As the concept of remote work becomes a long-term reality for many, one of the most profound repercussions will be the cybersecurity and risk challenges facing businesses in this new reality.
While the extraordinary transition to work from home (WFH) was critical for business continuity, and unlocked innovative new ways to operate, it’s also given fraudsters a vast array of opportunities to steal confidential data and disrupt operations. In today’s data-driven economy, remote workforces that don’t have comprehensive security in place will become prime targets for cybercriminals to exploit any number of vulnerabilities, from unpatched devices to those without access governance controls.
Over the past few months, we’ve all learned a great deal (that might be the understatement of the decade!), and with the gift of time and hindsight, businesses must now find the time and urgency to address those potential risks within their remote workforce.
Below is a 10-point plan to help you assess the state of your remote work environment and strengthen the overall security profile to help minimize future workforce disruptions.
1. Remote environments are harder to secure. To equip remote workers with the tools needed to connect online, some companies may have deployed outdated hardware and software to use. This is a hacker’s dream. Often, those solutions lack modern security controls and capabilities.
As helpful as virtual environments have proven to be, they simply lack the basic physical verification that traditional environments provide. Another challenge is unknown, unmanaged endpoints. In cybersecurity parlance, the proliferation of new devices means the attack surface has grown dramatically larger. As we’ll discuss later, these are all reasons why a “zero trust” policy is required for remote work to become more secure.
2. The massive turnover of people and expertise. As employees are furloughed or laid off, their responsibilities are shifted to others who may have little or no experience in that area. Separately, the regular in-and-out of contractors only exacerbates a dangerous situation. If WFH becomes our norm, then businesses need to address the “mover and leaver” situation. Job-hopping is more prevalent today, and that trend and will continue into the future. So, the “talent churn” means companies must impart necessary cybersecurity training and hygiene during onboarding and offboarding.
3. Thoughtful access governance is essential. It’s enough of a challenge to get access governance right when everyone’s in a centralized facility. In a remote work setting, it becomes extremely difficult. “For work from home to succeed, companies need to have good governance policies in place for user access and for evaluating secure access policies and authentication methods,” says Tony Karam, Risk and Security Strategist at RSA. “A big part of that is making sure you recertify rights and entitlements more frequently so that you can keep up with this evolving or revolving-door workplace. You need automated governance for this dynamic workforce. If a company’s doing work from home—and every company is—then they need to be regularly doing security reviews, recertifications, and then modernizing their identity management and access management capabilities,” advocates Karam.
4. Unfamiliar new technology and vulnerable old technology. Those working remotely have often had to figure out on their own how to use a wide array of new platforms, applications and technologies with little or no training. In many cases, the urgency to keep up with the demands of the job will push security concerns to the side. Even among workers with the very best of intentions, the rapid rollout of video conferencing tools, collaboration tools and new cloud applications is widening the workforce knowledge gap and increasing the odds that someone will accidentally do something that puts his/her company at greater risk.
5. Regulatory requirements will follow. GDPR and the California Consumer Protection Act (CCPA) will become models that others seek to replicate. The combination of a global recession and the disruption caused by the ongoing health crisis could well lead to sweeping federal regulations along the lines of the financial regulations put in place after the 2008 financial crisis. The challenge for businesses becomes two-fold: comply with stringent new regulations and overlook the new and potentially more serious challenges still on the horizon.
6. Getting familiar with automation. All the challenges mentioned above take on additional levels of complexity as people interact with more automation. What’s the right balance between human and technology, and how should privacy and security gaps be addressed? “Sometimes we forget that the workforce these days—and certainly in the very near future—comes in two forms: the carbon-based humans, and then the growing workforce of machines, robotic process automation, AI and bots,” says Karam. “A lot of companies are telling us that they’re really looking to accelerate their use of automation and robotics to build in more resilience in the face of all this workforce disruption. That’s all fine and can be beneficial, but only if companies figure out the best ways to manage all those human-machine interactions.”
7. Back at the office, big challenges around data privacy. When people return to the office full-time, or when WFH warriors visit the office once a week, how do companies handle the personal data that’s generated as temperature or health checks are completed and movements around the office are monitored? What level of physical data will be gathered? Who gathers it? How is it used and secured? How are the privacy rights of employees spelled out and guaranteed? These are all pressing questions organizations need to address quickly as part of this new normal.
8. Hybrid computing and data privacy. You’ve got on-premises systems handling HR and insurance data, a public-cloud service managing applications, and a private-cloud system handling compensation and performance management apps. How do you keep all that safe and secure across wildly different architectures? In the face of the relentless change and disruption happening everywhere, many companies are embracing a “zero trust” mentality. These companies are beginning to assume that at least one or more of more of those mismatched systems has indeed been compromised—and that stringent modern security policies are needed to protect sensitive data.
9. The journey to the cloud is accelerated. Already on a fast track due to digital transformation initiatives, the journey to the cloud will be accelerated as businesses look to build resiliency in the new normal. The cloud offers many benefits, but most businesses don’t yet have a full grasp on the security and risk implications. This could lead to expanded use of private clouds rather than pushing everything toward public clouds. In addition, as companies take steps to break down the data silos in their organizations, and as the cloud becomes more widely used, companies will have to develop new security policies that take into account the different security requirements for cloud architectures versus on-premises architectures. Compounding the cloud challenge, service providers like AWS, Google and Microsoft are constantly introducing new capabilities. This requires businesses to stay abreast of innovation and determine how to implement it for users. It’s a lot of intense and complex work, to be sure, but it is essential for securing this journey.
10. What you can do today.
- Bring on the right skills to help the business weave AI-powered analytics into its security environment.
- Give up on the “one size fits all” approach to security. Embrace models that are agile, modern and highly adaptable to changing conditions and requirements.
- Establish a “zero-trust” mindset.
- Shift your focus from prevention to detection.
- Get your security operations, risk management and IT teams on the same page, and sharing insights.
- Use security analytics to give you insights that help prevent disasters.
This post was sponsored by RSA, but the opinions do not necessarily represent RSA's positions or strategies.
Bob Evans writes about digital business, innovation and strategy as the founder and editor of Cloud Wars. Follow him on Twitter at @bobevansIT.