The Prime Minister announced the lockdown yesterday evening. The country is, from this morning, under the most restrictive peacetime regulation of movement and gathering since the rationing of the Second World War era. The customer-portfolio operations have been adjusting since the WHO declaration on the 11th of March and the company has, in increments, been transitioning to fully-remote working since the 16th. The transition is functional. The strategic and operational implications of the lockdown for the customer-organisation programmes and for the company itself are going to take the rest of the year to fully work through.
The team. Hedgehog has, since the Bath office opened in 2018, had a hybrid model with London-based services-and-leadership functions and Bath-based engineering. The two-office model has produced operational habits (synchronous standups, video conferencing for cross-office meetings, asynchronous tooling in Slack and Jira) that translate to fully-remote operation more readily than a single-office model would. The team is, as of this week, fully-remote with both offices closed for the duration. The specific pieces of work that require physical presence (customer-facing engagements, certain SOC-side hardware-handling tasks) are being deferred or restructured.
The customer-portfolio operational picture. Browne Jacobson is operating with a substantial fraction of partners and staff working from home; the firm-side IT has been expanding remote-access capacity at pace through the past two weeks. Towry's trading operations are continuing with the floor-side functions in skeleton form and the rest working from home; the regulatory accommodations from the FCA on remote trading have been issued and are operational. Northcott's operations include 24/7 functions that require specific physical presence (the operations centre that supports their customer-side global-mobility and security services); they are operating on a reduced-staffing rotation with strict separation between cohorts. The manufacturer is the most affected on the operational side: production-floor operations in some sites are continuing with restricted-access protocols, others have been temporarily idled, and the OT-side cyber posture in this environment has been the subject of substantial board attention this week. The financial-services firm is operating fully-remote with no operational disruption. The retailer's e-commerce operations are at substantially elevated demand, and the supply-chain-side cyber posture is under pressure from the unprecedented operational tempo.
The wider customer-organisation cyber-posture concerns. First, the rapid expansion of remote-access infrastructure (VPN concentrators, virtual desktop infrastructure, cloud-based collaboration tools) has produced an attack-surface expansion that the customer-organisation security teams are working to keep up with. The pen-testing engagement queue is reshaping toward emergency assessments of newly-deployed remote-access infrastructure. Second, the home-office-environment cyber posture (employees' personal home networks, personal devices being used in professional contexts, shared-house working environments) is materially different from the corporate-office posture, and the customer-organisation security awareness and operational controls are adapting. Third, threat actors are, on early evidence, opportunistically deploying COVID-themed phishing lures, COVID-themed credential-harvesting pages and COVID-themed scam infrastructure at substantial scale. The detection content updates have been continuous through March.
For the EmilyAI deployment, the customer-side operational change has produced a noticeable shift in the alert-classification distribution. The post-lockdown pattern includes more remote-access-anomaly alerts (people working from home are connecting from new IP ranges, at unusual hours, on devices that the asset-inventory has not previously seen), more failed-authentication alerts on remote-access infrastructure (some legitimate, some indicating credential-stuffing attempts), and a different mix of email-borne threat indicators (the COVID-themed phishing pattern is producing structurally different alert content than the pre-lockdown baseline). The model is adapting on its weekly retraining cycle but the rate of adaptation has been slower than the rate of customer-organisation change, and we are running additional training cycles through Q2 to keep up.
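To make the alert-classification shift concrete, here is an added example, written for this post and not EmilyAI's model or any customer's logic, that runs simple remote-access triage over a handful of constructed VPN concentrator log lines. It assumes a pre-lockdown baseline of known egress networks, known device identifiers and business hours (all hypothetical, using RFC 5737 documentation address ranges), flags successful logins that deviate from that baseline on the three axes mentioned above (new source network, off-hours, unseen device), and separates a single failed-then-successful login from a known device (user error) from many failures across many usernames from one source (credential stuffing). The `alert_distribution` function reports the per-class counts whose mix changes when a workforce goes remote.

```python
"""Remote-access anomaly and credential-stuffing triage over VPN auth logs.

Added example: the log lines, the baseline networks/devices and the thresholds
are constructed for illustration; they are not EmilyAI's model or real data.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed pre-lockdown baseline (hypothetical): office/branch egress networks
# from the RFC 5737 documentation ranges, known device IDs, and working hours (UTC).
BASELINE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),   # office egress
                     ipaddress.ip_network("198.51.100.0/24")]  # branch egress
KNOWN_DEVICES = {"LT-0142", "LT-0187", "LT-0203"}
WORK_HOURS = range(7, 20)          # 07:00-19:59 counts as business hours
STUFFING_THRESHOLD = 5             # distinct usernames failing from one source IP

# Constructed VPN concentrator log lines (hypothetical format): ts|src_ip|user|device|result
SAMPLE_LOG = """\
2020-03-24T08:12:01|203.0.113.41|asmith|LT-0142|OK
2020-03-24T08:15:44|192.0.2.77|bjones|LT-0187|OK
2020-03-24T23:40:09|192.0.2.77|bjones|LT-0187|OK
2020-03-24T09:02:13|192.0.2.90|cwong|HOME-PC|OK
2020-03-24T09:02:40|198.51.100.5|dlee|LT-0203|FAIL
2020-03-24T09:03:02|198.51.100.5|dlee|LT-0203|OK
2020-03-24T03:10:00|192.0.2.200|admin|-|FAIL
2020-03-24T03:10:01|192.0.2.200|asmith|-|FAIL
2020-03-24T03:10:01|192.0.2.200|bjones|-|FAIL
2020-03-24T03:10:02|192.0.2.200|cwong|-|FAIL
2020-03-24T03:10:02|192.0.2.200|dlee|-|FAIL
2020-03-24T03:10:03|192.0.2.200|efox|-|FAIL
"""


def parse_line(line):
    """Split one pipe-delimited record into typed fields."""
    ts, ip, user, device, result = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "ip": ipaddress.ip_address(ip),
            "user": user, "device": device, "result": result}


def classify_event(ev):
    """Reasons a successful login deviates from the pre-lockdown baseline."""
    reasons = []
    if not any(ev["ip"] in net for net in BASELINE_NETWORKS):
        reasons.append("new-source-network")
    if ev["ts"].hour not in WORK_HOURS:
        reasons.append("off-hours")
    if ev["device"] not in KNOWN_DEVICES:
        reasons.append("unknown-device")
    return reasons


def triage(log_text):
    """Return (anomalies keyed by event index, sorted credential-stuffing source IPs).

    One failure followed by success from a known device is left alone (user
    error); a source failing across >= STUFFING_THRESHOLD usernames is stuffing.
    """
    events = [parse_line(line) for line in log_text.strip().splitlines()]
    anomalies = {}
    failed_users = defaultdict(set)
    for i, ev in enumerate(events):
        if ev["result"] == "OK":
            reasons = classify_event(ev)
            if reasons:
                anomalies[i] = reasons
        else:
            failed_users[str(ev["ip"])].add(ev["user"])
    stuffing = sorted(ip for ip, users in failed_users.items()
                      if len(users) >= STUFFING_THRESHOLD)
    return anomalies, stuffing


def alert_distribution(log_text):
    """Count alerts per class; this is the mix that shifts once everyone is remote."""
    anomalies, stuffing = triage(log_text)
    counts = defaultdict(int)
    for reasons in anomalies.values():
        for reason in reasons:
            counts[reason] += 1
    counts["credential-stuffing-source"] = len(stuffing)
    return dict(counts)


if __name__ == "__main__":
    found, sources = triage(SAMPLE_LOG)
    for idx, reasons in found.items():
        print(f"event {idx}: {', '.join(reasons)}")
    print("credential-stuffing sources:", sources)
    print(alert_distribution(SAMPLE_LOG))
```

Run as-is, the two home logins from 192.0.2.77 and 192.0.2.90 are flagged as new-source-network (one also off-hours, one also unknown-device), the single failed-then-successful login from the branch network is not flagged, and 192.0.2.200 is reported as a stuffing source because it fails against six distinct usernames in three seconds. The point the sample makes is the one the paragraph does: a baseline built on office egress ranges and corporate devices turns a large fraction of legitimate post-lockdown logins into anomalies, so the baseline itself has to be rebuilt, not just the thresholds tuned.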
The personal note. The lockdown is operationally significant but the family situation is fine; the wife and I are both working from home, the children's schools have transitioned to online learning, the practical day-to-day is awkward but manageable. The neighbourhood is observing the lockdown carefully and the local-community response (the WhatsApp group for the street has organised shopping for the older neighbours, the local pub is doing takeaway) has been heartening. The civic-cohesion measure is, in our small geographic sample, working.
The customer-portfolio work continues. The blog will continue. The longer-term strategic implications of the lockdown for security work — the structural shift toward remote-as-default, the cloud-native-acceleration that the lockdown is forcing, the regulatory and economic environment that will emerge in the recovery period — are subjects I will return to as the picture firms up. The next several months are going to teach the security industry a great deal about what operational resilience actually means, and the customer-organisation conversations will reflect that learning.