Maintaining security control in the age of the mobile workforce
The Polar Vortex caused extreme weather across the U.S. in recent weeks, and along with it, an uptick in the number of remote workers.
The ability to do our jobs from outside the corporate walls keeps workers productive and helps businesses remain operational. In some cases it also saves the organization travel fees – especially those caused by rescheduling or canceling hotels and airfare during inclement weather.
Beyond the seasonal spikes, many organizations are adopting more flexible work policies. The number of U.S. mobile workers is expected to grow to 105.4 million, or more than 70 percent of the population, by 2020.
The composition of the modern workforce is changing, and as an always-on society, we have a problem disconnecting. Fast forward from this brutal winter and 42 million people are expected to travel over Memorial Day weekend, with a majority of them still tethered to work communications on their devices.
When only 11 percent of end users access business applications from the corporate office 100 percent of the time, the growth of the mobile workforce places a lot of strain on data security. Data now sits on endpoints spread around the globe.
Sensitive data like personally identifiable information (PII) and protected health information (PHI) has become unbounded, the attack surface is mutating, and hackers are taking advantage of habitually poor endpoint security, according to the 2018 Verizon Data Breach Investigations Report. This scenario requires CISOs and CIOs to shift their approach to security and risk management to support all the benefits of a distributed workforce.
To protect data, IT and security teams are returning to the fundamentals to drive efficiencies while ensuring data security. Focus areas include what could happen (your security posture), what should happen (your security policy), what would happen (security modeling to prepare for certain circumstances), what is happening (security monitoring across the entire endpoint population), and what did happen (digital forensics and security investigations).
Specific actions organizations can take to address the challenges posed by devices and mobile workers, and establish control, include:
- Conduct, and respond to, regular risk assessments that look both at how data is stored and how data is accessed.
- Harden access: Ensure access to internal systems requires strong authentication and apply strict limits on information available to the outsider. Experts recommend two-factor authentication techniques, such as a combination of a token and a password, for external access.
- Isolate access: Cordon off externally-accessed systems and networks from the rest of the internal network using internal firewalls (similar to a network DMZ used to isolate sacrificial servers). Log and review traffic that traverses the internal firewalls to the externally-accessed systems.
- Log and audit: Maintain and review logs of external access. Unexpected access may turn out to be a false alarm, but check and verify.
- Regularly review: Business partners, freelancers and contractors come and go and their IT needs may change over time. Restrict or revoke access as necessary.
- Be prepared for a breach, with a data breach response plan and a trained team to handle the incident. This can help both mitigate the breach and its fallout.
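The harden-access, log-and-audit and regular-review items above can be checked together in one automated pass over external-access logs. The following Python is an added example, not from the original article; the roster, the CSV log layout, the `+`-joined factor convention and all sample records are constructed assumptions.

```python
import csv
import io
from datetime import date, datetime

# Constructed roster of approved external users: expiry date (None = open-ended)
# and the systems each may reach from outside.
ROSTER = {
    "asmith": (None, {"mail", "hr-db"}),
    "contractor-lee": (date(2019, 1, 31), {"wiki"}),
    "partner-ops": (date(2019, 6, 30), {"files"}),
}

# Constructed log lines in an assumed layout: timestamp,user,source_ip,auth,target
SAMPLE_LOG = """\
2019-02-11T08:02:11,asmith,203.0.113.10,token+password,mail
2019-02-11T08:40:52,contractor-lee,198.51.100.7,token+password,wiki
2019-02-11T09:15:03,partner-ops,198.51.100.23,password,files
2019-02-11T09:20:41,partner-ops,198.51.100.23,token+password,hr-db
2019-02-11T23:47:30,jdoe,192.0.2.44,token+password,mail
"""

FIELDS = ["timestamp", "user", "source_ip", "auth", "target"]


def review(log_text, roster=ROSTER):
    """Return (user, timestamp, reason) for every record that needs a human check."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        user, when = row["user"], datetime.fromisoformat(row["timestamp"])
        reasons = []
        if user not in roster:
            reasons.append("user not on external-access roster")
        else:
            expires, targets = roster[user]
            if expires is not None and when.date() > expires:
                reasons.append("access past review date, revoke or renew")
            if row["target"] not in targets:
                reasons.append("target outside approved systems")
        if "+" not in row["auth"]:  # assumed convention: factors joined by '+'
            reasons.append("single-factor login")
        findings.extend((user, row["timestamp"], r) for r in reasons)
    return findings


if __name__ == "__main__":
    for user, ts, reason in review(SAMPLE_LOG):
        print(f"{ts}  {user:<15} {reason}")
```

Each finding is a prompt to check and verify rather than proof of compromise, in line with the false-alarm caveat in the list.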
Protecting PII and PHI is hard. Protecting PII and PHI on far-flung devices is even harder. But having line of sight, continuously monitoring all the pockets where PII can hide, and controlling access creates a security posture that can better support and evolve with the demands of today’s mobile workforce.