Our country finds itself in a completely unprecedented situation as we struggle to figure out how to best respond to the spread of COVID-19.
How can we keep our country, and our world, functioning while limiting human contact as much as possible?
Businesses have sent employees home in droves to work remotely, but in many cases, they are completely unprepared for the security implications of doing so.
As the keepers of sensitive intellectual property, data, employee and customer personally identifiable information (PII) and more, how can you navigate the tricky waters of securing both human and cyber health for your business?
We get questions like this all the time from our customers and partners, and in this article, I've attempted to answer the most common questions organizations have about shifting securely to remote work.
Want to see an organization that has transitioned successfully?
Read the case study: How ASSETT Seamlessly Transitioned Its Team To Securely Working From Home During the COVID-19 Pandemic With GoSilent.
“As part of the Defense Industrial Base Essential Critical Infrastructure Workforce, ASSETT has had to maintain full operations in support of our DoD contracts. Your devices have provided necessary security throughout while enabling us to meet our obligations more safely. Thank you for your continued partnership.”
- Wayne Jakubowski, President
Securing your organization, and updating your work from home policy, is not as simple as flipping a switch.
It's best to take a two-pronged approach to ensuring that your employees can work remotely without concern for security.
You’ll want to simultaneously start making changes to your technology while also educating your employees about what they need to be doing from their end. If you address one side without the other, you’ll be wasting your time. The technology you deploy is useless if your employees use it incorrectly or fail to use it.
The strategies you can employ as an organization to improve your work from home security policy include:
Now that you’ve taken steps to secure your network and put in place the technology you need to do that, it is time to ensure that your employees are doing their part to keep your data safe.
This is where training comes in. It will ensure that employees know what is expected of them and how to maintain all of the security measures put in place.
Training should be an integral part of your work from home security policy and encompass:
What is incredibly important to remember as you embark upon this journey is that it does you no good to blame your employees or give up on their ability to help keep you secure. Instead, recognize that it is your responsibility to help find solutions that will be as simple and effective as possible for them to use with as little training as possible.
Often viewed as “older” technology, hardware-based VPNs don’t get a lot of love. But if you are looking for a remote work solution that is highly secure, easy to use, with minimal set-up requirements, and cost-effective, you should absolutely consider implementing one.
In many cases, hardware-based VPNs actually provide better security, are easier to use, and require less maintenance than their software-based counterparts, meaning they are the perfect fit to help maintain security when employees work remotely.
Outfitting your remote work team with a hardware VPN is also the best choice to ensure that you maintain security when your employees work remotely, especially if they are using their personal devices to connect.
The benefits that set hardware-based VPNs such as Archon's GoSilent apart from software VPNs include:
There are some very clear use cases where a hardware-based VPN is the right choice in helping maintain security when employees work remotely. Some of those situations, specific to remote work, include:
There are quite a few categories of tools meant to support the security of end users.
In fact, you can look through a full list of cybersecurity providers offering discounts or promotions to help support companies working remotely during COVID-19.
Some of the most important tools that come to mind for remote work include:
If your organization is looking to implement a company-wide, secure solution for remote work that is not overly expensive, difficult to manage or maintain, and simple for end users, a combination of VDI and a hardware VPN may be the right fit.
Combining Virtual Desktop Infrastructure (VDI) with a secure hardware VPN allows your employees to securely connect to your internal network from their own devices.
A VDI allows you to work remotely through a virtualized environment that lives on your central server. End user devices connect via the VDI to virtual machines that you have set up on your server and users can execute work as if they are on your internal network.
With VDI, no data is stored on the end user device. Instead, the user simply sees what is on the screen of the virtual machine and can interact with it, but not store data from it. VDI supports a wide range of end user devices, from laptops and desktops to tablets or mobile devices.
Combining this environment with a secure hardware VPN, like the GoSilent Cube, protects all traffic and information flowing across the connection between the end user device and the central network.
