With millions of people working from home (WFH), both short term and long term, it is likely many organizations will continue with a remote set up for the foreseeable future. Security teams need to rethink their strategies as a result, which requires shifting their efforts in new directions and designating new priorities.
But it isn’t just WFH that is changing the way organizations must now think about security. The pandemic itself is changing the rules of data privacy and the way we communicate and interact with each other — issues that need to be taken into consideration when addressing modifications to the security system.
In a recent virtual discussion, a panel of security leaders including Caroline Wong, Daniel Leslie, Ty Sbano, and Adam Healy, shared five strategies on how to best adjust for this new WFH reality and how security teams can better adapt their processes and programs to address the increased cyber risk.
1. Develop a WFH Strategy for Both Short-Term and Long-Term Scenarios
You can’t simply hand everyone a laptop and assume that security processes go on as normal. There will still be a need for physical security for both facilities and devices, so there will need to be a procedure in place for people who need to come to the office and want to take home equipment, for example. There also needs to be a plan in place for employees who may get laid off or quit during WFH situations, which addresses when to cut off access and how to retrieve corporate equipment.
In a WFH strategy, consider which of the four major business inputs — new policies and regulations; new business requirements; new technology solutions; new partnerships and services — will have the biggest short-term impacts first, and then the biggest long-term impact, and develop a security strategy that meets those issues quickly.
A long-term strategy will include how to bring people back to the office safely. Evaluation of physical security controls is necessary. If you have biometric access controls where employees have to touch the same surfaces, can you offer a new solution like a touch-free mobile app or a hardware token? And remember, no one knows what is going to happen next week, let alone months from now, so you need to stay prepared for whatever scenario presents itself.
2. Keep Communication Lines Open
Communication with the entire workforce is especially important right now. Clearly convey WFH security expectations, and ensure that relationships between leadership, IT, HR, and security are strong with frequent conversations. Everyone needs to be on the same page if a serious cyber incident does occur. It’s not only important to communicate in a transparent and understanding manner on both professional and personal levels.
3. Encourage the Continuation of Your Company Culture
Security should be a priority for everyone, but take time to connect with employees on a human level. While you should keep your security-related interactions professional and brief, be sure to take a moment to say hello and ask how things are going. Encourage social video chats that take place during regular office gatherings, such as happy hours, trivia nights, or lunch “together.” This is a tough time for all, so be sure to check in to see how everyone is doing and what you can do to help them stay focused, sane, and safe. What you want to be is an enabler for the organization during these tough times, looking out for the well-being of both the workforce and the corporate digital assets.
4. Adhere to Privacy and Big Data Procedures and Policies
Data privacy compliance laws cannot go ignored, so security procedures and policies surrounding HIPAA, GDPR, CCPA, PCI all must continue as normal. Efforts should be put in place so employees continue to respect compliance regulations.
However, the pandemic is changing some of the privacy rules in place, and countries around the world are adapting to new needs, such as the way data can be used. Emergency laws have been put into place to allow for tracking mobile phone data, for example, as well as a rollback of HIPAA regulations and Google’s introduction of a community movement map. This could end up changing or restructuring the data privacy laws that most of us have just implemented.
Employees also need access to complete their work while in a remote environment. This is where tools such as VPNs, authentication, and other tools can support remote first teams.
VPN, or Virtual Private Network, is a crucial tool for remote work. It creates a secure connection to another network over the Internet, allowing employees to access their company's network securely from a remote location. This ensures that sensitive data is safely transmitted and reduces the risk of data breaches.
Authentication tools are another essential for remote work. These tools verify the identity of users before granting access to the company's network. Two-factor or multi-factor authentication (2FA or MFA) are commonly used methods. They require users to provide two or more pieces of evidence (or factors) to prove their identity. This could be something they know (like a password), something they have (like a physical token or a smartphone), or something they are (like a fingerprint or other biometric data). This adds an extra layer of security, making it harder for unauthorized users to gain access. Learn more about this subject with adaptive authentication.
5. Focus on Building and Maintaining Trust
With everyone working remotely, now more than ever, trust is key. Trust in your leadership. Trust in your teams. Trust in your processes. Trust that things will change and that you will be ready to take them on. Most importantly, trust in that when an issue does inevitably arise, the matter will be handled honorably.
Trust, for security teams (or any team for that matter), is built and maintained by consistently delivering on commitments, managing expectations, and owning any shortcomings with transparency. Applying lessons learned and paving a way forward will prevent repeated mishaps in the future. The bottom line: For the workforce, from leadership on down, there needs to be confidence that the security programs, controls, and teams put in place can be trusted to empower the organization.