5/19/2020
02:00 PM
Joe Payne
Commentary

Long-Term Remote Work: Keeping Workers Productive & Secure

The pandemic has changed how we get work done. Now, data security must catch up.

In less than two weeks, our entire work culture shifted. In response to COVID-19, on March 19, 2020, California declared the first statewide stay-at-home order. By March 30, 26 states had joined California, sending millions to work from home. With that, COVID-19 forced companies to make rapid decisions to keep workforces safe and business moving forward.

Since that time, companies have plunged headlong into response and survival plans. Immediate concerns were focused on the health of employees and getting them set up to work from home. Security and IT teams worked around the clock to make sure employees had the tools they needed to stay connected and productive. Slack, Zoom, Microsoft OneDrive, and other collaboration apps were rolled out en masse, if they weren't already part of a work culture. All of this put a strain on security. Suddenly, security was on the hook to manage data risk beyond traditional company perimeters and do it at scale.

By now, other considerations are coming into focus. While employees are settling into home-office routines, companies are focused on making sure their businesses will exist. That may sound dramatic, but it's the same problem that Bob's coffee shop, JP Morgan, and a million other businesses continue to ponder. Business as we knew it is not going to be the same. With a nearly 100% remote workforce — and a world that is social distancing — how do we keep employees productive and teams innovating while keeping businesses secure?

Surveillance Approach
To make sure employees stay on task and don't waste time, some companies have chosen the Big Brother route. Since they can't see their employees working from home, they've installed monitoring software that collects screenshots every few minutes, logs keystrokes, and tracks website visits.

The challenge with this surveillance approach is that these types of monitoring metrics are not a measure of productivity or security. An engineer tallying up keystrokes won't tell you whether the lines of code for your new product release were finished on time. And a sales rep logging keystrokes and looking busy is not going to alert you to the fact that he was really uploading your customer records to a personal email account.

Not only does the Big Brother approach fail to solve productivity and security issues, it leads to a cultural problem: namely, a lack of trust and transparency. And that's certainly not the type of environment that fosters collaboration, creativity, and innovation.

Future of Work
The future of work has fundamentally changed. According to recent industry research, nearly three-quarters of CFO respondents plan to move more employees into permanent remote positions after the COVID-19 pandemic. The reality is that working from home and the collaboration apps that keep employees connected and productive are here to stay.

When it comes to securing a collaborative culture, covertly counting keystrokes or tracking how long workers are on their computers is antiquated police-state security. Surveillance of end users stands in stark opposition to what an open, collaborative culture is all about. If you accept these as truths, it is not a difficult leap to see that conventional approaches to data security must change.

There is a new way to think about data security. It starts by assuming positive rather than negative intent. It's based on trusting and verifying versus not trusting at all.

To solve the security challenge, new approaches to security need to take into account the implications of using collaborative apps and the increasing exposure of the endpoint. Rather than counting keystrokes, security should focus on out-of-the-ordinary file movements — for instance, when a remote worker downloads 20 files to a thumb drive or uploads financial records to a personal Dropbox. When someone abuses the trust that has been given to them, security can then investigate. That way, you don't let one "bad apple" ruin it for the rest, and the rest of the workforce can get their jobs done without interruption. Fundamentally, a trust-but-verify approach positions security teams as partners — not the police.
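The file-movement focus described above can be sketched as detection logic over endpoint file events. This is an added example, not code from the article or from any product; the event fields, the `example.com` corporate domain, the `/finance/` path, and the 10-minute window are assumptions, and the 20-file threshold borrows the article's thumb-drive illustration.

```python
from datetime import datetime, timedelta

# Assumed values for illustration; tune to your own environment.
CORP_DOMAIN = "example.com"            # accounts outside this domain count as personal
SENSITIVE_PREFIXES = ("/finance/",)    # assumed location of financial records
BULK_THRESHOLD = 20                    # the article's "20 files" illustration
BULK_WINDOW = timedelta(minutes=10)    # assumed burst window

def detect(events):
    """Return alerts as (user, rule, detail) tuples, in event-time order."""
    alerts, recent, bulk_alerted = [], {}, set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["action"] == "copy_removable":
            # Keep only this user's removable-media copies inside the sliding window.
            window = [t for t in recent.get(user, []) if ev["ts"] - t <= BULK_WINDOW]
            window.append(ev["ts"])
            recent[user] = window
            if len(window) >= BULK_THRESHOLD and user not in bulk_alerted:
                bulk_alerted.add(user)  # one alert per user, not one per extra file
                alerts.append((user, "bulk_removable_copy", len(window)))
        elif ev["action"] == "cloud_upload":
            # Flag only the combination: sensitive file AND non-corporate account.
            personal = not ev["account"].lower().endswith("@" + CORP_DOMAIN)
            sensitive = ev["path"].lower().startswith(SENSITIVE_PREFIXES)
            if personal and sensitive:
                alerts.append((user, "sensitive_upload_personal_cloud", ev["path"]))
    return alerts

def sample_events():
    """Constructed sample data: two risky movements among ordinary activity."""
    t0 = datetime(2020, 5, 19, 14, 0)
    events = [  # alice: 20 copies to a thumb drive in just over three minutes
        {"ts": t0 + timedelta(seconds=10 * i), "user": "alice", "account": "",
         "action": "copy_removable", "path": f"/projects/design_{i}.pdf"} for i in range(20)]
    events += [  # bob: three copies spread over hours, ordinary use
        {"ts": t0 + timedelta(hours=i), "user": "bob", "account": "",
         "action": "copy_removable", "path": f"/projects/notes_{i}.txt"} for i in range(3)]
    events += [
        {"ts": t0 + timedelta(minutes=5), "user": "carol", "action": "cloud_upload",
         "path": "/finance/q1_forecast.xlsx", "account": "carol.personal@mail.test"},
        {"ts": t0 + timedelta(minutes=6), "user": "dave", "action": "cloud_upload",
         "path": "/finance/q1_forecast.xlsx", "account": "dave@example.com"},
    ]
    return events

if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Only alice's burst and carol's upload to a non-corporate account are flagged; bob's occasional copies and dave's upload of the same file to a corporate account pass without an alert.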

To address the productivity issue — well, for starters, security should not be a crutch for solving performance problems. Performance should be measured by achieving key business results. What security teams should be doing is enabling employees to work with apps that enhance productivity and help them do this safely. In our "new normal," it is more important than ever for security to be seen as enabling — rather than impeding — the very performance-based and collaborative culture businesses need to succeed.

Change does not come easy. And this new approach to securing a culture of collaboration definitely calls into question some holy grails of data security. The late Rear Admiral Grace Hopper, known as one of the foremost computer science engineers, said the most damaging phrase in the language is "We've always done it this way!" COVID-19 has unleashed unprecedented change on how we get work done. It's time that data security catches up.


Joe Payne brings to Code42 more than 20 years of leadership and a proven track record with high-growth software companies. He has a broad experience base in delivering software and software-as-a-service (SaaS) solutions to enterprises across numerous industries. As President ...
 
