After the 2020 pandemic tipped our traditional way of work on its head, companies scrambled to support fully remote workers. But as the vaccine roll-out continues, many organizations are welcoming workers back to the office. However, that doesn’t mean all companies are planning to go back to exactly the way things were before. Some companies, like Nationwide and VMware, have announced their decision to stay “remote first” for the long term, while others are looking at flex solutions like 2 days in the office and 3 days at home, or one week in the office and the next week at home. The implication for IT and ITSec departments is that they must prepare to support fully or partially remote workers well into the future.
3 Focuses for Security Operations in the Era of Remote & Hybrid Work
What does support for a hybrid workforce look like for security operations? To ensure that corporate assets are protected and not exposed to excessive risk, SecOps teams will need to focus on three areas for remote and hybrid-remote workers: physical, digital, and human.
1. Physical: As the days of always (or mostly) in the office wane, security teams face an expanded attack surface. Now, every work-from-home (WFH) or work-from-anywhere (WFA) employee’s home, or even local coffee shop, can be an extension of the corporate network. And though this has increasingly been the case with mobile and mostly remote workers pre-COVID, the big change now is the sheer scale of employees working remotely.
In this next wave, look at extending in-office physical policies out to the “anywhere office.” For example, if you’re a “clean desk” company that requires employees to lock up laptops and turn off monitors when they step away, expand those policies to the “anywhere office” too. Though not all employees may have access to a locked cabinet at home, they probably can shut down their laptops and put them away in a drawer. Similarly, provide guidelines on how to keep critical hardware, like cable modems and Wi-Fi mesh routers, out of harm’s way from curious cats and capering kids. And for companies that can afford it, consider going one step further and purchasing hardware for remote workers to ensure that they’re using corporate-approved vendors and versions.
2. Digital: Keeping data safe for remote-first workers intersects with digital transformation and the ongoing shift to cloud. Identity-centric security supports both people and machines -- and getting it right is critical as 80% of data breaches are connected to compromised credentials, according to Forrester Research.
Scoping access for identities via focused, need-to-know roles is a necessary first step. A recent Forrester Consulting survey commissioned by BeyondTrust found that 60% of respondents believe they will have “to treat more employees as privileged users due to remote access infrastructure” in the next two years. Where possible, minimize the proliferation of privileges and ensure that unneeded access is culled when it is no longer required. Where privileged users (again, both human and machine) can’t be avoided, keep them controlled through a PIM (privileged identity management) tool that supports elements like server privilege management, credential rotation, just-in-time (JIT) access control, and granular audit capabilities.
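To make the JIT and audit elements above concrete, here is a small added example (not BeyondTrust code or any vendor’s API) of a toy privilege broker: elevation is granted to a scoped role for a capped time window, every grant, use, and revocation is written to an append-only audit list, and a periodic sweep culls expired grants so standing privilege does not accumulate silently. The `JitBroker` class, the identities and the timestamps in `demo()` are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Grant:
    identity: str        # human or machine account (e.g. a build service)
    role: str            # scoped, need-to-know role such as "db-admin"
    expires_at: datetime

@dataclass
class JitBroker:
    max_ttl: timedelta = timedelta(hours=1)        # hard cap on any elevation window
    grants: dict = field(default_factory=dict)     # (identity, role) -> Grant
    audit: list = field(default_factory=list)      # append-only audit events

    def request(self, identity, role, ttl, now):
        """Grant a time-boxed role; the requested window never exceeds max_ttl."""
        grant = Grant(identity, role, now + min(ttl, self.max_ttl))
        self.grants[(identity, role)] = grant
        self.audit.append((now, "GRANT", identity, role, grant.expires_at))
        return grant

    def is_allowed(self, identity, role, now):
        """Check an access attempt; an expired grant is revoked on touch."""
        grant = self.grants.get((identity, role))
        if grant is None:
            self.audit.append((now, "DENY", identity, role, None))
            return False
        if now >= grant.expires_at:
            self.revoke(identity, role, now, reason="EXPIRED")
            return False
        self.audit.append((now, "USE", identity, role, grant.expires_at))
        return True

    def revoke(self, identity, role, now, reason="MANUAL"):
        grant = self.grants.pop((identity, role), None)
        if grant is not None:
            self.audit.append((now, reason, identity, role, grant.expires_at))
        return grant is not None

    def cull_expired(self, now):
        """Periodic sweep: returns how many stale grants were removed."""
        stale = [k for k, g in self.grants.items() if now >= g.expires_at]
        for identity, role in stale:
            self.revoke(identity, role, now, reason="EXPIRED")
        return len(stale)

def demo():
    t0 = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)   # constructed start time
    broker = JitBroker()
    broker.request("alice@corp.example", "db-admin", timedelta(hours=8), t0)  # capped to 1h
    broker.request("build-svc", "deploy", timedelta(minutes=15), t0)
    results = (broker.is_allowed("alice@corp.example", "db-admin", t0 + timedelta(minutes=30)),
               broker.is_allowed("alice@corp.example", "db-admin", t0 + timedelta(hours=2)),
               broker.cull_expired(t0 + timedelta(hours=2)))
    return results, [event[1] for event in broker.audit]
```

Running `demo()` shows the 8-hour request silently capped to the 1-hour policy, the second access denied after expiry, and the audit trail recording both the use and the two revocations.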
Other areas for remote work digital security include hygiene and configurations on home devices and training users on how to securely set up their home networks. Some remote-first companies that supply equipment (e.g. laptops) to employees may also look at developing “push button” setup scripts for home employees, or shipping equipment pre-configured to company standards.
3. Human: Last, but certainly not least, is the human element. MIT neuroscientists discovered that when rodents are put under chronic stress, they choose higher-risk paths. This can happen with humans too. Working from home can mean a reduction in commuter stress, but an increase in ambient home stress from children, partners, and pets, not to mention the stress of jumping from meeting link to meeting link and having to look at oneself in video meetings. A stressed workforce may be tired and more likely to forget safety protocols, such as checking links before clicking or downloading software.
Training that worked in an office context may need to evolve or become more frequent in this next wave of work. Also, management style and culture can do a lot to alleviate stressors: for instance, meetings can be set at 25 or 50 minutes to give people a bit of breathing room so they don’t have to multi-task through their emails during calls.
Next Steps in Preparing to Securely Address the Remote-First Workforce
No matter where your company lands on the next-wave-of-work spectrum, creating a plan for addressing the physical, digital, and human elements will keep data safe and people sane. For a further exploration of this security topic, check out my on-demand webinar: Privileges & Pajamas: The Security Impact of Remote Working. And for related reading, check out this blog from Morey Haber, BeyondTrust CTO & CISO, on how the attacker’s path of least resistance is shifting and how you can adapt.
Diana Kelley, CTO, Executive Mentor, Research Analyst, Security Keynote Speaker
Diana Kelley’s security career spans over 30 years. She is Co-Founder and CTO of SecurityCurve and donates much of her time to volunteer work in the cybersecurity community, including serving on the ACM Ethics & Plagiarism Committee, as CTO and Board member at Sightline Security, Board member and Inclusion Working Group champion at WiCyS, Cybersecurity Committee Advisor at CompTIA, and member of the RSAC US Program Committee.
Diana produces the #MyCyberWhy series, hosts BrightTALK’s The Security Balancing Act, and is a Principal Consulting Analyst with TechVision Research and a member of The Analyst Syndicate.
She was the Cybersecurity Field CTO for Microsoft, Global Executive Security Advisor at IBM Security, GM at Symantec, VP at Burton Group (now Gartner), and a Manager at KPMG.
She is a sought-after keynote speaker, the co-author of the book Cryptographic Libraries for Developers, has been a lecturer at Boston College's Masters program in cybersecurity, was the EWF 2020 Executive of the Year, and is one of Cybersecurity Ventures’ 100 Fascinating Females Fighting Cybercrime.