Pre-crisis, most assumed the reason we didn’t work from home en masse was because we didn’t know how to or that it would take too much investment. We now know that’s simply not true.
A fully remote workforce is possible and probably has been for awhile. However, it does require a shift in IT structure, cultural norms and business and security practices. As business leaders across the country grapple with the same question — Do we return to the office or maintain remote work? — security is an important component of that discussion.
This massive, forced work-from-home experiment has highlighted two important points. First, most businesses can seamlessly operate without being tethered to a physical location.
Many businesses actually experienced an uptick in productivity from this migration even if macroeconomic conditions limited the results.
And second, while securing teleworkers is different than securing an office, it is certainly possible. In fact, it could be argued that if done right, a work-from-home or even a work-from-anywhere setup is even more secure than an office environment. It all boils down to what security measures an organization is taking.
Should your business be contemplating a fully remote workforce, a la Twitter or Square, here’s what you’ll need to make that environment secure:
Non-work device protection
This is an area that often goes unaddressed in securing a work-from-home environment. Employer-issued devices, such as laptops or mobile phones, are top of mind. But employees often have several devices in their homes that create vulnerabilities for a network. Home devices such as Amazon’s Alexa or Google Home, for example, are constantly recording conversations and could be an entry point for bad actors. Wireless printers are another example of a point of vulnerability.
So is the shared home WiFi and the family iPad. This is not to say that employees can’t own such devices, but rather a business must include them in its security protocol to create the most secure environment for its enterprise.
Now more than ever the workforce is relying heavily on their mobile devices. They of course have played an important role in work execution for the last decade at least, but the role has expanded exponentially in the last few months. It’s now sometimes an employee’s main work device — the portal through which they read emails, edit PowerPoints and perhaps even access and write code.
Because of this, mobile device security is even more pertinent. It isn’t solved by simply bringing the right solution to the phone. Businesses should consider four levels of security here: the chip set and stack (or hardware), which is typically secured by the manufacturer but is in need of improvement; mobile device management (MDM), mobile application management (MAM) or enterprise mobility management (EMM); classic controls such as strong authentication, antivirus and patching level; and finally, endpoint detection and response, and general monitoring for advanced attacks.
An internet cafe mindset
Internet cafes were built on the idea that most people can meet all their digital needs without having a dedicated space or personal equipment. The same mantra should hold true for today’s businesses. Business processes can no longer be connected to a physical location. Instead, build an “internet cafe” for your employees so they can work from anywhere, including their homes.
To avoid such attacks and ensure the login process is secure, make the authentication process central to your security setup. This is achieved with a few tactics. First, each endpoint (laptop, mobile device, Wi-Fi connection, etc.) must stand for itself, be self-reliant and have the needed security controls all by itself.
Second, access to sensitive services must go through clear and designated gates. There should be no “open ports” from any segment in the network directly to any sensitive service or component. Third, do not rely on centralized network controls, and fourth, services should be un-meshed. This means every service has to be well-defined, understood, filterable, etc. And finally, management from everywhere must be possible. Security and management services should be applicable no matter where the endpoint is.
As a final word of advice, be leery of the phrase “the new normal.” We will only really know what the new normal is when the crisis is in the rearview mirror for a while. Just because the work-from-home trend has taken hold so quickly right now and is possible doesn’t necessarily mean it’s here to stay. The real reasons we didn’t do it sooner, just like choosing to not get on airplanes or finally having a paperless office, are not clear and are deeply rooted in corporate cultures and behaviors. As an analogy, World War II, for example, plunged women into the workforce at the highest rates in history. At the time, we predicted this drastic shift in the workforce was going to be the new norm. But women’s participation in the labor force remained nearly stagnant for a decade after the war. It wasn’t until the 1960s that the rate at which women were working began to increase, which continues to the present day.
The same pattern could hold true for working from home: The practice might be a long-term trend or short-term progress that doesn’t stick post-crisis.
Either way, enterprises must be secured and devices protected for employees to be productive and successful, and we owe it to ourselves to remove IT and security concerns from the ability to just work-from-home or work-from-anywhere when the new normal finally does arrive.
This article first appeared on Entrepreneur.