having finally seen this truth, I couldn’t ignore it. I had arrived at my revelation by thinking about ransomware, but it’s not the only reason that a lack of backups could mean trouble. A lost or stolen laptop or a crashed hard drive are among the other potential threats. (We use Google Docs for file collaboration, but that’s not a substitute for backups.)
And PCs that don’t talk to the network on a regular basis have other problems besides a lack of backups. New domain policies don’t get pushed to those PCs, and we use group policy to enforce configuration policies, as well as Microsoft’s System Center Configuration Management (SCCM) to manage operating system and some third-party application patching. If the PC never connects to the network, SCCM is unable to properly inventory the system or provide metrics regarding compliance. And you just can’t rely on end users to properly patch applications such as Java, Flash and other risky Adobe applications. They forget, are lazy or don’t see such patching as a high priority.
What’s more, we can’t conduct periodic security scans of PCs that don’t connect to the network. I have a weekly Tenable Nessus job configured to scan the DHCP address range of PCs assigned to our corporate network. If a PC is not on the network, I have no visibility. Worse, PCs that don’t get scanned for long periods of time and become infected or compromised are a major threat when they finally connect to the network. That’s a good way to propagate malware on the network or give a bad actor access to the corporate network or even a conduit to our production network, where our intellectual property resides.
I was back in the office the next day, and my PC was backed up and scanned soon enough. But I know that many remote workers have no need to do the same anytime soon. I talked to the head of IT, who fully agrees with my concerns. We plan to deploy a robust endpoint-protection solution that doesn’t rely on being connected to the corporate network. We’re also looking at either architecting our current environment or choosing a cloud-based solution to manage PCs and security policies regardless of where the PC is located, and we will evaluate what it will take to remove administrative privileges while still affording users the ability to work wherever they happen to be.