Re-assessing Workplace Risk in a Pandemic
Demetrios Lazarikos (Laz)
December 8, 2020
The COVID-19 pandemic has affected the world over. Countries and regions have taken measures to curtail the spread of this infectious disease. As a result, many organizations have implemented work-from-home measures.
While the vaccines reveal a glimmer of light at the end of the tunnel, case numbers across the country continue to reach record highs, and remote work remains the normal mode of operations for the foreseeable future. The IT team that hastily accommodated a sudden remote workforce in March now faces the reality of making remote operations sustainable for the long run. Unless you are Google, or one of a handful of other organizations that thoroughly practiced zero trust long before COVID, you are most likely using some patched-together infrastructure and a makeshift access model to accommodate a distributed workforce.
Though these circumstances are extraordinary, organizations are still being measured by the same workforce risk metrics as before COVID. Following any significant change to your business, your processes, or your environment, it’s best to reassess and create a baseline for future planning. How do you make sure that you are not exposing your organization to undue risks? Has your organization’s business model changed to this new norm, and has your security program followed suit?
For business executives, especially CISOs, who are unrelenting in their efforts to secure their organizations, it is probably time to consider a lightweight workforce risk assessment plan to understand the gaps in your current security program.
Establishing a Remote Workforce Assessment Plan
As your business has changed, so should your method of conducting an assessment. A successful evaluation will cater to your new work-from-home model and drive efficiency by:
- Completing the assessment online to support your remote workforce
- Easily allowing distribution across the organization to ensure the right people are participating
- Creating fast time to value, with results visualized and understood in weeks, not months
Your assessment can focus on key areas that directly impact a remote workforce or your new business model. The results create the opportunity for a relevant and time-appropriate discussion with your executive team and board around:
- What prevents our workforce from being fully productive? Is it due to infrastructure or to security measures?
- Are we employing new processes due to a remote workforce or how we have to conduct business that could expose our company to unnecessary risks?
- How have our business strategy and priorities changed in a post-COVID world, and how can our security efforts support these initiatives while planning for any unforeseen risks?
Conducting a lightweight workforce risk assessment can not only help you understand your risk posture but also promote greater collaboration company-wide. This assessment should cover the areas most impacted by this change, which can include: access management, asset management, business continuity and impact, endpoint protection, data governance, incident response, and crisis communication.
With roughly 42% of employees now working from home, businesses are encountering challenges they have never faced before. Organizations familiar with secure on-site practices struggle to secure a distributed workforce. Others, experienced with traveling and remote employees, are finding their security program priorities shifting with little to no documentation or planning.
Workforce Risk Example 1: Fast-growing fintech company
Before COVID: The fintech company had 95% of its employees working at offices across four different locations in the US, including an on-site call center. Most employees had workstations, allowing them to service clients on multiple screens with heavy integration to financial data feeds. The company relied on its perimeter controls to prevent unauthorized personnel from accessing the corporate network. Many in-house applications did not require multi-factor authentication because they were reached directly from the private network.
During COVID: The company had to immediately shift to a remote workplace. Laptops were pulled out of closets and mailed to homes with a focus on speed to ensure business continuity. Call center employees were no longer taking calls from office telephones on recorded lines but instead were issued corporate mobile devices.
Questions that arise from this shift:
- Employees now have critical company assets – laptops and mobile devices. Did you have an asset management strategy in place, potentially with a CMDB, where each endpoint is effectively tagged and cataloged?
- Before distributing laptops, did the company ensure that each endpoint device had the latest security updates and appropriate encryption (in case a lost or stolen laptop contains sensitive information)?
- Do you have a mobile device management (MDM) strategy and solution in place? The company needs to think about its procedures for ensuring compliance, controlling remote access to highly sensitive data, and backup and recovery if a device is lost, stolen, or inoperable.
- Remote access to the corporate network should be a concern. Is access to the network properly managed? Is a VPN in place, has the VPN connection been load-balanced, and is the VPN server patched and protected?
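Most of the questions above about laptops and mobile devices can be answered from data the company already holds, by reconciling its CMDB export against what the endpoint or MDM agents actually report. The following is an added example, not code from the original post or from Blue Lava: the asset records, the field names (asset_id, disk_encrypted, mdm_enrolled, os_patch_date, last_seen) and the thresholds are all constructed for illustration, not any product's schema.

```python
"""Lightweight endpoint reconciliation for a remote-workforce assessment.

Every record and field name below is constructed for this example; the
thresholds (30-day patch age, 14-day silence) are assumptions a real
program would set from its own policy.
"""
from datetime import date

REPORT_DATE = date(2020, 12, 8)  # assumed assessment date

# Constructed CMDB export: what the company believes it shipped to homes.
CMDB = [
    {"asset_id": "LT-0001", "owner": "alice", "kind": "laptop"},
    {"asset_id": "LT-0002", "owner": "bob", "kind": "laptop"},
    {"asset_id": "LT-0003", "owner": "carol", "kind": "laptop"},
    {"asset_id": "MB-0100", "owner": "dave", "kind": "mobile"},
]

# Constructed endpoint/MDM check-ins: what actually reported back.
# LT-0009 was pulled from a closet and mailed out but never cataloged;
# LT-0003 is cataloged but has never checked in.
TELEMETRY = [
    {"asset_id": "LT-0001", "disk_encrypted": True, "mdm_enrolled": True,
     "os_patch_date": "2020-11-20", "last_seen": "2020-12-07"},
    {"asset_id": "LT-0002", "disk_encrypted": False, "mdm_enrolled": True,
     "os_patch_date": "2020-10-01", "last_seen": "2020-12-06"},
    {"asset_id": "LT-0009", "disk_encrypted": True, "mdm_enrolled": False,
     "os_patch_date": "2020-12-01", "last_seen": "2020-12-07"},
    {"asset_id": "MB-0100", "disk_encrypted": True, "mdm_enrolled": True,
     "os_patch_date": "2020-11-30", "last_seen": "2020-12-05"},
]


def assess_endpoints(cmdb, telemetry, today,
                     max_patch_age_days=30, max_silence_days=14):
    """Return findings keyed by the checklist question they answer."""
    cataloged = {a["asset_id"] for a in cmdb}
    seen = {t["asset_id"]: t for t in telemetry}

    findings = {
        # Devices reporting in that nobody cataloged: shadow assets.
        "uncataloged": sorted(set(seen) - cataloged),
        # Cataloged devices that have not checked in recently: lost,
        # never enrolled, or sitting in a drawer.
        "silent": [],
        "unencrypted": [],
        "mdm_missing": [],
        "stale_patches": [],
    }

    for asset_id in sorted(cataloged):
        t = seen.get(asset_id)
        if t is None or (today - date.fromisoformat(t["last_seen"])).days > max_silence_days:
            findings["silent"].append(asset_id)

    # Control checks run over everything that reported, cataloged or not,
    # so an uncataloged laptop still shows up as unencrypted or unenrolled.
    for asset_id, t in sorted(seen.items()):
        if not t["disk_encrypted"]:
            findings["unencrypted"].append(asset_id)
        if not t["mdm_enrolled"]:
            findings["mdm_missing"].append(asset_id)
        patch_age = (today - date.fromisoformat(t["os_patch_date"])).days
        if patch_age > max_patch_age_days:
            findings["stale_patches"].append(asset_id)

    # Share of cataloged devices that are actually visible to the program.
    reporting = len(cataloged & set(seen))
    findings["coverage"] = reporting / len(cataloged) if cataloged else 0.0
    return findings


def run_assessment():
    """Run the reconciliation over the constructed sample data."""
    return assess_endpoints(CMDB, TELEMETRY, REPORT_DATE)


if __name__ == "__main__":
    for question, devices in run_assessment().items():
        print(f"{question}: {devices}")
```

The output is a list of device IDs per question rather than a single score, which is what a board-level conversation needs: "three of four shipped laptops are visible, one is unencrypted, one was never cataloged" is a baseline that can be re-measured after remediation. Swapping the constructed lists for a real CMDB export and an MDM report is the only change needed to run it on live data.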
Workforce Risk Example 2: Cloud-native technology company
Before COVID: The tech company was built on a culture of innovation, bringing new ideas and features to market with velocity as its competitive advantage. The company’s infrastructure was based on a fluid architecture in which employees could access applications through a simple internet connection. Most development training relied on trips to the water cooler and tribal knowledge, since processes were heavily automated.
During COVID: The tech company easily transitioned to a remote workforce, since it was used to a more distributed environment. However, with the financial impact on its core business, the company had to abruptly shift its efforts to a new application with an accelerated time to market. This proved challenging due to the lack of documentation around policies and standard operating procedures. The new application would drive more touch points with customers, making application security a focal point of potential risk: web application attacks are the most frequent pattern in breaches, yet application security spending was historically only a small portion of the security budget.
Questions that arise from this shift:
- How mature is your company’s application security program today? And do you have a clear understanding of what areas you should invest in?
- Have you invested in the appropriate documentation, whether for a specific policy such as application encryption or vulnerability scanning, or for application hardening guides?
- How is application security part of your development lifecycle, including the change management process? Are security reviews baked into each part of the application lifecycle?
- Have you revisited your access control policies and procedures?
- Have you conducted regular user access reviews and applied least-privilege principles to developers, mitigating risks to intellectual property?
- Has the team been trained to follow the proper procedures based on their roles, and do they know where to find the proper documentation for reference?
No matter how secure your organization was before COVID, there is a good chance you need to stop and reassess your team’s plan for the immediate future and the long term. While many businesses are eager to get back to their offices, a growing portion of the population will remain working from home, and businesses must adapt.
Now is the time not just to get the bare minimum done, but to be more strategic and lead the company to leapfrog what you were before, ensuring that whatever comes your way in 2021 and beyond, you will be prepared.
Ready to get your new baseline and start a workforce risk assessment?
See how Blue Lava arms security leaders with actionable data that helps them to measure, manage, and communicate their security program with confidence and ease.
Jen Sanford is an innovative marketing professional with over 15 years of experience in branding, digital, content, and product marketing, as well as project management. She is currently working with Blue Lava as their Senior Product Marketing Manager.