Editor’s Question: How can business leaders securely manage employees working from home?

Editor’s Question: How can business leaders securely manage employees working from home?

Censornet’s recent report, Empowering the People: Critical Security Challenges of 2020, gathers insights from a survey of 300 cybersecurity professionals to explore the reality of security’s role during a global pandemic. A primary component of the report looks at the realities of the remote working culture and includes guidance from industry experts within Censornet for security teams trying to securely facilitate remote working and empower staff.

We hear from a number of industry experts who tell us how they think business leaders should be securely managing their remote staff members.

Rob Bolton, General Manger International of the Inside Threat Management Business Unit at Proofpoint: “Since the start of the pandemic, cybercriminals have wasted no time in capitalising on the change in employee behaviour and work environments. Fear tactics, fatigue and the lack of physical IT support have been leveraged to carry out more prevalent and sophisticated social engineering attacks. To add to this, remote working is becoming the new normal as 54% of businesses are working towards having a permanent work-from-home workforce, so the human factor involved in cybersecurity needs to be effectively and continually addressed.  

“Business leaders are trying to get to grips with monitoring employee behaviour, but it is a difficult task. The majority of their current knowledge and technology systems are predicated on the old workforce model in which their employees are in one physical location using the same network and IT teams having fixed technology and solutions they continuously use. However, ‘work-from-anywhere’ is the new reality, so wholly relying on the same technology to inform a business of the security risks it faces needs to be re-examined. 

“A key aspect of monitoring employee behaviour is ensuring insider threats are surveyed while employees are not under the watchful eye of a central IT system. Insider threats are inherently a human problem, and with the ‘work-from-anywhere’ new normal, employees’ work and home lives are becoming intertwined. Simple fatigue and carelessness can cause employees to make mistakes which are not inherently malicious acts, but often do not adhere to the best security standards – like moving files to a personal cloud sharing platform to get the job done.

“Leaders need to not only investigate what their employees are falling vulnerable to in this new remote working world, but also look at and care about changes in employee activities in relation to the systems and sensitive data they interact with. Employees should be one of the first factors considered because they are often the weakest link. Simple mistakes often made unknowingly while working from home can create vulnerabilities and put a business at risk.

“Monitoring and surveillance need to be tightened so that IT teams can gain a better understanding of how employee behaviour has changed and decipher which employees are most vulnerable to cyberthreats. In addition to this, IT teams should continue to closely engage with their workforce through regular remote training and open communication to truly understand their concerns and pitfalls. A modern people-centric approach is the right way forward for security teams. This provides the necessary context, the ‘who’, ‘what’, ‘when’, ‘where’ and ‘why’ of the incidents. Organisations should think less about the particular type or provider of the technology and instead consider how to get the right data in the hands of security staff much faster to allow them to do their jobs and select vendors through that lens.”

Eugenio Pace, CEO and Co-founder, Auth0:

Build trust with communication

“For people managers, the transition to remote work is a particularly interesting challenge. Leading a virtual team requires trust and a philosophy of work based on results, not ‘chair time’. Those bosses who have to control everything won’t succeed in this environment. In fact, it’s just the opposite. Managers must learn to trust their team and give them more freedom to work on their own terms, as long as they produce the intended results.

“The best tool for building trust is communication. Communicate with your employees frequently about strategy, objectives and organisational learning. Make sure your team understands their impact by connecting their goals to corporate objectives. When you work remotely, it’s easy to self-isolate and do your own thing. We need to constantly remind our teams we have the same goal.

“Now, more than ever, take time to have a conversation with your employees, share what you’re working on and be present should they have any issues or concerns. Trust is built with communication from the bottom up and the top down.

Be explicit about your culture

“When you work remotely, most of your interactions are transactional – and your decision-making process isn’t always clear to everyone. However, letting an informal culture develop on its own can lead to a lack of transparency, which breeds mistrust.

