3 Fundamentals to Truly Secure Remote Workers

By
Christian
Aboujaoude,
chief
technology
officer
at
Keck
Medicine,
USC

In
the
pre-pandemic
days,
security
solutions
could
be
more
basic.
Securing
the
perimeter
could
be
likened
to
locking
the
door
of
your
house.

[…]

3 Fundamentals to Truly Secure Remote Workers



By
Christian
Aboujaoude,
chief
technology
officer
at
Keck
Medicine,
USC

In
the
pre-pandemic
days,
security
solutions
could
be
more
basic.
Securing
the
perimeter
could
be
likened
to
locking
the
door
of
your
house.
But
with
remote
workers
taking
devices
off
premises
and
sometimes
using
their
own,
securing
the
workplace
requires
a
new
approach.
Sophisticated
threats
come
from
every
angle,
and
preparing
a
complete
defense
is
vital.

We
are
in
an
environment
of
constant
change
and
unexpected
events.
Just
when
many
people
began
welcoming
a
post-pandemic
world,
cases
started
rising
again,
and
the
need
to
apply
proper
controls,
governance,
education,
and
tools
for
remote
workers
once
more
became
top
of
mind
for
many
cybersecurity
leaders.

For
CISOs
and
their
teams,
the
challenge
is
to
build
a
culture
that
facilitates
the

ability
to
adapt

to
change
on
an
ongoing,
continuous
basis.
This
requires
a
new
mindset
in
securing
all
users

remote
users,
in
particular.
It
also
means
evolving
your
approach
so
that
cybersecurity
is
no
longer
viewed
by
business
management
as
a
cost
center,
but
rather
as
a
means
of
competitive
differentiation
and
innovation
for
the
organization.

In
my
view,
there
are
three
critical
aspects
to
changing
the
culture
and
mindset
to
adapt
to
current
and
future
cybersecurity
challenges,
particularly
as
remote
work
becomes
more
deeply
ingrained
as
a
business
requirement:


1.



Education:


Develop
a
deep
understanding
of
every
aspect
of
your
organization
and
spend
a
lot
of
time
and
attention
on
education

for
everyone,
whether
they
are
on
your
security
teams,
in
your
executive
suite,
front-line
workers
on-premises,
remote
workers,
or
anywhere
else
in
your
ecosystem.


2.



Technology:

Even
in
some
larger
organizations,
basic
technologies

such
as
multi-factor
authentication
or
secure
VPN

are
not
given
the
priority
necessary
to
allow
remote
workers
to
operate
in
a
more
controlled
environment.
It
is
important
to
have
the
basics
under
control
before
adding
innovations,
such
as

Zero
Trust
.


3.



Procedures
and
practices:

It
is
vital
to
maintain
a
philosophy
of
ongoing
education
along
with
continuous
evaluation
of
the
technology
your
organization
is
using
or,
in
some
cases,
not
using.
From
a
procedural
perspective,
you
must
understand
everything
in
your
environment.
Once
you
understand
it,
you
can
assess
and
address
its
impact
on
your
current
risk
and
overall
risk
profile.

1.
Leveraging
education
to
secure
remote
workers

The
reason
education
tops
my
list
is
that
over
80%
of
cybersecurity
events
relate
to
people.
Everyone
needs
to
truly
understand
what
cybersecurity
is

and
that
it’s
not
just
a
password
or
two-factor
authentication.
Cybersecurity
is
an
approach

a
mechanism.
It’s
how
you
go
about
conducting
work.
Achieving
a
strong
cybersecurity
posture
takes
cultural
change,
behavioral
change,
and
constant
learning.

When
users
were
largely
on
premises,
most
organizations
could
compensate
for
potentially
dangerous
behavior
by
having
multiple
controls
to
help
protect
them.
However,
when
those
same
people
go
remote,
there’s
a
bit
of
a
loss
of
control
and
governance.
There
are
technologies
to
help
cover
user
behavior,
but
it
is
better
when
the
behavior
doesn’t
exist
in
the
first
place.

This
means
that
we
must
educate
folks
on
cyber
hygiene,
making
sure
they
understand
that
the
steps
they
take
at
work
may
not
be
the
steps
they
take
when
they
are
working
remotely
or
from
home.
This
is
especially
critical
in
this
very
open-ended
environment,
where
a
user’s
device
may
be
used
by
other
people
in
the
home.

2.
Leveraging
technology
to
secure
remote
workers

Strong
foundations
are
also
important
from
a
technological
perspective.
You
must
make
sure
you
have
controls,
processes,
and
governance
for
multi-factor
authentication
and
secure
VPN.
It’s
those
things
that
pave
the
way
for
Zero
Trust.

