Securing Your Remote Workforce
The Security Paradigm Shift
“The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand.” – Sun Tzu
“There are not more than five musical notes, yet the combinations of these five give rise to more melodies than can ever be heard. There are not more than five primary colours, yet in combination they produce more hues than can ever been seen. There are not more than five cardinal tastes, yet combinations of them yield more flavours than can ever be tasted.” – Sun Tzu
We are entering a very different business world at the moment, one which has been thrust upon most of us far quicker than we planned for and will by all accounts last a lot longer than many of us think. Reading the news at the moment is pretty grim, especially if you read the business news, and unfortunately I think it’s going to get a lot worse before it gets any better, but one thing is sure about the business world for the next year or so at least – it’s going to change, dramatically.
Furthermore, we are seeing a huge increase in cybercrime, phishing attacks have increased, data thefts are rife and only recently it has come to light that EasyJet has had a massive security breach at a time that they are already experiencing significant losses in revenue – not a great time for them, but it outlines the serious threat that businesses of all sizes are facing.
All the hurried preparations to get employees working remotely has led to a number of holes in corporate security, and in some cases completely broken their security models. Banking institutions, R&D, pharmaceuticals, fintech, etc., the list goes on of organisations that have had to break their traditional security baselines just to survive. In many cases, businesses have been enacting BCP plans that have never been fully tested and, in some cases, never fully defined. We are in a very difficult situation and, for many organisations, the whole security baselines will have to be completely re-written to support remote working. So what can we do?
Historically, many large organisations had large offices in sought after locations where all their employees could work together, interacting directly with one another and working in close teams to complete their tasks. We are facing a reality of long term remote working, partially due to the risks of the current pandemic, but also because it’s finally dawned on the business world that it is cheaper to have remote workers. There are plenty of benefits all round for remote working: work life balance, reduction in travel costs, the ability to go and clear one’s head without having to ask etc. are all being hailed in the media as clear benefits and to be honest, I think in the main they are absolutely right.
For all the benefits of remote working, a significant question needs to be, what should you be doing about securing your remote workforce?
Furthermore, we have seen a significant rise in the use of cloud service, managed telephony and a number of other solutions as a service. Many of these solutions were quickly procured; with the crisis of the pandemic threatening the very existence of many companies, there has been a significant level of expenditure in this area. For the moment, many companies have used a band aid to get their organisations functioning from isolation; once things have eased these organisations will need to refine their remote working solutions to suit a more long term situation.
How to secure your remote workforce
We need a security paradigm shift. Security professionals around the industry will have to change traditional views and build a new way of delivering quality information security to a diversely spread out employee base. Endpoints, for example, have shifted dramatically out to people’s homes, bringing home networks and other devices using those networks potentially in scope. We need to carefully re-evaluate what we need to do – it’s not just about securing, we must also start thinking carefully about validation and consistent security for technical infrastructure.
For securing your remote workforce, we need at least multifactor authentication but we also need to consider that one of those factors needs to validate who the individual actually is. Biometrics and ongoing behavioural based authentication should be very strongly considered as the norm now; multi-factors such as user/password combinations and token/soft token-based secondary factors are fantastic, but biometrics is far more reliable for ensuring that the identity of the individual authentication through the nonrepudiation that biometric technology can give. Another possibility is behavioural analysis. There are some very interesting solutions that learn how people interact with systems and provide ongoing authentication. This is still a very niche area but it could be a fantastic option to ensure consistent validation for users during and after authentication.
Another example is beefing up the endpoint security, not only to look out for malicious code operating on the laptop itself but also IDS / IPS software that can detect localised attacks and often underused local firewall solutions to regulate communications, as well as file integrity software. There is a wealth of security options to protect endpoints, though quite often these are commonly and woefully under-utilised before now. There are a number of additional items to consider such as tracking and remote wiping technologies for laptops, DLP solutions, cloud based solutions, etc. The list of options is almost endless to ensure that remote working can be done securely.
Finally, we also have remote desktop solutions. If securely undertaken, an organisation can provide remote desktops for staff that are home based. This was popular many years ago with Citrix, and to be fair it’s never really gone away, but it’s more underutilised today than it probably should be. Obviously it’s not going to be suitable for everyone; there are always going to be specialised high end users with high end requirements, such as software developers, CGI rendering and similar such roles and activities that will need more powerful and versatile solutions, but most employees not in such specialised roles can just as easily use some form of remote desktop.
Considerations when securing your remote workforce
Securing any environment is possible. There are numerous technologies, user awareness training packages and policies and supporting procedures that can be built to facilitate almost any environment. But whatever security route you go down, it is wise to consider the following for securing your remote workforce:
Security is there to protect the business
Security is there to protect the business and its critical assets, and every business has critical assets and workflows that allow it to work efficiently and effectively to work toward the company’s vision. Build your security around that.
Build security around the company culture
Ensuring your security programme and baselines are in line with the company culture is as critical as knowing the assets and workflows. If your security programme does not actively support the culture and the values of the organisation, it will fail. The employees and management will reject it and refuse to comply, which will dramatically reduce the effectiveness of your security programme.
Never make security too onerous
Security is vital to any organisation but you need to be careful. If it’s overzealous and it hampers the day to day workings of the company, you’ll need to carefully rethink and look at other ways to secure your remote workforce. For example, making users have separate passwords for login and critical systems is a good way to secure systems from compromise, but then having to remember several user / password combinations is hard for anyone to handle. Maybe multifactor authentication is a better option…
Security is fluid
One of my favourite quotes is one from an interview with Bruce Lee:
“You must be shapeless, formless, like water. When you pour water in a cup, it becomes the cup. When you pour water in a bottle, it becomes the bottle. When you pour water in a teapot, it becomes the teapot. Water can drip and it can crash. Become like water, my friend.”Bruce Lee
Security should be like water, permeating every aspect of the environment it’s there to secure; it should be fluid and versatile, bending and shaping itself as required. But never forget security – like water – can be dangerous, it requires review and consideration, you need to work with it and try not to fight against it. Ask any civil engineer, architect or builder about how dangerous water can be. When it’s in the wrong place, water can be a serious issue. If you put security in the wrong place, it can erode confidence within the business and can cause great harm.
There are going to be a lot of security reviews and security programmes going through reviews and changes in the near future, once the Coronavirus lockdown has eased. Businesses large and small are looking very objectively at the feasibility of having a larger portion of staff working from home from now on, so the security paradigms that are currently followed will have to change dramatically to support the shift from predominantly centralised security to predominantly decentralised security.
There’s going to be a great deal of security technology and services being reviewed soon. It’s likely that many will need to be updated for the new situation, so make sure you carefully build your security baseline, ensure you have outlined objectives and undertaken your business assessments before going hell for leather procuring security products. Take time in the selection process to ensure that complimentary products that work well together are implemented to fit the business need. Watch out for vendor marketing too, test products thoroughly.
To all those security professionals out there, I say this. You have a really good opportunity here to fix some of the mistakes of the past and update entire security programmes within your organisations. This will be a rare opportunity to update everything, it’s exciting and should be enjoyed! But do so carefully, yes – this paradigm shift will need to be undertaken with a reasonable amount of speed, but exercise caution and thoroughly test and check your changes.
Whether you need short or long term solutions, contact us to discuss securing your remote workforce.