“Working remotely forces you to be explicit about the culture you want to create, and when communicated frequently, employees can use these values to guide their everyday work. Being explicit about your culture can also unite a geographically distributed and culturally diverse workforce. Whether your team works in London or Buenos Aires, you all have a code for how you behave. This is crucial for dealing with conflict productively and creating collaborative teams that respect each other.

Don’t discount security

“Security is a concern whenever you are accessing online systems but especially as people are logging into more services remotely. Your IT and security teams should already be setting up multi-factor authentication as the minimum standard. As you connect new apps, they should also be educating the business about the access third-party providers have to their data. As managers, we have a special role to play as evangelists. Are your teams completing their security awareness training? If your team is using a new technology for the first time, do they have a channel for asking questions? Security is everyone’s business and it starts with leadership.

“In this new reality, it’s still possible to have a distributed team that is productive, collaborative and happy. If you invest in building a culture of trust with your workers today, it will serve you well in the long-term.”

Aaron Zander, Head of IT at HackerOne: “HackerOne, employs a hybrid model where approximately a third of employees work from home all the time and another third work from home a few days a week. When the WHO announced that the COVID-19 was a worldwide pandemic, HackerOne took steps to implement a mandatory work-from-home policy globally. 

“When employees find themselves in a mandatory work from home situation like the one we’re in today, it can be quite daunting for businesses, especially when you start to consider all the moving parts — including keeping yourself safe at home. 

“My top tip would be to make sure employees are doing their part. This includes good cyberhygiene, making sure they are set up with multi-factor authentication (MfA), using good password managers, and are instructed to disconnect from the corporate VPN when no longer in use, allowing the corporate IT infrastructure more room to breathe. Employees should make sure their home routers are up to date, secure with strong passwords and equipped with WPA2 security or higher. Encourage employees not to install new apps without approval from IT; to be mindful of sharing online meeting IDs and URLs on social media; and to be on the lookout for phishing scams that can be spread via text, email or social media.

“In working away from your operation centre, be mindful that there are pros and cons in times like we are facing today with COVID-19. On the plus side, no one is physically in your office or data centre to break anything. On the downside, no one is there to fix it either. If you can, ensure that you have a good on-call system and are able to stay within SLAs.

“Ensuring your VPN is secure is key. If you have to use a VPN or any other remote networking infrastructure as you need to spin up something ‘right now’, ensure the infrastructure you’re building is secure. Triple-check all of your network configurations, ACLs, firewall rules, etc. Without a doubt, in nine months from now, we’ll be looking at news stories about two impacts resulting from COVID-19.

“I’d also recommend gathering intelligence in real time on endpoints, sending that data to a centralised platform, and with that data sending various levels of alerts from casual notices to late-night pages, to the IT team. This data can be anything from new applications installed, use of USB devices, or potential malware binaries detected. Tools like traditional antivirus usually lag crucial days behind on payload detection and even then, the best bet isn’t removing the payload, but erasing or quarantining the device indefinitely.

“In a remote world, communication is everything. It is best to quickly jump on a call, just as quickly as you would go to someone’s desk in an office setting. Screen sharing or even tools like FaceTime can be used when you can’t see someone’s screen. Ask questions to help decipher what an end-user is seeing rather than making assumptions. Be patient and considerate but remember to be thorough about verifying user’s identities before resetting passwords or MFA or anything else.”

Gidi Cohen, Skybox Security CEO and Founder: “Not many predicted the rapid, radical changes that 2020 accelerated for the cybersecurity industry.

“Security leaders are now struggling to deal effectively and proactively with potential attacks that could significantly damage businesses and reputations. Compounding this, the world also has to contend with increasingly energised threat actors. Research from Skybox Security revealed that the creation of new ransomware samples increased by 72% over the first six months of 2020. Vulnerabilities in the mobile operating systems used by remote workers also increased by 50% over the same period. Threat actors can taste the blood in the water and know that enterprises remain vulnerable.