My
best
advice
is
to
approach
everything
from
the
bottom
up,
understanding
not
just
your
inventory
but
every
single
behavior
that
takes
place
from
a
public-facing
standpoint.
This
is
especially
important
for
remote
workers.
I
good
place
to
start
is
by
asking
yourself
and
your
team
key
questions:

  • Do
    we
    know
    what
    our
    environment
    actually
    contains?
  • Are
    we
    aware
    of
    all
    the
    devices
    and
    services
    running
    in
    our
    environment?
  • Do
    we
    have
    an
    inventory
    of
    all
    of
    our

    IoT
    devices
    ?
  • Do
    we
    understand
    the
    needs
    and
    potential
    risks
    of
    all
    of
    our
    users?
  • Do
    we
    know
    the
    needs
    of
    each
    application
    and
    user
    based
    on
    key
    criteria
    such
    as
    performance,
    availability,
    resilience,
    data
    usage,
    and,
    of
    course,
    security?

Fundamentally,
you
need
technology
tools
that
can
exist
on
your
network
and
identify
all
connected
devices.
I’m
talking
about
tools
that
are
able
to
actually
interrogate
the
network,
understand
packets,
and
capture
specific
metadata
for
each
device
to
determine
how
it
lives
on
the
network.

3.
Leveraging
procedures
and
practices
to
secure
remote
workers

If
you
haven’t
figured
it
out
by
now,
I’m
a
huge
stickler
for
inventory.
From
a
process
standpoint,
you
must
understand
your
inventory:
what
it
is,
what
it
means,
and
why
it
matters

as
well
as
its
impact
on
your
business
and
your
security
posture. 

So,
from
a
procedure
standpoint,
you
need
something
in
place
that
is
able
to
identify
what
you
have
in
your
environment.
Then
you
must
relate
and
correlate
that
information
to
any
situation,
to
the
point
where
you
can
say
about
any
device:
“This
device
is
connected
to
this
application
that
lives
here
and
does
that.”

From
there,
you
can
build
a
configuration
management
database
(CMDB)
approach
to
really
understand
your
environment
and
have
processes
in
place
to
integrate
with
your
ITSM
tool
so
you
can
execute
the
specific
actions
you
need
to
take.

Maintaining
ongoing
processes
also
relates
back
to
my
first
point:
education.
CISOs
need
to
ensure
training
and
education
are
continuing
when
people
work
from
home
or
remote
locations,
and
they
need
to
have
tests,
controls,
processes,
and
governance
to
continuously
identify
and
correct
non-malicious
but
potentially
dangerous
behavior.
Quick-hit
training
without
repetition
rarely
are
effective.

My
advice
for
CISOs
and
other
cyber
leaders

If
I
could
leave
CISOs
and
other
cybersecurity
leaders
with
a
key
takeaway
from
this
article,
it
would
be
this:
Every
CISO
should
figure
out
how
to
balance
the
business
operations
of
their
organization
with
a
security
mindset
that
is
not
destructive
to
the
business
but
is,
in
fact,
built
into
the
fabric
of
the
business.
In
order
to
do
that,
I
urge
all
security
professionals
to
take
the
time
to
understand
as
much
as
they
can
about
the
business
in
which
they
work.

Note
the
emphasis
on

the
business
,
not
cybersecurity.
Most
security
professionals
know
security
exceptionally
well.
But
if
they
don’t
have
an
equally
exceptional
understanding
of
their
business
or
organizational
needs,
they
are
potentially
setting
themselves

and
their
organizations

up
for
failure.

Whether
you
are
the
CISO
or
anyone
on
the
security
team,
you
need
to
be
able
to
go
to
the
people
in
any
department
and
have
detailed
conversations
with
them
related
to
their
protection
and
their
business
needs.
It
may
start
with
something
simple:
“We
saw
that
you
have
these
devices.
They
are
not
in
compliance
with
our
security
posture,
and
we
need
to
take
this
action
or
we
will
be
forced
to
put
it
offline.”

Of
course,
the
immediate
reaction
will
be:
“You
can’t
do
that!”
And
the
response
is:
“Yes,
we
know.
That’s
why
we
have
to
fix
the
problem.”
A
solution-focused
and
service-focused
mindset
is
key.

The
opportunity
ahead

Remote
work
is
here
to
stay.
To
make
it
successful,
you
have
to
make
it
secure.
Cybersecurity
leaders
and
their
teams
have
an
opportunity
to
make
huge
contributions
to
their
organizations
over
the
next
few
years
by
developing
cyber-aware
cultures
that
are
both
agile
and
responsive
to
the
changing
needs
of
their
organizations.

By
focusing
on
the
fundamentals,
CISOs
can
prepare
themselves,
their
teams,
and
their
organizations
to
be
ready
for
whatever
comes
next.
As
we’ve
learned
all
too
well
over
the
past
few
years,
change
is
the
only
constant
in
cybersecurity.
Be
ready.

For
more
perspectives
on
cybersecurity,

visit
us
online
.



About
the
author
:


Security
Roundtable
author,
Christian
Aboujaoude,
is
the
chief
technology
officer
at
Keck
Medicine,
USC.

About Author

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.