What works: Security and IT practices that are here to stay
1. Focus on security fundamentals first
Whether you are working from home or not, one thing that shouldn’t change is basic security hygiene. Make sure you are prioritizing confidentiality, integrity and availability. Otherwise, any additional security and IT efforts won’t have a foundation to build on. In addition, ensure your IT and security teams are working cross-functionally; a siloed team will not be able to strengthen these fundamentals.
2. Test VPN capacity
VPN capacity is a large concern for IT and security teams, especially when their previous architecture only supported a fraction of the organization working from home. After many tests and modifications, you have probably found the balance between full-tunnel and split-tunnel VPN that best fits your organization. But as the workforce starts to de-mobilize, this testing will continue. Some employees will continue to work remotely, and we may never return to a time when the majority of the workforce is connected to the corporate network.
3. Continue security education and awareness for the entire organization
External attackers did not sympathize with the global pandemic in 2020. In fact, they exploited it, stooping to an all-time low with an onslaught of phishing attacks, new malware and credential stuffing. It’s important for the entire organization to understand how they can help prevent these attacks, as well as other security breaches, especially when your team has enough on their plate already. Consistent chat communications and email reminders can go a long way for your organization’s ongoing security awareness and training program – and it’s a practice that is important to maintain regardless of where employees work.
4. Ensure visibility into your data
Let’s talk about data management and monitoring. Does it require you to identify and tag what’s important? Is it driven by policies? Do you know what’s going on when employees are not connecting to VPN? These are a few of the questions that are important to answer. When you combine the adoption of new collaboration software with employees who do most of their job while disconnected from the VPN, it doesn’t take long for a highly classified document to move to an undetected location. Policy- and network-based security tools have inherent limitations. When approaching data security, it’s essential to plan for visibility into security vulnerabilities and into the riskiest behavior regardless of where and how employees are working. Collaboration tools should spur innovation, not cause a security headache.
Lessons learned: Examining the failures
1. Physical asset management
This was a huge challenge—how does the IT team keep track of every piece of hardware that was relocated to work from home? How do you get loaner computers to employees who need one? For some companies, it was the first time they needed to have a virtual help desk. The best way to work through it? Document as much as you can, and understand that it may not work out perfectly.
2. Business continuity plans
While many scientists (and even Bill Gates) may have been warning about a pandemic for years, organizations were unprepared. Rather than being dusted off, business continuity plans were assembled in a matter of days, and executives were making really tough decisions on questions that they never imagined needing to answer. At this time, they were wishing they had taken action sooner. A business continuity plan should be strategic, well thought out and prepared in advance. This is a document that needs to be updated periodically moving forward.
The biggest challenge: Keeping a people-first mindset
In the end, technology is just the enabler for remote work. Having a people-first focus is the best first step for embracing change in your security and IT practices. Engage with your remote workers over non-work-related topics: they aren’t spending those few extra minutes chatting at the help desk or joining midday coffee runs. Support your employees as people first. Otherwise, you aren’t benefiting your company.