“Radical change requires radical action. To thrive in the new normal, leaders need to embrace transformation – not just with regards to digitisation, but within their security programmes. Transformation needs to begin with insight. The guesswork must be removed from security. Many security teams currently have limited visibility of their environment along with limited knowledge of how exposed assets are to threats. Enterprises need to gain critical insights that will enable them to mitigate the most exposed vulnerabilities first.  

Six steps to secure the distributed workforce:

  1. Evolve the tech stack – Prioritise solutions that deliver critical insights, integrate all data sources and provide visibility across all vulnerabilities and assets to secure across the distributed workforce.
  2. Gain full visibility – Establish a mature and tightly connected security posture management framework that spans planning, implementation and ongoing change management workflows.
  3. Eliminate silos – Unify vulnerability and policy management capabilities to aggregate more powerful datasets across tech stacks to remediate vulnerabilities faster.
  4. Make changes with context – Add prescriptive analytics to quickly map and remediate vulnerabilities while making rule changes that approve overall security.
  5. Introduce targeted automation – Strengthen security posture, help control increasingly complex infrastructure and efficiently meet key compliance requirements across any environment.
  6. Remediate based on risk exposure – Build capabilities to discover all vulnerabilities within the security environment and focus remediation on the most critical risks. 

“While the security issues exposed by the move to remote work aren’t new, the pandemic has brought them into sharp focus. There is an imperative to change. To protect their business, CISOs must focus on developing a holistic view of fragmented environments and legacy tech stacks. When they achieve this, enterprises will be able to improve security posture, limit opportunities for threat actors and increase their security programmes’ business value. And the security world will finally be able to sleep well at night.”

John Vladimir Slamecka, President – AT&T Europe, Middle East & Africa: It’s been almost nine months since employees swapped their office desks for the dining room table, and some form of remote working is now expected to become a permanent feature of our working lives. Whether you welcome that shift or not, it poses a huge challenge for cybersecurity experts who need to protect company data and the people that use it.

To better understand how companies were dealing with widespread remote working, AT&T Business surveyed 800 cybersecurity experts across the UK, France and Germany to find out how they were adjusting to the COVID-19 pandemic and the security technology they were putting in place to manage their employees at home.

Over half (55%) of cyber experts across all industries believe remote working is making their companies more or much more vulnerable to cyberattacks. Notably, 31% said that employees’ lack of awareness and reluctance to adapt to new technologies was one of their main challenges in implementing good cybersecurity practices within their business.

The following are a few basic and essential steps that all companies should take to help protect their business from cyberthreats:

  • One of the most important steps that business leaders need to take is to provide regular cybersecurity awareness training for employees. Virtual training and scenarios are a simple yet effective way to reinforce cybersecurity policies and best practises – and working with an external advisor on this can save time when it comes to building training modules.
  • Accept that human error is a part of life and take every necessary step to intercept cyberthreats before they reach employees. For instance, now that employees are relying on company-supplied or BYO devices, from signing up to virtual conferencing platforms to downloading huge presentations and files, it is crucial to protect these devices from loss, theft or impersonation. Our survey found that 22% of businesses have not increased security to protect employee endpoints such as laptops and mobile phones. That is an essential step that can be quickly implemented to help protect against potentially crippling cyberattacks.
  • Finally, as organisations increasingly turn to digital and cloud solutions to enable Business Continuity, such as video conferencing and file sharing platforms, IT departments must address the risks associated with these technologies. There is a lot that cybersecurity experts need to monitor, such as public cloud environments, web applications and even software risks, so investing in the right tools and solutions can help streamline this process. For example, implementing a global security gateway provides highly secure access and unified protection against web-based threats across all users.

Now is the time for investing in and implementing technologies. The way businesses operate is changing, and IT departments, and their cybersecurity teams, will need to keep pace. This is no time for misplaced confidence. Cybercriminals, having seen an opportunity, will continue to find ways to expose new vulnerabilities. 

Browse our latest issue

Intelligent CISO

View Magazine Archive