Making endpoint devices available to users at home, sanitizing and securing devices remotely, updating security patches and antivirus signatures at endpoints, installing VPN for remote access, and configuring additional monitoring use cases/rules around the remote-access workforce were crucial for the success of operations continuity during the COVID pandemic.
The new normal is not some novelty that will go away. The way things seem at the moment, we will have to adapt to the reality for a long time to come.
Julius Caesar is a play by William Shakespeare; in it, there is a famous phrase that is often quoted, "Beware of the Ides of March." Apparently, Caesar was warned about the Ides, which falls on March 15th, and he chose to dismiss it and lost his life.
The COVID crisis in our country surfaced visibly around the beginning of March and peaked in mid-March, which reminded me of the Ides of March. The initial signals of the pandemic made this a new-era Ides of March, because immediately after the COVID-19 outbreak came the nation-wide lockdown. It was around the same time that we started preparing for the possible impact of the Coronavirus epidemic on business functions. Not everything was clear, but it was evident that we had to begin by crafting policies and tweaking processes to deal with the crisis.
Towards the end of January, we started following the news about the outbreak in Wuhan, China. In February, we were clearly aware of what this could lead to because of the virus spread in China and a few other countries that witnessed the early impact of this pandemic. The realization was scary: every country on the planet was vulnerable, and this was not just another outbreak like SARS or MERS. The potential impact could not be predicted, but sensing the threat of the spread, and considering that no clinical remedy to arrest it was available, we started our preparations at the beginning of March. The need for social/physical distancing to protect the unaffected, and isolation for those who were affected, gave momentum to our preparations. Unlike Caesar, we did not dismiss the Shakespearean Ides of March and were fairly ready with our strategy by March 15th to face the big uncertainty that was going to unravel.
The Lockdown becomes a Reality
Yet, the scale and the impact were unimaginable. It was only on March 20th that we got the feelers about an impending lockdown. Prime Minister Narendra Modi had announced a country-wide Janta Curfew on March 22nd, and it rang a bell in our minds that it could be a trial run for a much bigger step that might have to be taken on a nation-wide scale.
A subsequent announcement led to the commencement of a nation-wide lockdown from March 24th. Initially, it was meant to be a 21-day complete shutdown across the country. Even 21 days appeared to be the biggest peace-time shutdown ever witnessed. We are now completing a lockdown close to six times that period. Barring certain services such as law enforcement and medical/health care, millions were confined to their homes with initial uncertainty of access to essential supplies. While individuals faced the challenge, the companies too were not immune. While we were making preparations for the future on the assumption of a certain timeframe in hand, the announcement of the lockdown suddenly took away all the time we had budgeted for a smooth transition into lockdown. We had envisaged at least one week's time after the Janta Curfew, whereas the announcement came in just one day. We knew there would be implications, like remote working and social distancing. A percentage of the workforce, a significant one, would work from home. But that 100% of staff would need to function from home for three weeks was never envisaged. That was when I first realized what it is like when feelings of amusement and annoyance erupt at the same time.
The next two weeks were spent in a mad scramble. Our first big challenge was to deal with infrastructure issues. Thankfully, NSDL eGovernance has been at the forefront of IT adoption due to the business model of digital delivery for various G2C services facilitated by our company; thus, the challenge appeared manageable in terms of process evolution and adoption. However, the practical difficulties were very different. We had to identify all the employees who did not have laptops with them and make arrangements for them. In reality, this was easier said than done. The companies that were providing laptops on a rental basis were suddenly inundated with requests. The demand far outstripped the supply, and the prices shot up manifold overnight. Even if one was willing to pay, the suppliers had run dry of laptop stock. We had to hunt for vendors who had laptops available and make logistic arrangements for the delivery of the devices. The shortfall was covered by allowing people to use their own devices, and internally the term got coined as UYOD as against the popular term BYOD. That was not the end of it, as many were facing network challenges as well, which in some places got addressed by allowing them to use their personal Wi-Fi or mobile hotspot, but only after ensuring robust access security. In certain situations, even that did not work, as the service provider bandwidth/network signal was either weak or overburdened, since everyone was working from home and such a huge surge of traffic had probably not been envisaged in a residential area.
