Looking back over the past two years, it’s hard to believe that the COVID-19 pandemic happened. When I first saw the headlines, I thought it would pretty much stay confined to China. But it did not, and it has impacted the world in ways we never thought were possible, for good and for bad. It was scary for those first few months, seeing the financial markets literally melt and everybody getting sick.
Probably one of the biggest lessons learned from this whole thing is the Remote Workforce. It seems like everybody wants to work from home (WFH), and in fact, the people I know of who have received offers made WFH a condition of acceptance. But there is one common denominator with this, and that is that remote workers (heck, really everybody for that matter) are now more glued than ever before to their smartphones.
In fact, according to recent surveys, the following trends were discovered:
* Over 58% use their personal devices to do work-related matters when they know it is against company policy to do so;
* 84% of the businesses polled said that they have literally given up on trying to come up with new strategies to keep employees’ personal devices protected.
Given these trends, one could surmise that as long as the Remote Workforce is here to stay, employees will continue to use their own devices to do their job. So what can you, the CISO, do to keep this from happening? Unfortunately, there is not a lot, unless you want to enter your employees’ homes and do all of the upgrades and patching to their personal devices. But we know that this will never happen. So here are some tips:
1) Require meetings to be held on Zoom or Teams:
These two video conferencing platforms have come a long way since two years ago, especially Zoom, with all of the security flaws that it had at the time. In fact, I have started to use Teams a lot more now, and I am astonished at all of the features it has. For instance, you can dial other coworkers directly, and even hold private chat sessions. But back to the topic at hand: whenever there has to be a meeting, make your employees log in through their laptop (or other company-issued device). If you discover that they have connected through their personal device, kick them off and don’t let them log back in until they have reconnected using the appropriate device.
2) Try to make use of the Zero Trust Framework:
I have written about this before, so there is not much more to say. From what I have been reading in recent articles, some 80% of business entities are trying to adopt this framework. Although there have been some setbacks, overall it seems that there is some success coming out of it. Heck, IMHO, it is far better to make use of at least three layers of authentication or more than just one or two, as the 2FA methodology prescribes. Note that this kind of framework is quite extreme, and you may not have all of the buy-in from your employees. But in the end, you, the CISO, have the ultimate responsibility for the protection of your digital assets.
3) Implement the use of Mobile Device Management (MDM):
With this policy, you are making sure that each and every wireless device that is accessing the shared resources on your servers has been authenticated through the channels you have set forth. If your employees are still insistent on using their own smartphone to reach such resources, then you have to tell them that their personal device has to be registered through the MDM tools and directives. If not, then it’s plain and simple: they won’t have access to shared resources. It’s their choice. In fact, many companies in Corporate America are adopting the MDM framework, and this market is expected to reach a high of almost $16 billion by the year 2025.
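One way to express the device gate that tips 1 and 3 describe, as an added example (it is not the post’s own code and not any MDM vendor’s API): a small policy evaluator over a constructed device inventory that allows meetings only from company-issued devices, allows shared resources only from MDM-enrolled devices that also meet an assumed patch-level and encryption baseline, and records every denial for the security team. The record fields, the resource names and the minimum OS versions are assumptions for illustration.

```python
"""Device-based access gate illustrating the company-device (tip 1) and MDM
enrollment (tip 3) policies.  Added example, not the post's own code.  The
inventory, field names and version floors below are constructed/assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Minimum OS level the policy accepts per platform (assumed values).
MIN_OS_VERSION = {"ios": (16, 4), "android": (13, 0), "windows": (10, 0)}


@dataclass
class DeviceRecord:
    device_id: str
    owner: str
    enrolled: bool          # registered with the MDM
    company_issued: bool    # company device (True) or personal/BYOD (False)
    os: str
    os_version: Tuple[int, int]
    encrypted: bool         # storage encryption turned on


@dataclass
class Decision:
    allowed: bool
    reason: str


# Constructed MDM inventory, keyed by device id.
INVENTORY: Dict[str, DeviceRecord] = {
    "lap-0001": DeviceRecord("lap-0001", "alice", True, True, "windows", (10, 0), True),
    "phn-0042": DeviceRecord("phn-0042", "bob", True, False, "ios", (16, 5), True),
    "phn-0043": DeviceRecord("phn-0043", "carol", True, False, "android", (11, 0), True),
    "phn-0044": DeviceRecord("phn-0044", "dave", False, False, "ios", (16, 5), False),
}


def is_compliant(dev: DeviceRecord) -> Optional[str]:
    """Return None when the device meets the patch/encryption baseline,
    otherwise a short reason explaining the failure."""
    floor = MIN_OS_VERSION.get(dev.os)
    if floor is None:
        return f"unsupported OS {dev.os!r}"
    if dev.os_version < floor:
        return f"{dev.os} {dev.os_version} below minimum {floor}"
    if not dev.encrypted:
        return "storage encryption disabled"
    return None


def evaluate(device_id: Optional[str], resource: str, audit: List[str]) -> Decision:
    """Decide whether `device_id` may reach `resource`.

    Policy from the post: a "meeting" needs a company-issued device; any
    shared resource needs an MDM-enrolled device that is also compliant.
    Every denial is appended to `audit` so repeat offenders stand out."""
    dev = INVENTORY.get(device_id or "")
    if dev is None:
        d = Decision(False, "unknown device: not in MDM inventory")
    elif not dev.enrolled:
        d = Decision(False, "device not enrolled in MDM")
    elif resource == "meeting" and not dev.company_issued:
        d = Decision(False, "meetings require a company-issued device")
    else:
        why = is_compliant(dev)
        d = Decision(True, "ok") if why is None else Decision(False, f"non-compliant: {why}")
    if not d.allowed:
        owner = dev.owner if dev else "?"
        audit.append(f"DENY device={device_id} owner={owner} "
                     f"resource={resource} reason={d.reason}")
    return d


if __name__ == "__main__":
    log: List[str] = []
    sample_requests = [("lap-0001", "meeting"), ("phn-0042", "meeting"),
                       ("phn-0042", "fileshare"), ("phn-0043", "fileshare"),
                       ("phn-0044", "fileshare"), ("rogue-9", "fileshare")]
    for dev_id, res in sample_requests:
        print(dev_id, res, evaluate(dev_id, res, log))
    print("\n".join(log))
```

Run it directly to see the decision for each sample request. The audit list is the detection hook: a personal phone that keeps being denied is the signal that an employee is trying to work around the policy, which is exactly the conversation the post says you have to have with them.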
4) Make sure that only legitimate apps are downloaded:
This can be a dicey situation. If you have given your employees a company-issued device, then there is no worry about conducting random audits on them to make sure that only legitimate apps have been downloaded. But if an employee is using their own device, then this becomes an issue of privacy-rights violation. I really don’t have a definite answer on this one, so it may be best to consult with your business attorney to see how you can go about doing this.
5) Train your employees:
If you expect your employees to maintain good levels of cyber hygiene when it comes to using their personal devices for work-related matters, then you need to give them the ammunition to do so. So in this regard, you need to be delivering security awareness training programs at least on a quarterly basis, with a focus on safe smartphone usage. No need to keep these training programs going for hours on end; even a simple 30-minute one will do. Remember, you want your WFH employees to remember and apply what they have learned. In fact, this has been one of the key mantras of Cyber ever since COVID-19 hit. But quite astonishingly, only 50% actually give any sort of formal training program for their employees, whether they are remote or not. More information about this can be seen at this link:
https://newblogtrustlook.files.wordpress.com/2016/10/trustlook_insights_q4_2016_byod.pdf
My Thoughts On This:
This concept of employees using their own smartphones to conduct work-related matters is really nothing new; in fact, I first wrote about this back in 2012. It is called “Bring Your Own Device”, or “BYOD” for short. In the end, given the work climate today, you want to keep your good employees by giving them certain freedoms that would not have existed before.
But employees also need to meet you halfway in this regard, and allow some sort of security scrutiny of their personal devices by you and your IT Security team, if they are going to use them for work-related purposes. Once again, I am not sure what the legal ramifications of this are, but I would say go ahead and try this policy the best you can.
The worst-case scenario is that an employee who does not agree with this will probably just simply quit. But of course, during this period of the so-called “Great Resignation”, finding a new employee who is willing to abide by your security policies should not be too difficult either.