The primary benefits of executing a solution like this are:
Prior to COVID-19, government agencies would typically identify a core group of individuals that needed remote work capabilities for continuity of operations. This group was primarily selected due to a role that required them to be connected whenever they work from home or on the road, in the course of normal life circumstances.
Another deciding factor in allowing remote work for specific government employees hinges on what kind of data they access in the execution of their job. The more sensitive the data, the less likely that they would be allowed to access it remotely.
Agencies might also have determined an additional percentage of staff that they want to have prepared to work remotely should the need arise. In this case, they would have procured the equipment for an additional, say, 10% of their team to be covered. They might not have deployed or set up all of this equipment, but would have had it available in case the need arose.
In most cases, the combination of the two groups above would have allowed for a percentage of a particular agency’s staff to be up and running remotely. The remaining staff would then be placed on administrative leave and their work halted.
In all of the above cases, the amount of government remote work that can be supported relies 100% on the ability to supply government-furnished devices to employees.
And therein lies the problem.
In general, the costs associated with having enough government-furnished devices ready for every employee of a government agency are simply not feasible.
More specifically, in the situation we've experienced recently with the Coronavirus, where remote work needed to be ramped up very quickly and with little involvement from central IT support staff, this approach is not only impractical but completely impossible.
As I mentioned previously, combining VDI with a secure hardware VPN can allow government employees to securely connect to the internal network from their own devices, at home, with very little hassle.
Because VDI does not allow the end user to download or store any of the data they are accessing, it is ideal for BYOD situations and environments with insecure Wi-Fi connections, especially when used in conjunction with a secure hardware VPN like our GoSilent Cube.
The events of the last few months have exposed some serious shortfalls in how businesses and governments approach remote work.
As a result, I expect we'll see some widespread and lasting changes to address those issues in the months and years following COVID-19.
Some of these have already begun to happen.
For example, earlier this year, the US Department of Defense released its Cybersecurity Maturity Model Certification (CMMC) framework. CMMC is a set of cybersecurity requirements that private contractors must meet in order to be eligible to bid on defense contracts -- and their compliance must be audited and certified by an approved third party.
I predict that, similar to the expansion of worker health and safety requirements for private sector businesses with the establishment of OSHA in 1971, you’ll see the private sector roll out requirements similar to those detailed in the CMMC framework.
We will eventually see a centralized government body, like OSHA, that will manage and certify businesses to an expected level of cybersecurity, and that centralized body will require that supply chain partners adhere as well.
In the meantime, there will more than likely be an audit into the shortfalls and gaps amongst US Governmental agencies in meeting their missions and objectives during the COVID-19 pandemic.
A Government Accountability Office (GAO) Audit will likely be conducted to understand what our gaps were in dealing with remote work for such a large portion of government employees and provide recommendations to Congress to fix them. These recommendations will ultimately inform a plan, or policy, on how to approach a pandemic or similar experience in the future.
There will likely be new mandates coming out of this process that require government agencies to be set up to maintain a certain level of operability remotely in the event something like this happens again. Regardless of those requirements, I believe we will see a concerted effort across the board within the US Government to find a way to mobilize a much larger remote workforce quickly should the need arise.
If you are looking to build a CSfC approved solution specifically for remote work during the COVID-19 pandemic, the CSfC office has specifically prioritized the review and certification of solutions for addressing remote work.
In an effort to help government organizations get up and running faster, the CSfC office launched an initiative in March to focus on remote work initiatives already in their pipeline for review. Any remote work solution has been moved to the front of the line.
If you are looking into CSfC-level solutions for remote work, a combined VDI and VPN solution may be a great fit as long as all portions of the architecture are using approved components from the CSfC Component List.
Bottom line -- remote working security policy will never be the same after COVID-19 is over.
The organizations that will thrive in the future will be those that have a solid plan for allowing remote work at levels that could include the entire organization. That plan will require a combination of security tools, policies, and practices, as well as a robust and ongoing employee training program.
In short, the time to begin is now.