Disparate, But Secure: The Possibility of an Entirely Remote Workforce
As the COVID-19 pandemic forced the private and public sector workforce to relocate to a remote environment, the transition revealed the sobering fact that we do not yet have proper capabilities and infrastructure in place to support a fully remote state and local government workforce.
While the issue of securing a remote workforce has become a top priority for corporate organizations and federal agencies around the world, few national conversations have focused on how to truly address state and local cyber security concerns.
On June 8, I joined government officials and industry leaders at the federal, state, and local levels for a virtual panel discussion on what it takes to put the ransomware protections and cybersecurity infrastructure in place in order to have a secure, remote workforce.
Adapting to the remote workforce shift
The webcast from WWT and Cisco, Disparate, But Secure: The Possibility of an Entirely Remote Workforce, explored how federal, state, and local officials have leveraged budgets, policies, and personnel to respond quickly to cybersecurity threats during the massive shift to working from home.
As we have moved to an almost entirely remote workforce, one of the biggest security challenges that I have seen is the ability to scale — or better put, the lack thereof. To their respective credit, federal, state, and local agencies never expected nor could have anticipated a need to immediately transition one hundred percent of their workforce to a remote environment, especially not for a prolonged period of time.
Security stays at the forefront
There is no doubt that the immediate need to have to scale up that quickly caught many agencies off guard, particularly at the state and local level. We were suddenly faced with a bevy of security issues: device authentication, in a return to the worries of the ‘BYOD’ Era; a lack of security licenses readily available for each worker; and how to restructure firewall protections and increase VPN traffic to meet the needs of a scattered workforce. These used to be the kinds of basic issues that you would not otherwise worry about, let alone need to plan for. While the ways by which state and local agencies approach cyber security on a daily basis have not changed, the scale at which it is now needed has been flipped on its head.
That said, the ability to scale, particularly scaling up, is not the issue alone; it is making sure the security controls are in place to support it. Without these controls, remote workers are creating more unintentional risk for their organization merely by doing their jobs.
The question then becomes: How do we make sure the necessary security measures are in place without security itself getting in the way of the greater mission and prohibiting workers from doing what they are in place to do?
Basic cyber hygiene best practices have not changed dramatically from before the epidemic to present day; however, there is a renewed need for placing greater emphasis on ensuring these basic tenets continue to be utilized and implemented. Getting back to the basics of cyber hygiene will greatly assist in reeducating the workforce about many oft-overlooked actions they may unknowingly be taking that put their organization’s security at risk.
Although their workforce may have transitioned to a remote environment, many state and local agencies in small towns and rural areas are still in varying stages of implementing a revised security strategy. It is important for state and local CIOs, CSOs, and CTOs to fully assess their digital environment to identify potential gaps and vulnerabilities.
In building their framework, agencies should be moving away from compliance alone and toward security. I could meet compliance standards all day and still not be truly secure.
How to protect against vulnerabilities
The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. It serves as a barometer for concern over potential looming security threats. When you take a look at a number of recent cyberattacks on state and local government agencies, many had low CVE ratings, and therefore were not prioritized. By the time the vulnerability of the threat raised compliance red flags, it was already too late.
What state and local agencies can do is to tie vulnerabilities to real world threats. At WWT, we can mimic the unique remote environment of a state or local agency workforce and simulate virtual proofs of concept to address potential areas of vulnerability and work with them to develop the right security solutions for their organization.
As I well know from my time serving as the State CISO for Maryland, what CIOs, CSOs, and CTOs are ultimately trying to help state and local governments do is allow their workers to work from any connection on any device securely. If systems are not protected properly, with every added connection from a different location, there are more opportunities for something bad to happen.
If we are to effectively realize the possibility of a permanently remote workforce — whether partially or completely — a remote workforce must remain a secure workforce.
If you want to experience how WWT leverages technologies from across the industry, I invite you to continue exploring the WWT Digital Platform to gain access to our state-of-the-art Advanced Technology Center (ATC). Via the ATC, we provide our customers an integrated collaborative environment to develop AI models, build them out and conduct proof-of-concept testing, and take them into development and production.
You can stream the virtual webcast in its entirety here: Disparate, But Secure: The Possibility of an Entirely Remote Workforce.