Your New Era of Cybersecurity Part 2: A Three-phase Roadmap for Implementing Your New Cybersecurity Paradigm
Part one of this series reviewed how new workforce strategies that allow remote work have rendered traditional perimeter-based cybersecurity obsolete, and created the need for organizations to transform their cybersecurity architecture in alignment with access-from-anywhere for their remote workforce. We introduced how policies, technology and education must be addressed to realign, re-architect and reorient cybersecurity programs for long-term remote workforces. Let’s take a closer look at how organizations can successfully accomplish this transformation.
I. Policy: Realign and Be Prepared
Before acquiring new tools and technologies, organizations should review and revise their security and employee policies and create a comprehensive remote work policy. The goal is to have procedures in place before issues arise. New policies should be rolled out before employees and managers need the answers. Policies must also be reviewed with compliance requirements in mind. If your organization has remote workers, you need to begin with remote work policies that your security, IT, compliance, legal, HR and management teams support.
Successful policies are specific and reasonable with fair and equally enforced consequences. What types of remote work questions should these policies address? Here’s a sample list of some of the things to consider:
- What networks are remote workers allowed or required to use? Provide specific guidance on options such as home, company VPN, a phone hot spot and public networks (airports, coffee shops, etc.).
- What geographies are people allowed to connect from? Only domestic locations? Or from some or all foreign countries?
- What devices may employees use to access corporate data from remote locations?
- What data is allowed on a company device that goes outside domestic borders?
- May family members or housemates use devices used for employee work?
- What non-work activities may be done on a device that accesses corporate data?
II. Technology – Re-architect to Protect the Device
Once the groundwork of creating and implementing remote work policies has been accomplished, the IT security team can create and implement a new cybersecurity approach based on anywhere-access for remote work and the criticality of protecting devices wherever they are located. Every aspect of cybersecurity should be looked at, and choices need to balance usability with security need, because it won’t help defenses if usability is so poor that a remote workforce loses productivity or seeks out workarounds. Taking a programmatic approach to maintain and advance cybersecurity maturity with prioritizations for the most effective measures is recommended best practice.
One highly effective measure that organizations should implement as part of their remote work policies and re-architecture is multi-factor authentication (MFA). Let’s look at MFA as a practical example:
Policy: Review information security policies and remote work policies, and update to account for MFA. Document the specific situations that will require MFA (e.g., email, applications, VPN, admin access) and the requirements for using a personal device for authentication (e.g., Google Authenticator, Microsoft Authenticator).
Technology: Implement MFA on the applications and systems designated in policies and which support MFA (SaaS applications, email, VPN, servers, SharePoint, etc.). Solutions may have to be developed for legacy applications. Teams may need to bring in Identity Access Management (IAM), a proxy server, or other technology to protect all systems with critical data. Find a balance between usability and security (e.g., you may require MFA on email and IAM once a week from the same device, and every time for administrator access and network access).
Education: When the user login experience changes, educate the workforce on why and what to expect. Give users the opportunity to understand why they must use MFA and how they can efficiently comply with the requirement. Explain that usernames and passwords are for sale on the dark web, and social engineering attacks to steal usernames and passwords are frequent. Educate users that risk is significantly reduced if bad actors have to face MFA protocols. Also, provide easy-to-understand user resources on setting up MFA on their phones and navigating the requests they will receive when logging into services. Ensure these training, videos and documents are available when MFA is rolled out, so users have immediate access to the relevant information.
III. Education – Reorient and Improve User Experience
The above example for MFA is an excellent example of why education needs to be a pillar of transforming your cybersecurity program. Users are directly affected by many cybersecurity tools and technologies. However, users have at best an average understanding of the risk and reasons the IT team has implemented these new measures. Regular security trainings with explanations of the importance of new security measures reduce risk. Users who have been trained in advance on how they can most easily comply will experience less of a burden than users who don’t get the information and must figure out how to access their applications. A better user experience means higher compliance, less user dissatisfaction and reduced risk.
Don’t underestimate the importance of educating users. The success of creating and updating policies and designing and implementing tools and technologies still ultimately hinges on users as the first line of defense —especially in the new era of remote work.
The above MFA example gives you the high-level process for addressing the policies, tools and technologies you will need to evaluate, as well as the training and resources you need for users. However, MFA is just one specific technology. You’ll need to use a similar approach for all the tools and processes used to protect your users and devices: endpoint protection such as firewalls and virus protection, patch management, vulnerability management, home internet protection, employee on-boarding and off-boarding, remote access, identity and access management and more.
Start now to strengthen your defenses for 2022, and prepare for the work-from-anywhere, access-from-anywhere era.