As I have written about in previous blogs, the concept of the Remote Workforce is not a new one. People have been working from home for a long time. Heck, even when I started working in Corporate right before the Y2K craze, people were WFH, but at that time, it was called “Telecommuting”.
But the reason WFH has caught the headlines this entire year is the gravity with which it was thrust upon us.
Many Cyber experts felt that a near 99% Remote Workforce would be possible probably in the next few years. Nobody thought that it would happen right here and right now. As COVID19 hit, many people at first wanted to go back into the office. But as people have now become accustomed to it, businesses across America are now starting to let their employees WFH for as long as they want.
And because of that, many entities are now shutting down their traditional brick and mortar presence and are opting to have a Virtual Office instead, so that they can use it on an as needed basis.
No doubt, there have been a whole host of security issues that have come along with the Remote Workforce, but businesses are starting to work to smoothen them out, as they start to realize that there is no rush to bring employees back.
But truth be told, the Remote Workforce has now spawned an entirely new trend, which is now referred to as the “Gig Economy”. This is where employees now work more on a contractual or freelance basis.
Because of this, businesses now have to take more stringent steps to protect the vital information and data that are accessed on a daily basis. Because everything is now pretty much virtual, it is that much harder to clearly discern who is actually accessing this data, and which pieces of it are at a high risk of being stolen.
Here are some quick tips to help you protect your all-important company information and data:
*Stress the importance of protecting it from the beginning:
Many companies are now starting to take Security Awareness Training somewhat more seriously. They are starting to realize that the earlier it starts, the better. For that matter, the HR departments at many entities are now starting to have new hires start this process right on their very first day. But apart from that, you should also take this opportunity to explain to your new employees the consequences they face if they leave their current position and take any sort of information/data with them. Now obviously you do not want to scare them on the very first day so that they quit out of fear, but you need to drive home the point that even though they are working remotely, they, and the shared resources that they are accessing, are still being watched. If you can make this kind of impact on the very first day, that will further make the employee think twice before they share anything maliciously. Also, have them sign legal documents reiterating all of this as well, so that if anything does happen, it will be enforceable in a court of law.
*Define what is acceptable use:
With WFH, the temptation to use personal devices for conducting work related matters becomes very strong. Part of the reason for this is that when the WFH trend started back in March or so of this year, many companies were scrambling to issue company devices that had all of the required security stuff installed onto them. But this went unfulfilled, and because of that, many employees were left in the lurch and started to use their own devices. But now, many companies have started to realize the tangible benefits of deploying their entire IT and Network Infrastructures into the Cloud, such as Microsoft Azure and AWS. With this, Virtual Machines (VMs) and Virtual Desktops (VDs) can be created, giving the remote employees the same look and feel of their workstation back in the office. Now, employees can access whatever they need from wherever they may be in a much more secure and safe fashion. But despite this, employees still need to be reminded of what is deemed to be acceptable usage and what is not. For example, they should not be permitted to use a company Cloud Platform to create a storage space for their own personal uses. Also, they should not use their work Email address to communicate with non-employees (such as friends and family). It is important to keep reminding them of this. This is even more important if and when they decide to download their own software apps to conduct job related tasks. This is a huge no-no, and you must keep reminding them that if they want to go down this route, then they need to have prior approval from the IT Security Team.
*Make sure you keep track of all activities:
This simply means that you are logging and watching on a real time basis what is being accessed and when in your IT and Network Infrastructures. While this may at first seem to be a daunting task, it does not have to be. For example, both the AWS and Microsoft Azure Platforms offer a whole host of tools that you can use to do this. Or you can tunnel all of these features into a single platform known as a Security Information and Event Manager (aka “SIEM”). This will allow for your IT Security Team to see all activity from within a single dashboard, and literally cut off any kind of suspicious behavior the moment that it does happen.
*Terminate everything once an employee leaves:
Simply put, once an employee leaves for whatever reason, immediately shut off all of their rights, permissions, and passwords. It may sound rather extreme, but you need to do this literally the very second that their work duties have ended. Then, the employee should be given some sort of exit interview that reminds them that if they have kept any kind of confidential information and data, now is the time to return it without any questions being asked, or they could face serious legal consequences down the road.
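To make the last two tips concrete (log every access, and cut off access the moment an employee leaves), here is an added example that is not part of the original post: a small check that compares an HR termination list against an access log and flags accounts that are still enabled, or that touched shared resources after their end time. The account names, paths, log format and timestamps are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample data (assumptions, not from the original post).
TERMINATIONS = {  # account -> moment work duties ended
    "jdoe": "2020-11-06T17:00:00+00:00",
    "contractor7": "2020-11-09T12:00:00+00:00",
}
ACCOUNT_ENABLED = {"jdoe": False, "contractor7": True, "asmith": True}
ACCESS_LOG = """\
2020-11-06T16:40:00+00:00 jdoe GET /shares/finance/q3.xlsx 200
2020-11-06T17:25:00+00:00 jdoe GET /shares/finance/q3.xlsx 403
2020-11-09T12:03:00+00:00 contractor7 GET /shares/clients/list.csv 200
2020-11-09T12:10:00+00:00 asmith GET /shares/hr/policy.pdf 200
"""

def parse_log(text):
    """Yield (timestamp, user, path, status) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of crashing the check
        ts, user, _method, path, status = parts
        yield datetime.fromisoformat(ts), user, path, int(status)

def offboarding_findings(terminations, enabled, log_text):
    """Return (kind, user, path) tuples for offboarding gaps."""
    ends = {u: datetime.fromisoformat(t) for u, t in terminations.items()}
    findings = []
    # Gap 1: the account was never disabled after the employee left.
    for user in sorted(ends):
        if enabled.get(user, False):
            findings.append(("ACCOUNT_STILL_ENABLED", user, None))
    # Gap 2: activity after the end time. A denied request still matters,
    # because it shows the former employee tried to come back for data.
    for ts, user, path, status in parse_log(log_text):
        if user in ends and ts > ends[user]:
            kind = ("POST_TERMINATION_ACCESS" if status < 400
                    else "POST_TERMINATION_ATTEMPT")
            findings.append((kind, user, path))
    return findings

if __name__ == "__main__":
    for finding in offboarding_findings(TERMINATIONS, ACCOUNT_ENABLED, ACCESS_LOG):
        print(finding)
```

In practice the same comparison would run as a scheduled query or alert rule inside the SIEM, fed by the HR system and the Cloud platform's access logs.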
My Thoughts On This
Well, there you have it, some quick tips you can use pretty quickly. Remember in the end, it is ultimately your responsibility (as the CIO or CISO) to safeguard your confidential information and data.
You cannot take anything for granted in today’s virtual environment, especially if you are dealing with contractual or freelance workers. To this end, many companies have started to institute the Zero Trust Framework, in which literally nobody is trusted, even your longest lasting employees.
Everybody must go through at least three or more layers of authentication before they can be granted access to the shared resources that they need. Also, maintaining a good posture on controlling your information and data will yield one more huge benefit:
It will help ensure that you come into compliance with the likes of both the GDPR and the CCPA, and avoid facing an audit and huge financial penalties.
Finally, remember that you are not alone in this process. You can always hire a Managed Security Services Provider (“MSSP”) to get you moved over to the AWS or Microsoft Azure so that you can start to take advantage of their robust security tools and suites.