I recently listened to this Podcast: Security when Workforce is Remote by a16z and I found key topics: Security, Sudden Shift, Business Planning, Engagement, and Business Transformation. These topics are top of mind to the transformational executive at this time as we navigate the “new normal” of changing operations.
What is the workforce situation for adults in the United States?
Denmark has polled their work-from-home employees and it is important to point out that many of them are struggling with their new normal as they try to navigate security, slow Internet speeds along with caring for children while working from home. How can we help these work-at-home employees to be successful while maintaining security?
Workforce Security in a Remote World
The world is facing a serious health crisis in the face of COVID-19, and the result is that our businesses are facing significant disruption. There is no denying we are living in unprecedented times and no-where is that more apparent than in our workplaces. Offices have been left deserted, the daily commute has ground to a halt, and spare rooms across the globe have been turned into workstations. But, while we are urging our workers to stay at home and stay safe, have we given the same level of thought to the safety of our data, our corporate networks, and our intellectual property?
Without having the right security measures in place, we open up our businesses to increased risk. Cybercrime and data breaches are already a significant business threat, but, in a time of increased vulnerability, both on a personal and organizational level, the threat is further heightened. Without securing our remote workers, we give cyber threat actors the opportunity to get hold of information, intelligence and internal systems.
As business owners, security professionals and employees, we all have a role to play in protecting both ourselves and our companies if we are to rise to the remote working challenge. And, while we are facing new realities amid the rapid shift to remote working, the solutions we put in place will help reduce our security risk both now and into the future as a new way of working emerges.
The Sudden Shift to Remote Working
Remote working is no new thing, and most organizations have a percentage of their workforce working remotely, whether in the field or from their homes. Catastrophic events have struck the corporate enterprise world before, the impact of 9/11, for example, saw a city become temporarily unavailable, with workers moved to disaster recovery sites and home offices. However, this is the first time we have seen a pandemic of such a scale where almost every company across the globe, along with its suppliers and customers, has rapidly shifted to remote working.
Organizations have risen to the challenge, quickly rolling out the tools that their employees need to do their daily jobs. The procurement and contracting process has had to speed up significantly with IT and legal working together to try to keep things moving. However, with a newly-relocated workforce and new tools and systems in place, many organizations haven’t had the opportunity to develop or test their work-from-home policies. And, even those that have, haven’t been able to do so en-mass.
While companies have been building upon ways of remote working for some time, it is the sheer number of people and companies involved along with the rapid speed of change that is the biggest challenge. And of course, where there is a challenge for some, there is an opportunity for others. While we are trying to rebuild our systems and processes, cybercriminals will be trying to capitalize on the vulnerabilities of organizations and individuals alike.
The Importance of Business Continuity Planning
Business continuity planning involves considering the worst possible scenarios that could happen to a business, whether it be a hacker, a natural disaster or, indeed, a global pandemic. For each scenario, the probability of occurrence, level of risk and potential impact is assessed. The idea is that by planning for the unexpected, organizations will be better placed to manage those risks and continue to run effectively. When it comes to security, business continuity planning consists of building a matrix of security controls and understanding how they translate to the various scenarios. When considering security, organizations need to consider:
- Confidentiality – more than just assessing the security risk of vendors and other third parties, businesses need to comprehensively review confidentiality. This will be different for a sales call and a board meeting, for example, and the tools being used must be fit for each purpose. Requirements will be different for every business, especially those that are strongly regulated.
- Integrity – businesses need to ensure they have the necessary controls in place to ensure business operations can continue and that data is protected. The sensitivity of data should match the features and capabilities of any tools that are used to manage it. Industrial-grade security may not always be necessary, but it is absolutely needed when transferring intellectual property.
- Availability – the current pandemic is an unprecedented situation where the whole world is relying heavily on cloud services and SaaS solutions. Any chosen service provider should be reviewed in terms of their ability to cope with demand.
While going from 20 to 90% remote workers isn’t something any of us saw coming, something of this nature was always a possibility. For those who haven’t engaged in business continuity planning, the global pandemic is going to be a considerable wake-up call.
Engaging Remote Workers in Security
When it comes to cybersecurity, whether working in an office or remotely, users are often the weakest link in any system. Unfortunately, there is often a tendency toward blaming users. In fact, training tests have been built setting users up to fail, with the aim of shaming them into behaving better. However, while this method will improve compliance, it can only take it so far. A far better approach is engaging users in security, deputizing employees and making them feel a part of security strategy.
To help reduce the increased risk that users bring when working remotely, if not already in place, organizations and employees should:
- Enable two-factor authentication – users should need two things to log in to a system remotely; one should be a known password and the other something like a hardware security key.
- Activate antivirus software – individuals should check that, if they are using their own computer to access a corporate network, it has up-to-date antivirus software enabled.
- Check systems and applications – all devices, operating systems and software applications should be up-to-date with the latest patches and versions.
- Connect to a VPN – a virtual private network (VPN), should be the default on office-supplied laptops, but subscriptions need to be valid. For those using home computers, a well-established VPN network should be encouraged.
Of course, this is just the start of a very long list of measures that can be implemented. However, one of the biggest steps is engaging users in security strategy and educating employees on best practices. By alerting your workforce to the risks, they will be much more cyber-aware and less likely to be the target of social engineering attacks.
The Bigger Security Transformation Picture
While we may be viewing the sudden shift to remote working as a temporary measure, it may well result in more permanent changes to our security systems. We are likely to see far greater adoption of zero-trust security models. In a remote world, organizations can’t afford to automatically trust anything, be it inside or outside its perimeters. Every call to an application or service on the network should be verified before granting access. We will also notice a shift from traditional hub-and-spoke, point to point architectures to a more distributed approach. Meanwhile, companies that wouldn’t usually adopt edge technologies will find themselves making the shift. And, as they do, entrepreneurs will capitalize on the adoption of technologies.
Ultimately, in the new world that is emerging, there will be a heightened focus on security. While capacity will be a short-term challenge, as service and cloud providers rise to meet demand, what we need to retain long-term is a security mindset. As we socially isolate, we all become more vulnerable to social engineering attacks. Now more than ever, as we work remotely to protect lives, we need to work together to protect our companies and our data.
Listen to the Podcast
All opinions & expressions are solely those of the author and not those of any other individual, institution or business.