The Highly Distributed Workforce You Didn’t See Coming – Five Things Your IT Team Needs to Focus on Now

By Tia Hopkins, Vice President, Global Sales Engineering, eSentire

Distributed workforces, no matter how well thought-out, come with their own set of security challenges, challenges that come in as many forms as the devices that need to be secured. Laptops, home desktops, removable media, printers, routers, and more, all need to be protected, a complicated job when you factor in the number of devices times the number of employees working from home.

Adding complexity is the potential number of uses (everything from a work-related search to an Amazon order) and users (family members and roommates) those devices are exposed to. If that’s not enough, toss in the scores of file-sharing and cloud-based collaboration tools employees are using to make their jobs easier, and it’s enough to make any CISO throw up their hands in despair. It’s easy to see why many might see endpoint protection at this point as akin to closing the barn doors after the horse got out, but protecting your endpoints is far too important to be put on the back burner.

Don’t know where to start? Here are five ways to ensure you are effectively securing your endpoints:

  • Don’t wait to take action. The longer it takes an IT team to address issues such as work from home (WFH), borderless networks, and digital transformation, the longer attackers have to compromise their organizations. Start by assessing the real threats to the environment and their associated risk levels, then categorize them according to the level of criticality. From there, prioritize and build a roadmap to close gaps and continue to monitor, measure, and improve.
  • Bring clarity of focus to the table. Business continuity, user protection, and data protection should be a top priority for any CSO. If IT teams are focused on keeping the lights on and making sure users and corporate data are safe, the details that need to be considered will come as a byproduct of targeting these three things as the ultimate goal.
  • Be able to clearly identify (and articulate) your objectives. It’s important that all stakeholders have a solid understanding of the desired security outcomes and that everyone is on the same page regarding the identified risks and the best course of action for securing critical assets. At a high level, this directive usually comes in the form of statements such as “Keep us out of the media,” “Keep our data and intellectual property safe,” or “Make sure we don’t get breached” – easier said than done, especially when dealing with a highly distributed workforce. IT teams should articulate not only the risk but also the plan for securing the organization; it’s also helpful to define the metrics that will be used to measure security program performance.
  • Get buy-in from the bottom up. There needs to be a healthy balance between security and functionality. While it is important to have the appropriate security controls in place, it is also important to consider the potential impact on user productivity. If new security controls create a frustrating user experience, this could lead employees to find workarounds or avoid using company-managed devices altogether. It’s critical that CISOs get buy-in from all aspects of the company. Educate employees on their role in protecting the organization, as well as the importance of good security hygiene and strong security awareness. Explain new controls and what they are meant to accomplish; be open to feedback on the user experience as part of continuously improving the overall security program. Corporate leaders can drive the importance of good security hygiene and awareness and make it part of the company’s DNA.
  • Man the right ramparts. As organizations move from on-prem to cloud and work from home, security teams need to evaluate the risks associated with data residency and access in the cloud, borderless networks, and BYOD. While the attack surfaces, vectors, techniques, etc. will evolve, the approach from attackers and vendors will remain the same in terms of the desired outcome. Attackers will target low hanging fruit, and vendors will develop tools and technologies that solve the current issues. On both sides of the battle, there will definitely be more of a focus on cloud environments and the remote workforce, and less of a focus on the enterprise within the corporate walls.

Securing a distributed workforce isn’t easy, thanks to a lack of visibility and control. When users sit behind a corporate firewall, security teams can implement tools that provide visibility into things such as network traffic and endpoint activity. Tools such as content filters and email security gateways can also be implemented to control the user experience.

But when the workforce is distributed, users are often conducting business on their home networks and sometimes even on their personal computers. This limits a security team’s ability to maintain the same level of visibility and control as in an office environment and requires a different approach to identifying critical assets and the associated risk.

For example, if a user has historically only used a company-owned desktop at the office and is now using a personal laptop at home, they will be resistant to IT and security teams installing agents on their personal computer and manipulating their home internet traffic. In this case, does the IT team provide corporate laptops to all new work from home users? Spin up a VDI environment? Consider implementing a zero-trust model? The answer is, it depends. There are a number of variables to consider, including cost, logistics, timing, and resource availability.

Digital transformation, work from home, borderless networks, BYOD, moving to the cloud, zero-trust, etc. are all concerns that have been on the minds of IT professionals for years. If there is a silver lining to this pandemic, at least from a security standpoint, perhaps it is that endpoint security can no longer be pushed off until another day. That day has come, and it is now.

Ad
Join over 500,000 cybersecurity professionals in our LinkedIn group "Information Security Community"!

No posts to display