Co-Founder & CTO at SafeBreach. I’m a father, husband, hacker, open source enthusiast and entrepreneur.
The Covid-19 pandemic has been a catalyst for change in the modern workplace. According to 451 Research, nearly 80% of organizations surveyed now have remote work policies in place, and 67% believe those policies will be permanent. Those sentiments are reflected by high-profile Silicon Valley technology bellwethers like Twitter and Facebook, both of which announced permanent work-from-home policies shortly after work-from-home and shelter-in-place orders were issued by California Governor Gavin Newsom.
Both companies have said that their specific policies are evolving as they figure out the technology and administrative challenges, as well as the regulatory issues that may come into play for things like taxation and cross-border data movement. But the message is clear: We have entered a new era. It is now incumbent on business leaders to figure out what managing a remote workforce means for their organizations and to take appropriate action.
From a cybersecurity perspective, I see plenty of challenges ahead as operations shift from protecting assets that are mostly behind the firewall to one focused on keeping pace with and securing assets in a predominantly decentralized, heterogeneous IT environment. Changing posture from a network security strategy to an end-point security strategy is a fundamentally different approach to securing an enterprise with a majority work-from-home employee base. But it is a necessary one. There will be no shortage of data breaches in the months ahead because of the increase in organizations rushing to accommodate the work-from-home model without establishing that end-point strategy.
Then there is the matter of scale. Prior to the pandemic, allowing people to work remotely was more of an accommodation for a small number of employees whose roles necessitated them to be on the road or to provide a convenient means of being productive for others when circumstances kept them out of the office. Now, with the in-home office a permanent fixture for a majority of employees, it’s worth considering what it means when people who used to work behind the safety of your firewall are now well beyond your network’s perimeter, increasing the size and complexity of the environment you now need to protect.
A recent study found that the average U.S. household owns more than 10 internet-connected devices, typically using a shared network. That means for every employee you have who is now remote, you not only have to worry about the security of company-issued or sanctioned devices and VPNs, but also personal devices (e.g., computers, smartphones and mobile devices, gaming consoles, smart speakers, security cameras, exercise equipment, wearable devices, etc.), and a consumer-grade router, beyond the reach of your security program. Compromised, any one of them can be a vector for attack.
All of these devices and scenarios present a different challenge for maintaining a secure IT environment for as many in-home offices as your organization now finds itself supporting. Unlike traditional approaches to security, the bring-your-own-device ethic means a further loss of control as the ability for IT to image and manage the lifecycle maintenance of all the devices now being used to access the network will be greatly diminished.
What will not work from a security perspective is to allow the work-from-home model to create chaos for IT management and security. If your organization has decided to embrace work from home, it must own that decision and establish rigorous policies and processes to make sure each new satellite of the organization doesn’t disproportionately increase the risk to network and data security. That new program should be built on three pillars:
• Rigorous authentication of all users and devices accessing the network;
• Zero-trust posture that assumes nothing is safe until verified;
• Pervasive monitoring of all activity in your environment to detect threats and anomalies.
The U.S. Army recently announced a project intended to give some members of its intelligence community the ability to work remotely and still have access to the classified information needed to do their jobs. In announcing the project, the Army’s chief information officer, Lt. Gen. Bruce Crawford said, “It’s our job to decide how we’re going to enable them and, more importantly, how we’re going to secure it.”
That’s an important message to send to the organization. The challenges inherent with remaining productive while untethered from a traditional office setting are enough of a concern for employees who find themselves adjusting to working from home. Even though the organization must train each employee in operational security and awareness, any expectation that they must take primary responsibility for the technical security of their home office is unrealistic.
Instead, it is incumbent on an organization’s IT security team to undertake an objective inventory of the implications of work from home, asking questions such as:
• How many people will be working from home? Where will they be located? What can they tell you about their environment?
• What is their job description, and what does that mean for the type of information and bandwidth they’ll need? What regulations will come into play?
• Will the organization need to supply them with an industrial-grade router and other networking gear? Which employees and partners will they need to connect with?
• How much control over the employees’ home environment will IT need to request, and how must the organization adapt to these needs in order to scale its security program without burdening employees?
Owning the decision to join the work-from-home movement is not without its costs, and so there is one more question you need to ask yourself: How much do you value the security of your data, systems and devices that are now a part of your network?
There is always a price associated with security, and depending on the size of your organization and the type of data you have to manage, that price may be significant.