The one thing that all chief security officers (CSOs) have in common is that we are risk owners. No matter the situation, even during times of extreme business transition and the need to maintain operational continuity, we’re all responsible for ensuring the confidentiality, integrity, and availability of data 24x7x365. Our job is to keep our heads during a crisis to make sure that things like rapidly transitioning an entire workforce from a fixed brick-and-mortar framework to a dynamic teleworker environment don't overlook critical security fundamentals that could expose the organization to risk.
The primary objective is to manage dynamic workforce risk. Regardless of how situational requirements might change, the goal is for the core functions of the organization to remain consistently available, reliable, and secure. Resilience is one of the critical elements of risk management – it’s all about delivering the same expected outcomes even when the environment producing and delivering those outcomes is experiencing rapid transformation and stress.
Of course, maintaining resilience in extreme circumstances is easier said than done. Here are some tips to ensure that security and productivity remain resilient irrespective of normal or extraordinary circumstances.
The first goal of the CSO when managing dynamic workforce risk is to ensure that all users and devices have access to the resources they need to do their jobs. And that also means ensuring that they can’t access resources they don’t need, as well as preventing unauthorized users and devices from exploiting a transition to a new networking model to gain access to network resources for malicious purposes. Ensuring this access required two things.
Next, CSOs need to understand the abilities and limitations of the resources they have in place so they can quickly determine what can and cannot be done with those resources. For example, it is not enough to know that an installed NGFW platform, for example, can terminate remote connections. The chief security officer should also know, or be able to find out quickly, the capacity of that device – such as the number of connections per second and simultaneous connections it can support, its capacity to inspect encrypted VPN traffic, its ability to scale to protect a new networking paradigm, and how much effort is involved in setting up those functions.
These and similar details need to be understood before additional technologies are brought in to shore up any gaps. And frankly, these contingencies should have been considered long beforehand to a) make sure that as many of the required tools and capabilities are already in place, and b) understand the ability of existing tools to support and collaborate with third-party systems and technologies. That requires having already deployed tools designed around things like common standards and open APIs.
If these precautions have been taken, then there is little need for panic when you need to transition your traditional workforce to a teleworker strategy. When looking to manage dynamic workforce risk, chief security officers should consider the following types of workers:
Likely representing the majority of your workforce, general users only requires access to email, internet, teleconferencing, limited file sharing, and function-specific capabilities (Finance, HR, etc.) from their remote work site. This includes access to Software-as-a-Service (SaaS) applications in the cloud, such as Microsoft Office 365, as well as a secure connection to the corporate network. Most organizations should have most of the technologies needed to accommodate these users already in place. The biggest issue for these remote users is likely to be one of scalability.
Power users are employees who require a higher level of access to corporate resources while working from a remote location. This may include those who operate in multiple, parallel IT environments, such as system administrators, IT support technicians, and emergency personnel. They will need secure remote access to fixed, high-performance, and secure tunnels back to core- and cloud-based resources. Addressing the needs of these remote users will likely require the distribution of a secure access point or even a desktop-based NGFW that supports zero-touch provisioning.
A super user is an employee who requires advanced access to confidential corporate resources, even when working from an alternate office such as their home. This includes administrators with privileged system access, support technicians, key partners aligned to the continuity plan, emergency personnel, and executive management. In addition to the resources required by power users, these types of workers will also need access to advanced VoIP telephony and secure video conferencing.
It is critical as you move employees to a more autonomous and exposed remote worker status that you also heighten their security awareness. While you can compensate for many of the new risks they pose to the organization (such as updating or upgrading your secure email gateway and web filtering solutions), it is also essential that you understand that these workers have become, in many ways, both your most vulnerable targets as well as your front line for defending the network.
Because of the widespread transition to employees working from home, bad actors are now explicitly targeting remote workers with phishing attacks designed to prey on their concerns about their health and well-being, or their novice status as teleworkers. End-user training, therefore, is critical in helping them spot, avoid, and report suspicious emails and websites.
Additional measures you should take to manage dynamic workforce risk as more work is done remotely:
In addition, you will need to identify your systems administrators, executives, executive assistants, and others with elevated access privileges to not only implement additional layers of authentication and validation but also to actively monitor and log their connections for anomalous behavior
There is an adage used by carpenters that goes, "measure twice and cut once." The same goes for cybersecurity. It is essential that all plans and strategies are double-checked, and that things like data and process classification are under constant review to ensure that everything is up to date. All dependencies also need to be noted and followed up on.
And finally, make sure that you review your BCDR plan to ensure everything is up to date and accurate, including the contact information for your extended crisis and event response team.
Risk management and resiliency require careful planning, combined with an experienced team trained to deal with critical situations in flux. It is essential that teams keep their heads, understand their objectives, and execute strategies with a common goal in mind – maintaining operational consistency, including ensuring that your organization does not compromise on security for the sake of expediency.
Learn about six things an organization should consider to secure a remote workforce at scale: Six Steps for Securing Your Remote Workforce at Scale.
Find out how Fortinet’s Security Fabric delivers broad, integrated, and automated protection across an organization’s entire digital attack surface from IoT to the edge, network core and to multi-clouds.