We’re facing unprecedented changes to social norms during the global coronavirus pandemic, including how and where we work. Mandatory social distancing means we’re working from home, even in organizations that previously didn’t embrace remote working or distributed teams. This new reality will bring permanent changes in attitudes towards remote work, and we need to shift our thinking about how we implement InfoSec, compliance, and cybersecurity in this new era of distributed teams.
Tools that support remote work, such as collaboration platforms and cloud-based software, require significant investment; CFOs and CTOs looking to maximize ROI will push continued use of these tools once pandemic restrictions are lifted. Investments in remote work equipment, including office supplies for employees working from home, coupled with cost savings from reduced rent, utilities, and other office costs will accelerate this trend.
Distributed tools offer significant financial savings, especially those delivered in cloud “as a service” models. Paying for cloud services involves a favorable change in accounting practice from capital expenditures (CapEx) to operating expenditures (OpEx), while shared infrastructure like data centers provide additional savings.
Organizations are also realizing they can tap into a global, geographically dispersed talent pool rather than the more limited set of local resources. People may not want to live in the same place that your organization is headquartered for a variety of reasons, including family, cost of living, or just cultural differences. A distributed work culture allows you to bring subject matter experts into your team regardless of where they live!
Despite the benefits, new cybersecurity, InfoSec, and compliance challenges face organizations as they transition to a distributed workforce model. Some important categories of enabling technology and their corresponding security challenges are detailed below:
Traditional cybersecurity relies on a secure corporate perimeter, which distributed workforces lack. Shared defenses like a corporate firewall or network-based monitoring tools are insufficient. Cloud- and web-based apps are often available in both desktop and mobile app stores, which creates a heterogeneous environment similar to the BYOD trend of the last decade but on a much larger scale. Securing this new environment requires new tools, but as the OWASP Top 10 shows us, misconfiguration is a serious issue. This demands new skills and abilities on your team!
Migrating to distributed work can create new compliance burdens as well. US Federal government agencies must address FedRAMP requirements, while private sector organizations may have privacy issues under GDPR or CCPA related to cloud data storage. Moving to the cloud also involves a loss of control, e.g., you don’t have physical access to or authority over the data centers where your data is stored/processed. This means your third party and vendor risk management practices must evolve to address these new, more complex risks.
Here are key issues to keep in mind as you deploy tools to support your distributed workforce:
There are a number of important points to consider when building a distributed workforce, particularly ensuring adequate security of data and information systems. First and foremost, identify the skills needed to adapt to this new reality – workforce development and training plans must include adequate resources for InfoSec and cybersecurity talent. You’ll need properly trained people to manage BCDR, secure cloud architectures, and assess & mitigate cyber risks. Certifications and skill building enhance the ROI of the new tools you’re deploying.
Once tools have been deployed to support the new distributed workforce, be sure to apply proper cyber risk assessment practices. Systems are being deployed ad hoc to deal with these extraordinary times, but don’t let them slip by without proper risk analysis. Identifying cyber risks and appropriate mitigations like data encryption is critical to ensure your organization’s continuity measures don’t lead to a cyber incident.