Pandemic underscores the importance of security, agility for remote work
- By Jim Richberg
- Aug 10, 2020
Events like extreme weather and 9/11 provided opportunities for government agencies to work out the logistics needed to remain up and running, but the emphasis in those cases was on enabling essential employees to continue working on-site or from officially designated alternate worksites. The COVID-19 pandemic has forced governments to determine how to make the most efficient use of the entire workforce with the bulk of employees working offsite -- typically from home -- for an extended period. For many, the trick lay in scaling up the remote work capabilities already in place.
The ease with which agencies were able to migrate to remote telework varied significantly. In the best cases, agencies had core capabilities such as next-generation firewalls and Trusted Internet Connection-compliant policies in place to allow employees to download client software onto their remote devices, establish secure connections and resume work. In other cases, a lack of modern firewalls, adequate bandwidth or telework-friendly IT or security policies made it labor-intensive to establish and sustain remote connectivity.
While most agencies ultimately implemented remote telework for the majority of their workforce, some did so by granting waivers or by putting ad hoc technological solutions in place.
But what about security? Remote telework in the “new normal” is likely to be based on an organization’s current practices. It’s especially important for those agencies that struggled -- and which may have had to cut security and IT policy corners -- to review their current remote telework posture going forward.
The remote security challenge
Securely supporting a remote workforce is essential for any government business continuity and disaster recovery plan.
Grappling with a sudden and large number of remote workers presents numerous cybersecurity challenges. For one, an agency may not have operational control or even insight into the remote worker’s computing environment -- a home network -- that may contain vulnerable internet-of-things devices and family members running applications that potentially introduce threats into government networks. Further complications arise if the employee is using a personal device rather than a government-issued and owned computing platform. For agencies, the challenge is isolating the remote worker’s device -- or at least the IT resources and processes that are doing remote telework -- to ensure the integrity of government networks and data.
Human error accounts for the majority of security breaches, and in a remote computing environment such as a home network, the consequences of user error -- which may stem from activity not even conducted by the employee -- are magnified. Agencies need a secure, reliable communications solution that’s easy to implement, effective and adheres to privacy best practices.
The private sector has similar needs and concerns, but government agencies must address them on a greater scale and with larger stakes at risk. The federal government has over 2 million full-time employees and thousands of contractors who access electronic resources. It also maintains some of the largest IT networks and controls some of the world’s most sensitive -- and coveted -- data. Achieving adequate cybersecurity protection at this scale would be a challenge at any organization, but for government, compromised systems could lead to disastrous consequences.
How to support distributed workforces
Not every government employee requires the same level of access to IT resources when working remotely. Agencies should look to solutions that can address security at different levels, including:
- Standard government workers. Most employees need access to internet, email, teleconferencing, limited file sharing and function-specific capabilities (HR, accounting and so on) from their remote work site. This includes access to software-as-a-service solutions in the cloud, such as Microsoft Office 365, as well as a secure connection to the government network.
- Power users. Employees who require a higher level of access to government resources while working remotely -- such as system administrators, IT support technicians and emergency personnel -- may need the ability to operate in multiple, parallel IT environments.
- Super users. Some employees require advanced access to sensitive government resources, even when working from an alternate office location. They frequently process organizationally sensitive information and may need access to classified data and networks as well. This employee profile includes administrators with privileged system access, support technicians and emergency personnel, along with government executives such as agency heads, governors and mayors and key staff. For these super users, their alternate work site should be configured as an alternate office location.
Searching for silver linings in the pandemic work experience
When the pandemic ends, the massive remote work experiment it created will have a continuing dramatic effect on how work is done. As the RAND Institute pointed out, once the work-from-home genie has been let out of the bottle, it’s difficult to put it back in. An entire workforce will have experienced a commute-free day and other benefits. Organizations will have sorted out the technical logistics of telecommuting and discovered that productivity can continue -- in some cases, increase -- without having everyone in the office every day. Distrust in letting people work from home other than by exception will have largely evaporated.
If there’s another silver lining to the pandemic’s global dark cloud, it’s that IT agility and resilience have migrated from the category of “nice to have” to “must have.” Cybersecurity is also in the spotlight, especially for organizations that may have been putting off security upgrades or which have identified new requirements for secure remote work. State and local governments are already facing a financial meltdown as a result of COVID-driven revenue shortfalls, and the federal budget will likely contract significantly too. Unfortunately, when funding gets tight, security is too often one of the first spending priorities to be sacrificed.
Improving security, improving culture
Government does a good job defining standards, but it often lags industry in its pace of implementation. Businesses quickly executed a COVID-driven pivot to remote telework, and as agencies move forward, they should leverage experience and lessons from the private sector. Agencies are used to looking to industry for ‘not invented here’ IT solutions, but exploring applicable best practices and lessons learned beyond government may require a cultural shift.
The move toward telecommuting triggered by COVID-19 is likely to result in significant evolutionary changes to cybersecurity, the government workforce and society. Less commuting and secure, remote work environments open the door to recruiting and retaining a more diverse and motivated government workforce. By implementing the needed tools and cybersecurity strategies, agencies can support distributed workforces, enhance productivity and ensure continuity of operations.
Jim Richberg is public sector field CISO and VP of information security at Fortinet.