Besides, there was the infra support and services challenge, which required focused attention for the success of the Work From Home strategy and scheme. Usually, whenever there is an issue with hardware or software on endpoint devices, the IT Infrastructure support team is always available within the office premises. End-users therefore never had to do things like configuring the system set-up for connecting to a different network, and suddenly they were burdened with doing all that with just the help of some telephonic support. People were used to physical proximity for discussions and meetings, and now everything was virtual. While we do not have official tickets opened, I am sure a few may have struggled with acclimatizing themselves to the virtual platforms and efficiently gelling with the Concall / Bridge Call / Video call mode of operations. I can proudly say that my team members worked from early morning to late night, and not just for hours or a couple of days but for a couple of weeks (which were seven-day weeks, not five-day ones), remotely configuring and enabling people to work from home, and later they continued their long hours of support to ensure continuity of such working.
Getting Accustomed to the New Normal
The first two weeks after the lockdown were taxing and crazy both for the employees and the IT teams. People working from home were learning new things, and so were we. Despite all the efforts, close to 20% of the staff were unable to connect to the office ecosystem due to numerous reasons.
This was also the time when there was a lot of misleading and exaggerated news floating around. There were various projections about the WFH culture being vulnerable and posing the threat of cyber attack on the organization's critical infrastructure. Not many said "how", but they said, "it will happen". This was in public media; the management was also concerned about all these reports, especially as almost all the employees were working remotely using whatever devices and network they had access to. The security threats might not have been hype, but the psychological impact on people of the concerns around these security threats was definitely hype, until it was explained to management how we had identified and implemented appropriate controls to reasonably counter such security threats.
Personally, I was not much affected by this hype. Cybersecurity and data integrity are not some ad hoc subjects. Even before the wave of the pandemic, organizations across the board had to create a secure perimeter around the corporate assets. It wasn't necessitated by the outbreak but had always been the need of doing business securely in the digital world. Thanks are due to DRM (Disaster Recovery & Management) and BCP (Business Continuity Planning), as they offered a base-level blueprint to address this situation, and I am sure most of my fellow CIOs and CISOs were able to make the transition with less hassle. Indeed, there were some teething troubles, as the onus of security had now shifted to the discipline adhered to by the end-user, especially when they were allowed to use their own device. We had to sanitize (not literally) and secure the devices, install firewalls, update security patches, install antivirus, disable unnecessary functions (ensuring that it did not impact the e-school of their kids or the office work of their spouses, because each household would have one family computer to be used by all), configure VPN access, etc. Fortunately, our employees were eager and enthusiastic, and we were successfully able to migrate the workload onto the home network. Also, critical enterprise applications and data are anyway ported on data centers that are professionally managed and operated. In short, the security infrastructure is already in place; it only needs to be bolstered in certain spaces.
Little wonder then that by mid-April, all our employees were functioning from their homes without a hitch. All the doom and gloom scenarios did not really materialize, and that shows the network and security resilience. However, we remained alert 24x7 and did not depend on confidence, luck or the blessing of God.
Lessons from the Pandemic
So, what are the lessons that we have learnt? There are quite a few. One of the basic ones was that all the planning and strategizing that we do is not enough, as something hidden will surface to challenge our preparation. Secondly, never underestimate the potential impact of any disaster, however small it appears to the eyes and the mind. For years, we had built scenario planning into our DRM & BCP, but never did we imagine a scenario like this, where every IT set-up was working but no human resource could reach any of our offices across the country. The COVID pandemic has been tragic for the world, and pretty humbling for enterprise IT & Security folks like myself. We had to learn and adapt many things quickly; even today, I am doing that. For instance, at NSDL eGovernance, I have already proposed to do away with desktops for good; all employees will get a laptop from now on, which has been welcomed not as an idea but as a strategy going forward. Here are some of the revelations that can be counted as a result of the pandemic:
- WFH is not only possible but also preferable in some instances due to productivity gains, opening up the possibility of better performance while enjoying flexibility and comfort or avoiding hectic travels
- Employees can work from anywhere; they don't need to be in the same location, opening up the possibility of hiring good and talented hands available anywhere in the country
- From Bring Your Own Device (BYOD) the world can shift, with some caution and care, to Use Your Own Device (UYOD)
- Office architecture needs to be reimagined. When people can work from any of the geographical locations, why would there be a need for fixed desks within the office? Whenever you come, wherever you sit in the office, you should be able to work.
In the end, the new normal is not some novelty that will go away. The way things seem at the moment, we will have to adapt to the reality for a long time to come. The way of working we were used to has already become history during our lifetime. We don't have to wait for the next generation to come, make changes and call our earlier way of working primitive and history. Rather, we will hand over a stabilized future way of working to them. Let us remember that the adaptation should not come from a negative/restricted mindset; we should embrace the opportunity and build systems that are aimed at growth, with a positive/open mindset.
The author is EVP & CISO, NSDL e-Governance Infrastructure Limited