The first day was like a snow day. Maybe sleep in late. Maybe handle a few hundred e-mails and phone calls. It was either very hectic, or very slow. It was anything but normal. By day three it has already gotten old. You’re not really into the telecommuting routine. You’re not quite “at home” but you also aren’t “at work.” You’re in limbo. This may be the new “abnormal” for the foreseeable future. But, no big deal, right? I mean, you have worked from home before. This is no different. Right?
Many enterprises have prepared for a “mobile workforce” through remote access to e-mail, telephone, files, data and services. Many of these services and data sets are cloud-enabled, permitting remote access. But even enterprises that are mobile-enabled had not anticipated that all functions — including critical security functions — might have to be provisioned and delivered remotely. Moreover, not all workers have the tools, technology, knowledge and skills to work remotely. Finally, not all functions are capable of being delivered remotely. For some things, you have to have human beings present. So for the near term, it’s about adapting and being resilient. And secure.
Both the National Institute of Standards and Technology (NIST) and the Federal Trade Commission (FTC) have promulgated basic guidance on data security when working remotely. They include some of the basics. Use WPA2- or WPA3-enabled Wi-Fi routers at home. Have enterprise-grade anti-malware and anti-phishing software running and up to date. Use VPNs or MDM solutions for remote access. Don’t share passwords on the machine. Very basic stuff.
The NIST and FTC guidance documents are fine for what they are, but they are hardly enterprise-level security for a remote working environment. Security includes continuous monitoring, continuous assessment, access control, software mitigation and a host of other controls. If your third grader is using the same machine you are using to play Fortnite, then you can expect to have problems. While you are logged into a VPN, you might have the advantage of intrusion detection, log monitoring, alerting, access to SOC services and the like, but when you are not logged into the VPN, you’re on your own.
Just like your physical workspace, your electronic workspace becomes an uncomfortable compromise between being “at home” and “at work.” You may use the same computer for Excel spreadsheets or access to Salesforce that you use to watch Spencer Confidential on Netflix. It’s like the world’s worst “take your kids to work” day. Or month. Or spring.
In addition, we have entire classes of workers who have never had to telecommute before. One owner of a 500+ person non-profit told me yesterday that they only had laptops for about ⅓ of the workforce — the rest access through desktops. Remember desktops? It’s like the coelacanth. For budget reasons they couldn’t afford to provide users with laptops. A local computer repairman told me that there was a run at the local Micro Center on laptop computers, with enterprises gobbling them up and providing them to workers. For better security, companies should provide users with remote access devices with a “standard build” of hardware and software necessary for their job functions, and limited ability to add programs or features without approval. All of those “anomaly detection” programs may need to be revamped, as logging in remotely at 2:00 AM may no longer be “abnormal.” VPNs and other remote access ports may need to be enhanced for much greater capacity, and resilience against DDoS and other denial or disruption of service attacks should also be enhanced. And someone has to continue to mind the store — there’s no substitute for physical presence — even on behalf of the cloud provider. The best time for attackers to attack is when you are distracted by other challenges.
The good news — if there is any good news — is that by preparing for a mobile, “always on” workforce, you are also preparing yourself for a 5G-enabled workforce. You may find out that you can reduce travel and commuting expenses, and that your fear that people who “work from home” will just be lazy and goof off may be misplaced. That which doesn’t kill us makes us stronger. Sometimes.
So stay alert. Stay resilient. Stay mobile. And send the kids to the basement.
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.