Remote Work Considerations in the COVID-19 Age
The spread of the COVID-19 pandemic is forcing many organizations to suddenly task their employees with working from home, giving them greater data security responsibility with less direct oversight. In most instances, these remote work programs were rapidly launched without the luxury of traditional lengthy design and testing processes. However, this situation now offers enterprise risk managers the opportunity to strengthen those programs against a series of new vulnerabilities and threats unique to the remote workplace.
These threats can come in different forms, such as phishing attacks that prey on fear and confusion about the virus. Targeted attacks can exploit the lowered security defenses of home networks to access privileged government, corporate, and academic networks to steal intellectual property (IP), personally identifiable information (PII), and sensitive reputational data.
Moving forward, remote work will be a bigger part of professional life, with more employees working at least partially from home. This requires enterprise risk managers to address the evolving vulnerabilities and threats unique to that environment on a much broader scale.
When initially assessing the security effectiveness of recently deployed remote work programs, the following areas should be examined.
Governance
Governance is the defensive building block upon which all security measures rest. Without proper governance, there is no defensive bedrock for countering attacks.
With more cyber breaches resulting from inadvertent action than any other single cause, the dissemination of clear policies and procedures is paramount. Remote work policies should address sensitive data protection management, including—but not limited to—classification, encryption, retention, storage, and suspicious approaches; the personal or organizational usage of device management, as well as remote access to devices; and the ways the organization will provide cybersecurity training, conduct audits, monitor data usage, and enforce accountability.
Given that many employees are experiencing remote work for the first time during the COVID-19 age, they need well-constructed and well-communicated governance to guide them. Newcomers to the remote work environment need to understand what is expected of them and what they can expect from the organization.
That same good governance helps organizations reinforce cybersecurity awareness training programs, network and user auditing procedures, and security policy accountability.
Unintentional Insider Risk
As noted above, this is the most prevalent form of an insider attack, occurring when employees who lack malicious intent become a threat through negligence, or are socially engineered by outside malicious actors into facilitating access to data or a network.
Normally, this type of threat is most pronounced in easily distracted employees—specifically those who are flighty, disorganized, scatterbrained, or otherwise unfocused. Employees who are usually focused also become potentially vulnerable to these attacks when they are stressed, strained, or subject to new distractions like a personal or professional crisis. These factors tend to exacerbate the susceptibility of typically focused employees to this threat.
In the midst of the COVID-19 pandemic, enterprise risk managers need to pay attention to unintentional insider threats. Especially now, there is no shortage of distracting events or stressors that can trigger an emotional shift in employees who are potentially working with crisis anxiety and family members confined to the home. Early warning signs of this vulnerability are particularly challenging to detect in a remote workplace, as valuable insights gained from on-site interpersonal observations and engagements are now limited or nonexistent.
One common indicator is decreased engagement or withdrawal from phone and email interaction with colleagues, managers, and clients. This may reflect a growing preoccupation with matters besides work that may warrant involvement and assistance from management. Such early engagement may serve to prevent a security breach.
Employee Engagement
In terms of preventing security incidents and increasing productivity, there is no substitute for knowing your employees. Understanding your employees and applying that knowledge is even more important in the remote workplace.
In the COVID-19 period, effectively engaging employees is particularly important for reasons of morale, unity, and health—both physical and mental. A good rule of thumb is to revert to the same principles in place before collaborative technology existed, notably keeping contact at the same level as in the office and treating each employee as an individual. Invest in technology that supports video conferencing, host all-hands meetings each week, and schedule personal chats with each employee on at least a weekly basis. Establish a set of “core hours” each day when everyone will be available and allow employees to work their other hours at times that fit within their personal crisis management schedules.
Data Management
Without a doubt, the formal structure of the traditional office workplace served to reinforce an organization’s data security policies and procedures. Specifically, employees processed, handled, stored, and shared data within an established regimen and through a network, workstation, and peripherals that were monitored and controlled by on-site IT staff.
The remote workplace and cloud infrastructures have diminished much of that structure, with sensitive data stored and accessed by increasing numbers of employees, partners, and customers. While there is much to say about data protection considerations for remote workers, an important first step is using secure applications, locking down identities, and monitoring how identities use applications.
When developing a new remote work program, a primary consideration is determining what content and capabilities are needed by the workforce. Communication and collaboration capabilities are likely first, followed by the intranet web pages, administrative reporting, and other required content.
Risk managers should also consider ways to shift their focus from protecting the network to protecting the data itself by creating a zero trust environment. In this environment, emails and files are encrypted before they leave the sender’s computer and only decrypted (with multi-factor authentication) when they reach the destination, keeping data protected wherever it is accessed, transmitted, used, or stored. Additionally, employee engagement with the data is monitored in real time across each device, application, and network used, in order to identify behavior anomalous to that user’s established profile.
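The profile-based monitoring described above can be sketched as follows. This is an added example, not code from the article or from any product: it builds a per-user profile of devices, applications, and networks from baseline events and flags new events that depart from it. All user names, device names, events, and the threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (user, device, application, network).
BASELINE = [
    ("alice", "corp-laptop-17", "docs", "vpn"),
    ("alice", "corp-laptop-17", "docs", "home-isp"),
    ("bob", "corp-laptop-22", "mail", "vpn"),
]
NEW_EVENTS = [
    ("alice", "corp-laptop-17", "docs", "vpn"),        # matches profile
    ("alice", "personal-tablet", "docs", "home-isp"),  # new device only
    ("bob", "unknown-pc", "hr-records", "cafe-wifi"),  # all three new
    ("carol", "corp-laptop-30", "mail", "vpn"),        # no profile yet
]
DIMENSIONS = ("device", "application", "network")

def build_profiles(events):
    """Record, per user, the set of values seen for each dimension."""
    profiles = defaultdict(lambda: {d: set() for d in DIMENSIONS})
    for user, *values in events:
        for dim, value in zip(DIMENSIONS, values):
            profiles[user][dim].add(value)
    return dict(profiles)

def score_event(profiles, event):
    """List the dimensions where an event departs from the user's profile.
    A user with no baseline is reported explicitly as 'no-profile'."""
    user, *values = event
    profile = profiles.get(user)
    if profile is None:
        return ["no-profile"]
    return [d for d, v in zip(DIMENSIONS, values) if v not in profile[d]]

def triage(profiles, events, threshold=2):
    """Label each event: ok, review (some deviation), or alert (>= threshold)."""
    results = []
    for event in events:
        deviations = score_event(profiles, event)
        if not deviations:
            label = "ok"
        elif "no-profile" in deviations or len(deviations) < threshold:
            label = "review"
        else:
            label = "alert"
        results.append((event[0], label, deviations))
    return results

if __name__ == "__main__":
    for row in triage(build_profiles(BASELINE), NEW_EVENTS):
        print(row)
```

A set-membership baseline like this only catches never-before-seen values; frequency, time of day, and data volume would need their own dimensions.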
Device Management
Data protection is made easier when an organization controls the computers, phones, storage devices, and networks where the data is at rest and in motion. While this control is best implemented by issuing and restricting work to devices owned and maintained by the organization, this is expensive and sometimes still insufficient.
With employees at home and without on-site IT resources, there is a tendency to cut corners and neglect policies and procedures to save time and effort. A good example is forwarding sensitive data to a personal device or account so that it can more easily be edited or printed. However, by doing so, that information then rests unprotected on a personal device and outside the control of the organization—maybe even the employee.
While many organizations choose to implement or expand virtual private network (VPN) solutions for remote work, the viability and success of this choice depend on the security of the involved devices, the bandwidth at internet access points, and the capacity of the existing network infrastructure. In the current crisis environment, internet access points and VPN concentrators can be saturated from increased global web browsing and application demand.
Also, VPN solutions generally lack the ability to control information access and facilitate detailed endpoint audits. With no ability to monitor unmanaged devices, organizations can be unaware of the occurrence of a breach. While endpoint security solutions can be deployed, the associated workload of licensing, deploying, and managing myriad security layers may be prohibitive, especially in a crisis situation when solutions need to be rolled out quickly. In the end, devices and data remain at risk due to direct connection to untrusted networks.
One way to mitigate this risk is by using a web isolation solution that uses a cloud-based browser ‘instance.’ These solutions isolate the remote work session or sensitive data from the end user’s device or browser. They also can restrict certain functions, such as copy, paste, printing, and file uploading or downloading, which mitigates vulnerabilities from key insider threats. Finally, these solutions can enable detailed user auditing. The end result is a safer and more secure remote workplace.
Undoubtedly, the COVID-19 crisis will permanently and significantly increase the number of people working remotely across the globe, correlating with significant increases in remote work risk. Organizations that use the current period to refine their remote work policies and procedures will position themselves for future success. One recommendation for refining programs is Observing, Orienting, Deciding, and Acting in a recurrent cycle, also known as the OODA Loop.
The OODA Loop, developed by U.S. Air Force Colonel John Boyd, was created to facilitate effective decision-making within uncertain and chaotic environments. By continuously implementing the cycle, an organization can outpace an opponent’s decision-making and gain the upper hand. Specific to insider threat programs, organizations can refine their remote work security program observation and orientation by having an experienced red team employ the attacker mentality to pinpoint vulnerabilities professional attackers would exploit. Armed with this knowledge, effective decisions and actions will follow.
With two decades of recruiting foreign sources and penetrating intelligence targets for the CIA, Val LeTellier has a deep understanding of how insiders are created, managed, protected, and discovered. He leads the ASIS Defense & Intelligence Council’s Insider Threat Working Group and is a member of the INSA Insider Threat Subcommittee.