A tight labor market, the globalization of technology, and many other factors continue to drive the trend toward workforces that are more mobile, that embrace working from home, and that need new solutions for cybersecurity.
According to Gartner, “by 2020, organizations that support a ‘choose-your-own-work-style’ culture will boost employee retention rates by more than 10%.” Forbes has also posited that Financial Accounting Standards Board (FASB/IASB) accounting changes, which went into effect January 2019 in the US, impact every company leasing commercial real estate in a way that, as a “cost-optimization strategy,” will induce businesses to increasingly hire remote workers and offer telecommuting options.
While remote work confers many benefits, the downside for information technology (IT) teams is that it does make IT security more complex. How can organizations ensure that their remote workers are empowered with the tools they need to be productive, without exposing the organization to inordinate cyber risk?
To that end, let’s consider three key challenges organizations face in enabling and protecting remote workforces, and then identify best practices for addressing these challenges.
- Secure Remote Access to Corporate Resources
- Bring Your Own Device (BYOD)
- Enforcing Consistent Cybersecurity Hygiene
Today, remote employees usually connect to corporate resources either directly via a VPN or through resources hosted in the cloud. These employees are often behind their own home routers, which employ technology like NAT to isolate the home network. However, this creates a network routing problem for traditional IT management and security solutions.
Corporate cybersecurity solutions cannot resolve and route to remote employees to push updates or directly query systems. Thus, all remote devices must poll (initiate an outbound connection) into cybersecurity resources for updates, or to submit data. This often requires a persistent outbound connection to determine state—regardless of using a VPN or cloud resources—and can falter from trivial network anomalies commonly found in home-based wireless networks or cellular technology.
Additionally, discovery technology, pushing policy updates, etc. all become batch-driven as opposed to near real-time due to name resolution and routing limitations. Even remote support technologies require an agent with a persistent connection to facilitate screen sharing since a routable connection inbound to SSH, VNC, RDP, etc. is not normally possible for remote employees.
Thus, the top cybersecurity challenge for remote employees centers on devices that are no longer routable, reachable, or resolvable from a traditional corporate network for analysis and support because they are, in fact, not on the traditional corporate network. This leads to a remote access security gap that can be initiated by IT resources, versus the end user.
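The management-side consequence of this, as an added example (not from the original article or from any BeyondTrust product): because the server cannot query a device behind NAT, its only view of device state is the last outbound check-in, so silence has to be treated as a finding. The polling interval, tolerance, policy version and check-in records below are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

POLL_INTERVAL = timedelta(minutes=15)  # assumed agent check-in period
MISSED_POLLS_ALLOWED = 4               # tolerance for flaky home Wi-Fi or cellular
CURRENT_POLICY = 42                    # assumed latest policy version

# Constructed sample check-ins: (device id, ISO-8601 UTC timestamp, policy version)
SAMPLE_CHECKINS = [
    ("laptop-a", "2024-05-01T08:00:00+00:00", 41),
    ("laptop-a", "2024-05-01T11:50:00+00:00", 42),
    ("laptop-b", "2024-05-01T09:15:00+00:00", 42),
    ("phone-c",  "2024-05-01T11:45:00+00:00", 40),
    ("laptop-d", "2024-04-28T17:30:00+00:00", 42),
]

def latest_checkins(records):
    """Keep only the most recent check-in per device."""
    latest = {}
    for device, ts, policy in records:
        seen = datetime.fromisoformat(ts)
        if device not in latest or seen > latest[device][0]:
            latest[device] = (seen, policy)
    return latest

def classify(records, now):
    """Label each device from its last outbound check-in alone."""
    max_silence = POLL_INTERVAL * MISSED_POLLS_ALLOWED
    report = {}
    for device, (seen, policy) in latest_checkins(records).items():
        if now - seen > max_silence:
            # No inbound route exists, so the server cannot verify anything
            # about this device until it polls again.
            report[device] = "unreachable"
        elif policy < CURRENT_POLICY:
            # Reachable, but the update arrives only on the next poll (batch-driven).
            report[device] = "policy-pending"
        else:
            report[device] = "current"
    return report

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    for device, state in sorted(classify(SAMPLE_CHECKINS, now).items()):
        print(f"{device:10} {state}")
```
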
Remote employees are generally enabled via one of two policies:
- Corporate-supplied information technology resources, or
- Bring your own device (BYOD).
While corporate-deployed resources can be robustly hardened and controlled, personal devices are often shared and not subjected to the same security scrutiny. Organizations struggle to manage end-user devices with mobile device management (MDM), or enterprise mobility management (EMM) solutions, and technology that can only isolate applications and user data on a device.
IT teams simply cannot harden employee-owned devices and govern their operation as tightly as a corporate-deployed system. While BYOD is no longer a new concept, organizations still struggle to enable it without introducing unnecessary risk. The methodology your organization chooses is ultimately a balance between cost, risk, and usability, with neither of the above options a clear winner.
The third challenge for securing remote workers involves fundamental cybersecurity controls like vulnerability assessments, patch management, and anti-virus. Traditionally, all of these were performed using network scanners, agents, and services to execute various functions, and require connectivity to on-premise servers.
Cloud technologies have made these security basics easier to manage, but many organizations have not matured enough to embrace these technologies for remote employees. However, organizations empowering remote employees should consider the cloud for managing basic cybersecurity disciplines since connectivity issues are only getting worse with cellular and other mobile technologies that cannot maintain a persistent and routable connection. The cloud offers universal resources—outside of a traditional data center—to which remote devices can securely connect and embrace methodologies like geolocation and two-factor authentication, for additional layers of security.
Best Practices for Securing a Remote Workforce
IT teams that need to secure a remote workforce should keep an open mind toward the acceptance of new technologies, methodologies, and workflows to accomplish cybersecurity best practices. This includes using MDM/EMM solutions, leveraging the cloud, and monitoring data and workflows to prevent a breach.
IT teams should think outside the box regarding connectivity. We live in the age of cellular and broadband, and will see a bandwidth evolution with 5G. The theft of massive quantities of data can occur in just minutes using wireless technology, and new techniques are needed to defend against these threats. The risk comes not only from a remote employee copying data from corporate resources, but also from cyberthreat actors breaching a remote employee and leveraging them as a beachhead.
Therefore, IT teams need to understand their business models and account for the roles remote employees play, and the data and system risks they represent. With this firmly in mind, organizations can build a strategy that enables workforce productivity, while prudently managing cyber risks, with the right mix of modern security technology and practices.
BeyondTrust technology has been engineered to enable organizations to embrace security best practices for a remote workforce. To learn how BeyondTrust can help you address VPN-less secure remote access and privileged access management for your remote devices and mobile workforce, contact us today.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.