In the early days of the Covid-19 pandemic, when organizations rapidly shifted their employees to remote work, the focus was typically on maintaining business continuity first and foremost. Cybersecurity was important, too, but because cybersecurity teams assumed that widespread remote work would be a temporary affair, they didn’t always invest extensively in securing remote workforces.
Fast forward to the present, however, and it’s clear that challenges that once seemed temporary have become permanent. Like organizations across all sectors, government agencies are now committed to remote or hybrid work environments for the indefinite future. Indeed, in July 2021 — before the full onset of the Delta variant of Covid-19 threw yet another wrench into return-to-office plans — Gartner predicted that more than 80 percent of employees would work totally remotely or on a hybrid basis after employees returned to the office.
The takeaway here is that, for agencies that haven’t yet implemented the security controls necessary to mitigate cybersecurity threats against distributed workforces, now is the time to do so. Remote work has become the new normal, and security for remote workforces must enter the same category.
This article walks through four key points to bear in mind when securing the IT resources of remote and hybrid workers.
Point 1: Remote work means more risks
The most basic point to understand is that — to put it bluntly — the more remote workers you have, the more cybersecurity challenges you are likely to face.
That’s due in large part to the fact that remote employees are more likely to intermix personal applications and data with those that they use for their work. When employees work from home, you can’t use on-premises firewalls to segment work resources from the Internet, for example. Nor can you block malicious websites or scan for phishing emails at the network level.
Along similar lines, remote work and the pandemic have created what Forrester depicts as the “perfect conditions for insider threat[s]” to materialize. As employees bring sensitive data and applications into their homes, cyber criminals wishing to harm the agency or access the data can more easily do so in the absence of in-office cybersecurity safeguards.
This is not to say that agencies should avoid remote work altogether. That’s no longer a realistic proposition in the age of Covid-19. But they should recognize that the pandemic and the shift toward distributed workforces have sharply increased the number of cybersecurity risks that originate with employees and their personal computing devices.
Point 2: Government targets face especially steep risks
While the cyber threats described above may harm organizations of all types, recent breaches suggest that government agencies are especially likely to end up in the crosshairs of attackers.
Consider the SolarWinds breach that was disclosed in late 2020, for instance. A main goal of the attackers was apparently to compromise SolarWinds’s monitoring software in order to gain unauthorized access to the IT systems of organizations that use that software — a list that includes a variety of major government agencies, such as the departments of State, Homeland Security, Treasury and Commerce.
It’s clear, then, that attackers are actively seeking out government agencies. Combine that fact with the increased risks of cyberattack born out of the shift to remote work, and you end up with the perfect storm for cyberthreats against government agencies.
Point 3: Third-party software must be vetted carefully
Managing these cybersecurity threats requires tools that can systematically verify, identify and manage every third-party resource that accesses a government network.
After all, as the SolarWinds attack demonstrated all too well, attackers today may not try to breach government networks directly. Instead, they’ll compromise the resources of third-party suppliers to the government, and use those resources as a backdoor into government networks.
What this means is that “front door” defenses like firewalls, VPNs and internal malware scanners aren’t enough. Agencies also need software that can vet every third-party application, service or database that they use and ensure it came from a trusted source.
Point 4: Zero trust is key
At the same time, agencies must adopt a cybersecurity strategy oriented around the concept of zero trust in order to add another layer of defense to their sensitive, highly distributed networks.
Zero trust means disallowing access to third-party resources by default, and granting it only after those resources have been deemed trustworthy and secure. It’s the opposite of trusting third parties until you deem them insecure, which is the approach that many organizations default to today.
In the context of distributed workforces, zero trust means practices like ensuring that employees’ personal devices are blocked from the network until and unless those devices are deemed secure. It also means segmenting personal home networks and public Wi-Fi networks from government agency networks that employees log into.
Finally, zero trust entails adopting an “alert mentality”: Agencies should be constantly vigilant and on the lookout for cyber threats, even when they don’t have reason to believe there is an active threat against them.
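The contrast between trusting until proven insecure and denying by default, together with the device and network handling described above, can be made concrete in a few lines. This is an added example, not code from any product mentioned in this article; the posture attributes, network labels and device IDs are hypothetical and the sample requests are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical posture attributes; None means "not reported / unknown".
@dataclass(frozen=True)
class Device:
    device_id: str
    disk_encrypted: Optional[bool] = None
    os_patched: Optional[bool] = None
    edr_running: Optional[bool] = None

FLAGGED = {"dev-003"}                         # constructed blocklist of known-bad devices
UNTRUSTED_NETWORKS = {"home", "public_wifi"}  # networks the agency does not control

def trust_until_flagged(dev: Device) -> str:
    """The common default: allow unless the device is already known to be bad."""
    return "deny" if dev.device_id in FLAGGED else "allow"

def zero_trust(dev: Device, network: str) -> str:
    """Deny by default; every posture check must be affirmatively True."""
    checks = (dev.disk_encrypted, dev.os_patched, dev.edr_running)
    if not all(c is True for c in checks):    # False and None both fail closed
        return "deny"
    if network in UNTRUSTED_NETWORKS:
        # Verified device on a home or public network: keep it segmented,
        # reachable only through a brokered gateway, never the internal LAN.
        return "allow_segmented"
    if network == "agency":
        return "allow"
    return "deny"                             # unrecognised network label

# Constructed sample requests: (device, network the request arrives from)
SAMPLES = [
    (Device("dev-001", True, True, True), "agency"),
    (Device("dev-002", True, True, True), "home"),
    (Device("dev-003", True, False, True), "public_wifi"),
    (Device("dev-004"), "home"),              # personal laptop, no posture reported
]

def compare():
    """Return (device_id, legacy decision, zero trust decision) per sample."""
    return [(d.device_id, trust_until_flagged(d), zero_trust(d, n)) for d, n in SAMPLES]

if __name__ == "__main__":
    for row in compare():
        print("%-8s trust-until-flagged=%-5s zero-trust=%s" % row)
```

The row to watch is dev-004: a device that reports nothing is admitted by the blocklist model and refused by the default-deny model.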
In short, the pandemic, combined with a growing focus on government targets, has made cybersecurity a more serious concern than ever for government agencies, especially with regard to ransomware. The solution needs to balance protecting the organization with maintaining the privacy of employees and suppliers when they are not connected to the organization’s domain. The keys to a successful response include deploying Remote User Protection solutions that can apply a zero trust security approach to the sensitive IT resources on which distributed workforces depend. To see a demo of the zero trust platform, please contact us and hear more about how we protect organizations with remote employees.