How to Achieve Security First for a Remote-First Workforce
One day in 2020, most office workers went home and stayed home, many of them for over two years now. Work from home (WFH) employees kept businesses running. Acceptance (often grudging) of WFH by C-suites, record-low unemployment, and fears of pandemic resurgences now mean that WFH will probably become work from anywhere (WFA) plus return to office (RTO) for the foreseeable future.
Yet, the success of WFH comes with increased cybersecurity risks:
- Employee-owned IT assets (hardware, networks, software) were allowed alongside the organization’s assets to enable suddenly remote workers to function. IT departments weren’t prepared for a flood of bring-your-own-device (BYOD) users accessing files, applications, and databases.
- Traditional cybersecurity assumed resources inside the organization’s network were “safe” while those outside it were “dangerous,” and employed firewalls to defend a well-defined network perimeter. As massive numbers of users and assets moved outside this perimeter, the static model crumbled and needed immediate rethinking.
Those risks may seem daunting, especially given their sudden and simultaneous appearance. Let me reassure non-technical CxOs: The risks are real but not insurmountable given your support for policy, process, and technology upgrades.
See, the rise of cloud computing and network improvements over the last 20 years have made it clear to security researchers and vendors that these risks would emerge. So work was done and tools were created long before we started logging in from our kitchen tables.
Here are the three keys to modern cybersecurity:
- Reduce technical debt. Technical debt is all the updates that should have been made to your IT assets over the years but weren’t. Maybe IT was busy with new stuff, or budgets were tight… it doesn’t matter why. What matters is that attackers invest in better offensive weapons, so defenders like you must keep up or become vulnerable. Be sure that obsolete hardware and software get retired and that key IT assets are modern enough to detect and defend against today’s threats.
- Improve cyber hygiene. If you don’t shovel your sidewalks after a snowstorm, visitors to your office slip. If you don’t replace broken lightbulbs, worker efficiency suffers. It’s no different with IT assets; they require timely maintenance to avoid cybersecurity (and other) problems. Be sure IT has the resources to keep up with vendor patches and changes to your environment (acquisitions, new systems, geographic expansion).
- Implement Zero Trust security. Zero Trust ensures no user gets more access than they need to do their assigned job. It considers who needs access (payroll clerk accessing new product blueprints?), where (accessing blueprints from a country in which you don’t operate?), when (a wire transfer at 3 AM local time?), and from what (an employee’s personal laptop operating your nuke plant?). Zero Trust is simple in concept but requires C-suite support for adoption.
The future belongs to the nimble, so invest in remote worker productivity. But don’t neglect the three cybersecurity keys or you put your organization at risk.
About the author:
Wayne Sadin has had a 30-year IT career spanning logistics, financial services, energy, healthcare, manufacturing, direct-response marketing, construction, consulting, and technology. He’s been CIO, CTO, CDO, advisor to CEOs/Boards, Angel Investor, and Independent Director at firms ranging from start-ups to multinationals. Contact Wayne at wayne_sadin@msn.com, on Twitter at www.twitter.com/waynesadin, and at LinkedIn at www.linkedin.com/in/waynesadin
This post is brought to you by Tanium and CIO Marketing Services. The views and opinions expressed herein are those of the author and do not necessarily represent the views and opinions of Tanium.