We're facing unprecedented changes to social norms during the global coronavirus pandemic, including how and where we work. Mandatory social distancing means working from home, even in organizations that previously didn't embrace remote working or distributed teams. This new reality will bring permanent changes in attitudes toward remote work. We must shift our thinking about implementing InfoSec, compliance, and cybersecurity in this new era of distributed teams.
Drivers & Enablers of Remote Work
Tools supporting remote work, such as collaboration platforms and cloud-based software, require significant investment; CFOs and CTOs looking to maximize ROI will continue using these tools once pandemic restrictions are lifted. In addition, investments in remote work equipment, including office supplies for employees working from home, and cost savings from reduced rent, utilities, and other office costs, will accelerate this trend.
Distributed tools offer significant financial savings, especially those delivered in the cloud "as a service" models. Paying for cloud services involves a favorable change in accounting practice from capital expenditures (CapEx) to operating expenditures (OpEx), while shared infrastructure like data centers provide additional savings.
Organizations also realize they can tap into a global, geographically dispersed talent pool rather than the more limited local resources. People may not want to live in the same place that your organization is headquartered for various reasons, including family, cost of living, or just cultural differences. A distributed work culture allows you to bring subject matter experts into your team regardless of where they live!
Distributed Workforce Enablers and Associated Security Challenges
Despite the benefits, new cybersecurity, InfoSec, and compliance challenges face organizations as they transition to a distributed workforce model. Some crucial categories of enabling technology and their corresponding security challenges are detailed below:
Security & Compliance challenges in Remote work
Traditional cybersecurity relies on a secure corporate perimeter, which distributed workforces lack. Shared defenses like a corporate firewall or network-based monitoring tools are insufficient. Cloud- and web-based apps are often available in desktop and mobile app stores, creating a heterogeneous environment similar to the BYOD trend of the last decade but on a much larger scale. Securing this new environment requires new tools, but as the OWASP Top 10 shows us, misconfiguration is a severe issue. This demands new skills and abilities on your team!
Migrating to distributed work can create new compliance burdens as well. For example, US Federal government agencies must address FedRAMP requirements, while private sector organizations may have privacy issues under GDPR or CCPA related to cloud data storage. Moving to the cloud also involves a loss of control, e.g., you don't have physical access to or authority over the data centers where your data is stored/processed. Your third-party and vendor risk management practices must evolve to address these new, more complex risks.
Here are key issues to keep in mind as you deploy tools to support your distributed workforce:
- Distributed IT Issues: You'll need remote IT deployment, management, and troubleshooting. Assess risks posed by these new tools, including increased social engineering attacks like fake password resets and potential abuse of remote control software for data theft or malware installation.
- Business Continuity & Disaster Recovery (BCDR): The current pandemic should have all of us reviewing our continuity of operations. Plans for continuing business operations in the event of an incident are often shelfware, but organizations should invest in maintaining this capability, including adequate testing and training.
- Focus on Availability: InfoSec deals with the confidentiality & integrity of data and the availability of data and systems. Distributed workforce tools have a side benefit of increased availability - find ways to leverage your investments to increase your organization's continuity abilities, such as globally replicated data or highly available architectures that can keep systems up and running during a business interruption.
There are several essential points to consider when building a distributed workforce, particularly ensuring adequate security of data and information systems. First and foremost, identify the skills needed to adapt to this new reality - workforce development and training plans must include adequate resources for InfoSec and cybersecurity talent. You'll need adequately trained people to manage BCDR, secure cloud architectures, and assess & mitigate cyber risks. In addition, certifications and skill building enhance the ROI of the new tools you're deploying.
Once tools have been deployed to support the new distributed workforce, apply proper cyber risk assessment practices. Systems are being deployed ad hoc to deal with these extraordinary times but don't let them slip by without proper risk analysis. Identifying cyber risks and appropriate mitigations like data encryption is critical to ensure your organization's continuity measures don't lead to a cyber incident.
This piece was originally posted on April 20, 2020, and has been refreshed with updated styling.