Information Security in Remote Working Environments
As companies extend commitments to remote workforces, cybersecurity teams need to use a three-dimensional approach to increase cyber defenses and create business value in the new normal.
As companies bring on board new technologies, each one potentially addressing an emerging threat, they also add more corresponding people and processes. As this continues, the interactions between technology, processes, and people pile up, and the level of complexity increases geometrically. At some point, this complexity overwhelms the cybersecurity infrastructure and obscures emerging threats - until, weighed down by legacy systems, the business finds itself less agile than cybercriminals, and an attack occurs. In response, the business seeks out the technological patch for that specific threat, and the cycle repeats. This perspective presents a comprehensive three-dimensional approach (people, process and technology) to increasing cyber defences during this disruptive and high-risk period.
For each dimension, we shall look at the positive outcome from remote working, the risk statement and the mitigation plan.
Positive Outcome:
Remote working allows for more flexible work schedules that accommodate different work styles and life situations.
Risk/Issue Statement:
Increasingly preoccupied by greater personal and financial stress at home, employees are more vulnerable to cyberthreats and “social engineering” cyberattacks designed to trick them into revealing sensitive information. As homebound employees become less vigilant in their cyber hygiene, the volume of successful attacks that result from human error may further increase.
Mitigation plan:
Even the best technology will fail or become obsolete in the face of ever more sophisticated hacks. The billions spent on cybersecurity technology have not, and will not, solve the problem. Strong protocols and procedures are imperative but cannot account for every scenario as things are changing too quickly; we need to tap organizational practices as a key additional line of defense.
The following TATA (Transparency, Accountability, Teamwork, Attitude) framework is proposed:
Transparency
The organization should not only make its cybersecurity policies known to all; the reasons for following them should also be transparent to everyone. The organization should conduct regular training on cyber-hygiene and company security procedures. A separate security handbook explaining the security policies and best practices should be provided to all new and existing employees.
Accountability
Employees hold themselves and others accountable. They operate within authorized security policies and use the company tools as intended. The organization should provide managed devices to everyone for remote work, with safe remote practices such as restricted remote printing, disabled USB ports, and a prohibition on sharing company devices with family members.
Teamwork
Employees are trained to understand that cyber-hygiene is part of something larger than themselves and that they must work together for it to be effective. The organization can be split into cross-functional security teams that can connect with each other at any time and support each other in understanding the risks better and making better choices. Such teams can conduct security drills from time to time (just like fire drills), testing firewalls, VPNs, privileged accesses, etc., and one member of each team can be made the ‘Cybersecurity Marshal’, which can further foster the culture of cybersecurity in the organization. Employee communication arising from such measures can also help in early threat detection.
Attitude
Employees are trained to anticipate problems, so they become alert to unusual conditions. Develop a questioning attitude among employees when it comes to information. Employees check URLs prior to clicking on links and are suspicious of requests for personally identifiable information. Users understand how easily passwords can be compromised and the risk of unauthorized access. So, everyone uses unique strong passwords and password vaults and supports periodic password changes.
Positive Outcome:
Remote working has led to new ways of doing business and allowed security teams to pivot from routine tasks and focus on long term security goals. Cybersecurity can be turned into a powerful business enabler and strategic advantage for the company.
Risk/Issue Statement:
Few business processes are designed to support extensive work from home, so most lack the right embedded controls. Moreover, employees have limited bandwidth to apply and uphold new security demands. Makeshift arrangements by cyber teams to secure remote working may leave many security gaps, leading to serious attacks.
Mitigation plan:
Cyber teams should focus on integrating cybersecurity into organizational processes and reaffirming its value to frontline employees. When cybersecurity is integrated across organizational processes, it can be promoted within the organization as a competitive advantage that improves the quality of products and services, changing the perception of cybersecurity from an obstacle to be overcome to a business-enabling necessity. The following EARTH (Embed, Align, Report, Test, Helpdesk) framework is proposed:
Embed
Cybersecurity should be embedded into every business process in the company, such as the software-development life cycle, business-impact analyses (BIA), and all other processes that involve data.
Align
Remote working practices should be created in alignment with business needs. New norms should be shared with all employees, as discussed in the previous section on people. Norms for small things, such as how to store physical documents at home and how to manage connections with third parties, should also be clearly stated.
Report
Simple reporting mechanisms should be built so that when cybersecurity incidents take place, employees know how to report them. Cybersecurity leaders should build redundancy options into response protocols so that responses don’t stall if decision makers can’t be reached or normal escalation pathways are interrupted because people are working from home. Bug bounty programs can be created in certain situations too.
Testing
The various remote working communication tools should be tested to determine whether they allow security teams to carry out incident-response and business-continuity plans. As new tools are added for remote working, they must be tested to strengthen security processes.
Helpdesk
The organization should give increased support to employees so that they can run remote-working tools securely on their systems. Security and IT help desks should add capacity to help employees run tools and set up VPNs, multi-factor authentication, etc. This increased helpdesk capacity is needed to secure remote working at scale.
Positive Outcome:
Remote working has been possible only because of technology. It has allowed rapid digital transformation of many businesses and enabled millions of people to continue working without putting their health in danger. Its stature has grown and will continue to advance quickly as more people around the world start using it. The world will continue to look at technology to help solve future challenges.
Risk/Issue Statement:
The rapid, widespread adoption of work-from-home tools has put considerable strain on security teams, which must safeguard these tools without making it hard or impossible for employees to work. Because fiscal 2020 budgets had already been allocated before the pandemic, security teams had to put other projects on hold to cover the cost of addressing the crisis. In the near future too, the cost of securing the fundamentals could reduce budgets for more advanced threat-intelligence upgrades, behavioural analytics, and other tooling.
Mitigation plan:
Cybersecurity teams should first extract maximum value from existing technology and prioritize cyber technology deployments in order to mitigate the risks from remote working:
Frequent Patching
Shortening patch cycles for systems, such as virtual private networks (VPNs), end-point protection, and cloud interfaces, that are essential for remote working will help companies eliminate vulnerabilities soon after their discovery. Patches that protect remote infrastructure deserve particular attention.
MFA
Employees working remotely should be required to use multifactor authentication (MFA) to access networks and critical applications. Its use should be scaled up even more across the organization.
Prevent Workarounds
IT and security teams should be prepared to transition, support, and protect business-critical shadow assets. They should also keep an eye out for new shadow-IT systems that employees use or create to ease working from home, to compensate for in-office capabilities they can’t access, or to get around obstacles.
Virtualization
Cloud-based virtualized desktop solutions can make it easier for staff to work from home because many of them can be implemented more quickly than on-premises solutions. They should be combined with MFA.
Identity & Access Management
With more employees working remotely, teams managing business-critical systems are revisiting who qualifies for privileged access. Privileged-access and identity-governance solutions can help here. These solutions can also integrate with security-information and event-management tools and with advanced security analytics.
Automation
Security teams can handle increased workloads by adding automated services such as security orchestration automation and response tooling rather than increasing staff or budgets.
Securing remote-working arrangements while protecting the integrity of networks is essential to ensure the continuity of operations during this disruptive time. The coming weeks and months are likely to bring more uncertainty. The cybersecurity teams will become full partners with business, risk, and IT stakeholders. In the new normal, cybersecurity leadership can not only protect organizations at scale but also make security, once and for all, an integral part of delivering business value.