Dark Reading is part of the Informa Tech Division of Informa PLC



5/19/2020
02:00 PM
Joe Payne
Commentary

Long-Term Remote Work: Keeping Workers Productive & Secure

The pandemic has changed how we get work done. Now, data security must catch up.

In less than two weeks, our entire work culture shifted. In response to COVID-19, on March 19, 2020, California declared the first statewide stay-at-home order. By March 30, 26 states had joined California, sending millions to work from home. With that, COVID-19 forced companies to make rapid decisions to keep workforces safe and business moving forward.

Since that time, companies have plunged headlong into response and survival plans. Immediate concerns were focused on the health of employees and getting them set up to work from home. Security and IT teams worked around the clock to make sure employees had the tools they needed to stay connected and productive. Slack, Zoom, Microsoft OneDrive, and other collaboration apps were rolled out en masse, if they weren't already part of a work culture. All of this put a strain on security. Suddenly, security was on the hook to manage data risk beyond traditional company perimeters and do it at scale.

By now, other considerations are coming into focus. While employees are settling into home-office routines, companies are focused on making sure their businesses will exist. That may sound dramatic, but it's the same problem that Bob's coffee shop, JP Morgan, and a million other businesses continue to ponder. Business as we knew it is not going to be the same. With a nearly 100% remote workforce — and a world that is social distancing — how do we keep employees productive and teams innovating while keeping businesses secure?

Surveillance Approach
To make sure employees stay on task and don't waste time, some companies have chosen the Big Brother route. Since they can't see their employees working from home, they've installed monitoring software that collects screenshots every few minutes, logs keystrokes, and tracks website visits.

The challenge with this surveillance approach is that these types of monitoring metrics are not a measure of productivity or security. An engineer tallying up keystrokes won't tell you whether the lines of code for your new product release were finished on time. And a sales rep logging keystrokes and looking busy is not going to alert you to the fact that he was really uploading your customer records to a personal email account.

Not only does the Big Brother approach fail to solve productivity and security issues, it leads to a cultural problem: namely, a lack of trust and transparency. And that's certainly not the type of environment that fosters collaboration, creativity, and innovation.

Future of Work
The future of work has fundamentally changed. According to recent industry research, nearly three-quarters of CFO respondents plan to move more employees into permanent remote positions after the COVID-19 pandemic. The reality is that working from home and the collaboration apps that keep employees connected and productive are here to stay.

When it comes to securing a collaborative culture, covertly counting keystrokes or tracking how long workers are on their computers is antiquated police-state security. Surveillance of end users stands in stark opposition to what an open, collaborative culture is all about. If you accept these as truths, it is not a difficult leap to see that conventional approaches to data security must change.

There is a new way to think about data security. It starts by assuming positive rather than negative intent. It's based on trusting and verifying versus not trusting at all.

To solve the security challenge, new approaches to security need to take into account the implications of using collaborative apps and the increasing exposure of the endpoint. Rather than counting keystrokes, security should focus on out-of-the-ordinary file movements — for instance, when a remote worker downloads 20 files to a thumb drive or uploads financial records to a personal Dropbox. When someone abuses the trust that has been given to them, security can then investigate. That way, you don't let one "bad apple" ruin it for the rest, and the rest of the workforce can get their jobs done without interruption. Fundamentally, a trust-but-verify approach positions security teams as partners — not the police.
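A minimal sketch of the file-movement focus described above, added here as an illustration and not taken from the article or from any vendor product. The event format, the sanctioned-destination list and the 10-minute window are assumptions; the threshold of 20 echoes the article's thumb-drive illustration, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed for this sketch (not from the article): the event schema, the
# sanctioned-destination list, and the 10-minute window.
SANCTIONED = {"onedrive.corp.example", "slack.corp.example"}
BULK_THRESHOLD = 20              # echoes the article's "20 files to a thumb drive"
WINDOW = timedelta(minutes=10)

def parse(line):
    """Parse one 'timestamp|user|action|destination|path' record."""
    ts, user, action, dest, path = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "dest": dest, "path": path}

def find_unusual_movements(events):
    """Return alerts for file movements only; no keystrokes or screenshots."""
    alerts, usb_times, already_flagged = [], defaultdict(list), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["action"] == "usb_copy":
            # Keep only this user's copies that fall inside the sliding window.
            recent = [t for t in usb_times[user] if ev["ts"] - t <= WINDOW]
            recent.append(ev["ts"])
            usb_times[user] = recent
            if len(recent) >= BULK_THRESHOLD and user not in already_flagged:
                already_flagged.add(user)   # one alert per user keeps triage quiet
                alerts.append((user, "bulk_removable_media", len(recent)))
        elif ev["action"] == "cloud_upload" and ev["dest"] not in SANCTIONED:
            alerts.append((user, "upload_to_unsanctioned_cloud", ev["path"]))
    return alerts

def constructed_events(bob_copies=20):
    """Constructed sample data: three users on one afternoon."""
    base = datetime(2020, 5, 19, 14, 0)
    lines = [f"{(base + timedelta(seconds=15 * i)).isoformat()}|bob|usb_copy|E:|/designs/part{i}.dwg"
             for i in range(bob_copies)]
    lines += [f"2020-05-19T14:0{m}:00|alice|usb_copy|E:|/slides/deck{m}.pptx" for m in (1, 2, 3)]
    lines += ["2020-05-19T14:04:00|alice|cloud_upload|onedrive.corp.example|/plans/roadmap.docx",
              "2020-05-19T14:05:00|carol|cloud_upload|dropbox.com|/finance/q1_records.xlsx"]
    return [parse(line) for line in lines]

if __name__ == "__main__":
    for alert in find_unusual_movements(constructed_events()):
        print(alert)
```

Alice's three copies and her upload to a sanctioned destination produce no alert, so routine work is left alone and only the two outliers reach an investigator.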

To address the productivity issue — well, for starters, security should not be a crutch for solving performance problems. Performance should be measured by achieving key business results. What security teams should be doing is enabling employees to work with apps that enhance productivity and help them do this safely. In our "new normal," it is more important than ever for security to be seen as enabling — rather than impeding — the very performance-based and collaborative culture businesses need to succeed.

Change does not come easy. And this new approach to securing a culture of collaboration definitely calls into question some holy grails of data security. The late Rear Admiral Grace Hopper, known as one of the foremost computer science engineers, said the most damaging phrase in the language is "We've always done it this way!" COVID-19 has unleashed unprecedented change on how we get work done. It's time that data security catches up.


 

Joe Payne is the President and CEO of Code42 Software. Joe is a seasoned executive with more than 20 years of leadership experience and a proven track record leading high growth security and technology companies. With a passion for identifying and solving emerging market ...
 
