In response to the threat posed by the coronavirus pandemic, an increasing number of companies are urging employees to work from home. Despite the severity of the disruption caused by COVID-19, employees and even companies may find a silver lining, as remote work can have a number of benefits, including increased employee satisfaction and productivity. Although it’s far too early to tell, these benefits may serve to motivate organizations to make a more permanent transition to remote work. As employers figure out the role remote work will play in their organization, special attention will need to be given to how employers will ensure the security of both their workforce and their business-critical data. Security teams can help organizations navigate this transition by putting established security best practices into place. Below are three practices worth considering.
1. Make security part of your organizational culture
Whether or not an organization’s workforce is remote, building a culture of security is integral to strengthening an organization’s security posture. This starts with outlining clear security goals informed by both business and regulatory obligations, as well as your organization's commitment to stakeholders and any unique industry-related security threats. From there, security teams can develop data policies that inform stakeholders and employees of the processes and practices essential to an organization’s security. Beyond building a data policy, security teams will want to build understanding and support of these policies among employees. Like with your workplace conduct policies, this can be accomplished by including cybersecurity practices in your employee handbook and tying these practices to your organization’s overall vision and values. Cybersecurity training can also cement the types of security hygiene employees will need to exercise to successfully carry out their job.
2. Standardize the tools and processes your remote workforce will use
In our cloud security best practices post, we highlighted that consistency is one of the keys to cloud security. As remote work becomes normalized, this will only become more true. Improving your organization’s security posture will depend on your security team’s ability to create and enforce protocols for remote workers.
What are some of the considerations security teams will need to make?
Deciding between bring your own device (BYOD) schemes vs IT-issued equipment
One of the first considerations that’ll likely need to be made when adopting long-term remote work is whether employees will conduct their work on their own devices or company-owned machines. Each choice contains a tradeoff, but contrary to popular belief, BYOD programs don’t need to result in chaos and managing IT-issued devices doesn’t have to be taxing.
With regards to enterprise security, the major difference between BYOD schemes and arrangements where organizations have greater control over business equipment — like company owned personally enabled (COPE) and company owned business only (COBO) - is where a security team’s data visibility and policy enforcement capabilities may lie. For company owned devices, it’s far easier to install and manage security tools that provide insight at the network or endpoint level. While organizations using a BYOD scheme can mandate that employees authorize security management programs on their devices, enforcing compliance and ensuring proper installation of these programs might prove to be difficult. There still, however, exist security solutions perfectly suited for BYOD.
Besides cybersecurity, organizations and security teams will also need to concern themselves with the physical security of employee devices as well. What happens when a device is lost or stolen, for example? Organizations will need to understand what types of damage or misuse employees are responsible for preventing and outline these scenarios clearly in employee trainings and handbooks.
Managing an authorized list of resources and deciding how to secure them
Just as organizations will need to decide on the devices employees will use, they’ll also need to decide what resources employees can use, how access to these resources will be provisioned, and what types of security and authentication policies will be in place when employees access these resources. For instance, your company may choose to adopt Slack as a sanctioned SaaS productivity application and use a tool like Okta for provisioning access and enforcing multifactor authentication.
In an era of readily available SaaS tools, this type of sanctioned IT can be difficult to maintain, as data sprawl and shadow IT threaten organizations. Some of this tension can be addressed by outlining sanctioned IT resources during employee training or in other documentation. However, security teams should understand that managing IT resources is a give and take between security and productivity. Although shadow IT shouldn’t be unquestioningly embraced, security teams should be receptive to rather than dismissive of the root causes of shadow IT. This can be accomplished by having security teams create channels to quickly solicit feedback across the organization to determine and keep up with employee needs and pain points, and if possible, by having security teams work more closely with business leaders to assess departmental needs.
Determining which security tools you’ll provide to employees
Employee security hygiene is another critical aspect to secure remote work. Your organization may want to decide if implementing tools like password managers, encrypted chat programs, VPNs or other tools makes sense for your workforce. If you decide to make these available to your employees, you’ll need proper documentation and training to ensure that they make good use of them.
3. Properly enforce data policies across your workforce
For remote work, the vast majority of your workforce will likely be leveraging cloud tools to carry out their day-to-day tasks. In these environments, organizations will need to have the proper visibility to monitor the types of data being stored and transmitted. Data visibility will also be central to establishing the appropriate controls for your data.
The types of solutions your security team deploys will depend on the objectives of your information security program. For example, if your organization operates in a highly regulated space like health care or finance, a COBO device scheme combined with a mobile device management (MDM) solution might make sense as this will let you ensure devices are up to compliance standards. However, while something like a MDM or even a cloud access security broker (CASB) might provide you endpoint or network level visibility, your data policies may also require you to have visibility into cloud applications. Nightfall, for example, provides visibility and data policy automation at the application level, allowing businesses to enforce data policies regardless of what devices or networks their employees ultimately use. Understanding the security layers to which your policies should apply will allow you to make strategic use of the platforms best suited to protecting your data.