Dark Reading is part of the Informa Tech Division of Informa PLC


5/19/2020
02:00 PM
Joe Payne
Commentary

Long-Term Remote Work: Keeping Workers Productive & Secure

The pandemic has changed how we get work done. Now, data security must catch up.

In less than two weeks, our entire work culture shifted. In response to COVID-19, on March 19, 2020, California declared the first statewide stay-at-home order. By March 30, 26 states had joined California, sending millions to work from home. With that, COVID-19 forced companies to make rapid decisions to keep workforces safe and business moving forward.

Since that time, companies have plunged headlong into response and survival plans. Immediate concerns were focused on the health of employees and getting them set up to work from home. Security and IT teams worked around the clock to make sure employees had the tools they needed to stay connected and productive. Slack, Zoom, Microsoft OneDrive, and other collaboration apps were rolled out en masse, if they weren't already part of a work culture. All of this put a strain on security. Suddenly, security was on the hook to manage data risk beyond traditional company perimeters and do it at scale.

By now, other considerations are coming into focus. While employees are settling into home-office routines, companies are focused on making sure their businesses will exist. That may sound dramatic, but it's the same problem that Bob's coffee shop, JP Morgan, and a million other businesses continue to ponder. Business as we knew it is not going to be the same. With a nearly 100% remote workforce — and a world that is social distancing — how do we keep employees productive and teams innovating while keeping businesses secure?

Surveillance Approach
To make sure employees stay on task and don't waste time, some companies have chosen the Big Brother route. Since they can't see their employees working from home, they've installed monitoring software that collects screenshots every few minutes, logs keystrokes, and tracks website visits.

The challenge with this surveillance approach is that these types of monitoring metrics are not a measure of productivity or security. An engineer tallying up keystrokes won't tell you whether the lines of code for your new product release were finished on time. And a sales rep logging keystrokes and looking busy is not going to alert you to the fact that he was really uploading your customer records to a personal email account.

Not only does the Big Brother approach fail to solve productivity and security issues, it leads to a cultural problem: namely, a lack of trust and transparency. And that's certainly not the type of environment that fosters collaboration, creativity, and innovation.

Future of Work
The future of work has fundamentally changed. According to recent industry research, nearly three-quarters of CFO respondents plan to move more employees into permanent remote positions after the COVID-19 pandemic. The reality is that working from home and the collaboration apps that keep employees connected and productive are here to stay.

When it comes to securing a collaborative culture, covertly counting keystrokes or tracking how long workers are on their computers is antiquated police-state security. Surveillance of end users stands in stark opposition to what an open, collaborative culture is all about. If you accept these as truths, it is not a difficult leap to see that conventional approaches to data security must change.

There is a new way to think about data security. It starts by assuming positive rather than negative intent. It's based on trusting and verifying versus not trusting at all.

To solve the security challenge, new approaches to security need to take into account the implications of using collaborative apps and the increasing exposure of the endpoint. Rather than counting keystrokes, security should focus on out-of-the-ordinary file movements — for instance, when a remote worker downloads 20 files to a thumb drive or uploads financial records to a personal Dropbox. When someone abuses the trust that has been given to them, security can then investigate. That way, you don't let one "bad apple" ruin it for the rest, and the rest of the workforce can get their jobs done without interruption. Fundamentally, a trust-but-verify approach positions security teams as partners — not the police.
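The file-movement focus described above can be written as detection logic over endpoint file events. The following is an added example, not code from the article or from any product; the event schema, the 10-minute window, the sanctioned-destination list and the sensitivity tags are assumptions, while the 20-file threshold is the figure used in the text.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions (not from the article): event schema, window, sanctioned list, tags.
USB_THRESHOLD = 20                            # "20 files to a thumb drive" in the text
USB_WINDOW = timedelta(minutes=10)            # hypothetical burst window
SANCTIONED = {"onedrive-corp", "slack-corp"}  # hypothetical corporate tenants
SENSITIVE_TAGS = {"financial", "customer-records"}

def detect(events):
    """Return alerts for unusual file movement; ordinary activity yields nothing."""
    alerts = []
    usb = defaultdict(deque)   # user -> timestamps of recent removable-media copies
    burst_open = set()         # users already alerted for the burst in progress
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        if ev["dest_type"] == "removable":
            q = usb[user]
            q.append(ts)
            while q and ts - q[0] > USB_WINDOW:   # drop copies outside the window
                q.popleft()
            if len(q) >= USB_THRESHOLD and user not in burst_open:
                burst_open.add(user)              # one alert per burst, not per file
                alerts.append((user, "bulk-copy-to-removable-media", len(q)))
            elif len(q) < USB_THRESHOLD:
                burst_open.discard(user)
        elif ev["dest_type"] == "cloud" and ev["dest"] not in SANCTIONED:
            if ev["tag"] in SENSITIVE_TAGS:
                alerts.append((user, "sensitive-upload-to-unsanctioned-cloud", ev["file"]))
    return alerts

def sample_events():
    """Constructed sample data: two users trip a rule, one works normally."""
    t0 = datetime(2020, 5, 19, 14, 0)
    evs = [{"user": "alice", "ts": t0 + timedelta(seconds=15 * i), "dest_type": "removable",
            "dest": "usb0", "file": f"doc{i}.pdf", "tag": "general"} for i in range(20)]
    evs.append({"user": "bob", "ts": t0, "dest_type": "cloud", "dest": "dropbox-personal",
                "file": "q1_ledger.xlsx", "tag": "financial"})
    evs += [{"user": "carol", "ts": t0 + timedelta(hours=i), "dest_type": "removable",
             "dest": "usb0", "file": f"slide{i}.pptx", "tag": "general"} for i in range(5)]
    evs.append({"user": "carol", "ts": t0, "dest_type": "cloud", "dest": "onedrive-corp",
                "file": "budget.xlsx", "tag": "financial"})
    return evs

if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Carol's occasional USB copies and her upload to the sanctioned tenant produce no alert, which is the point of the approach: only the out-of-the-ordinary movement reaches an analyst.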

To address the productivity issue — well, for starters, security should not be a crutch for solving performance problems. Performance should be measured by achieving key business results. What security teams should be doing is enabling employees to work with apps that enhance productivity and help them do this safely. In our "new normal," it is more important than ever for security to be seen as enabling — rather than impeding — the very performance-based and collaborative culture businesses need to succeed.

Change does not come easy. And this new approach to securing a culture of collaboration definitely calls into question some holy grails of data security. The late Rear Admiral Grace Hopper, known as one of the foremost computer science engineers, said the most damaging phrase in the language is "We've always done it this way!" COVID-19 has unleashed unprecedented change on how we get work done. It's time that data security catches up.


 

Joe Payne brings to Code42 more than 20 years of leadership and a proven track record with high-growth software companies. He has a broad experience base in delivering software and software-as-a-service (SaaS) solutions to enterprises across numerous industries. As President ...
 
