How is your office holding up to the new work-from-home reality?
If yours is like most other offices right now, a large assortment of people that have never previously been based outside the office—perhaps that have never even worked outside the office—are now doing full-time work from largely unvetted, unprepared locations and networks.
For many organizations—not to mention security staff—this is a very uncomfortable reality.
Home environments and public environments are very different from office environments. Offices tend to be physically secured, single-use spaces, so there is a far greater chance that the presence of strangers or equipment misuse will be spotted rapidly or prevented.
Now, your workforce is dispersed across a large geographical area and your employees are generally out of sight, near people and connected to networks—and possibly even devices—that you neither control nor can observe.
Cover the Basics
Given this state of affairs, it's important that some basic security best practices now be put into place, even if they've been overlooked or a bit slack in the past.
Time sessions out. Login sessions should expire regularly. Once a day is a bare minimum, but several times a day is an even better idea, particularly if other measures are slow to be implemented. This goes for OS sessions (if you control them), VDI sessions, and cloud applications alike.
Get everyone new passwords. In the office environment, shared accounts, widely-known passwords that are for that reason kept easy to remember, and other similar sins can tend to proliferate. Now that everyone is remote, it's time for all of that to stop. Implement password policies if none existed before and force a general password reset event wherever possible. Consider providing password managers to enable users to create and safely manage multiple secure passwords.
Deploy MFA, stat. Passwords—even with draconian password policies—are not enough for a remote workforce. If you haven't previously configured every system and service to use multi-factor authentication, race to get it done now, whether this means hardware authenticators, OTP services and apps, behavioral biometrics, or other strategies.
Survey your regulatory landscape. There may be some slack in the system for cases in which users unexpectedly have to begin remote work with only hours' warning, but that won't last. Be aware of common requirements about where data is stored, how it's transmitted, how systems are secured, how privacy and disclosure are managed, and so on. Adjust work habits, equipment, software, and policies rapidly in light of new realities.
Clarify policies. Your employees are experiencing new realities as well, and these include being surrounded by different people and different equipment during work hours. Clarify policies surrounding how and on what devices workplace tasks can be completed, and—if BYOD is allowed—whether and how shared devices are to be allowed and managed. Implement software solutions to enforce these policies.
The faster you can get these basics into place, the better off you'll be—these items represent the largest risks for early cases of work-from-home going off the rails.
But Don't Wait Long to Do More
Unfortunately, handling the basics only gets you halfway to "safe" when it comes to remote work, particularly if you're in a regulated industry with significant liability, safety, or financial impact concerns. If this is you, once the basics are covered, it's time to reduce risk.
Establish alternate chains of responsibility. Remote work naturally includes connectivity, bandwidth, and availability issues that don't exist in office environments. Meet with major stakeholders to identify the key players in every facet of your critical operations areas. Then, plan what to do—and who is to step in—if these key players are hampered by connectivity, bandwidth, or availability issues in an emergency like a major outage, ongoing attack, or breach.
Stand up a VPN infrastructure. For most organizations, the goal should also be to stand up a VPN for workplace use and access if one isn't already in place. The SaaS era has made it easy for companies to erect large webs of software and work without a VPN or intranet, but putting work tasks and all applications on the same encrypted network, isolated from the rest of the world, is a best practice that reduces risk across the board.
Discuss and document everything. Somewhere in the midst of these steps—the earlier, the better—get key stakeholders involved in a transparent discuss and document initiative to enumerate and solidify the steps being taken, the steps still to be taken, the decisions made, and the new standing policies—so that within a reasonable time frame, you have a well-oiled remote work security universe, and not a growing pile of uneasy ad-hoc decisions and solutions that nobody really understands or remembers.
These items are about coming to terms with the "new normal" of widespread remote work, and not getting caught flat-footed as facts on the ground change and unexpected things happen within this new reality.
Stay Mindful of Risks and Realities
As you do all of these things stay mindful of the different reality that a work-from-home situation embodies and how the choices that you make play within that reality. Here are the kinds of things we mean.
SMS- and OTP-based MFA are among the most simple, rapidly-deployable MFA solutions. But does your workforce already have company-assigned mobile devices, or are you about to put your trust in BYOD devices and SIMs?
YubiKey is another very popular solution that's relatively easy to stand up. But what kinds of environments do you think your remote employees will be working in, and how valuable is the data that they access? Remember, YubiKey devices range from about a centimeter to about an inch in size—and if they're lost or stolen, anyone can use them for access.
Making use of fingerprint or face ID scanners that many users already carry may seem like a good idea, but again—will they be using these on BYOD devices? Can you be sure that their personal biometric data is safe should you mandate its use?
You normally have a handful of people in key ops positions with staggered shifts, so that someone is always available. Do you have methods for reaching out to them with urgent needs now, and a priority list of whom to try first, whom second, and so on if a crisis should emerge and whomever is on duty isn't available?
Are all of these people using the same local providers for connectivity in the area(s) where they'll generally be, so that if a local outage occurs, the entire team is at risk of becoming unavailable?
Do they have other dependencies, like third parties or a sign-off chain in certain circumstances or for certain tasks? Have contingency plans been made to reach these as well, and policies enumerated about when and how to act if these are unavailable?
Consider Behavioral-Biometric Solutions
Finally, though we're biased on this point, we believe that the sudden shift toward a remote workforce marks a good time for organizations to consider deploying behavioral biometrics if they haven't already done so.
This is because in remote work situations traditional MFA, no matter how technically robust, creates certain risks that can't be avoided in any other way.
Malicious or inadvertent substitution. Whether a matter of personal devices at home or work devices in a public or semi-public environment, open sessions don't disappear if for some reason your employee and their machine are separated. When open, anyone at the keyboard can use them. You can't control remote circumstances, but with behavioral biometrics you can configure said machine to rapidly recognize the presence of a stranger and log out.
Increased workflow importance. Remote workers are already under strain having to manage equipment, ill-suited furniture, and non-work environs in ways that they don't when they're in the office. This goes double if they're at home with children or an also-working spouse. Adding extra authentication hardware or steps to this mix in particular is a recipe for frustration and lost productivity.
Relaxed user security postures. It's impolitic to say out loud, but one of the reasons we traditionally require employees to work onsite, even in the information economy, is because this makes it easier to supervise things like adherence to critical policies. Remote working is the last circumstance in which you'd like to see passwords on post-it notes or devices left unlocked for bio-breaks—yet is also the circumstance in which these are least likely to be caught and rectified.
Centralized, software-only deployment. Most of the other authentication methods in widespread use have a hardware dependency of some kind, whether that amounts to issuing phones, distributing YubiKeys, or marshalling BYOD devices and their configurations. All of this means face-to-face meetings, extended support calls, FedEx envelopes, or other forms of overhead that are particularly inconvenient during enforced remote work. Behavioral biometric solutions, on the other hand, require none of this.
Settle in for the Long Haul
Whatever decisions you make in each of the little cases we've outlined here, it's likely that the most important thing you can do right now is make a bigger decision: the decision to treat work-from-home not as a temporary state of affairs but as the new reality—and to dedicate to this reality the appropriate level of attention and resources.
Even if your organization's current work-from-home situation is the result of unusual immediate circumstances, the fact is that remote work is a decades-long trend that will continue to accelerate no matter what's in the news over the years to come.
Organizations that understand this will enjoy not just a more robust, resilient security posture and apparatus, but also resulting better retention, morale, and compliance. ■