Keeping employees secure and productive has been a constant balancing act for IT administrators. It has never been ‘easy’ but there were certainly fewer variables when most employees worked from an office. With so many of us now working remote for the foreseeable future, it’s more important than ever for IT teams to revisit their firm’s policies and best practices to keep up with the changing work environment.
When you ask remote workers what burdens them the most, poor connectivity, the lack of mobile-optimized applications, the constant need for re-authentications, and restrictive security policies almost always top the list.
But for IT and decision makers higher up the ladder, security concerns almost always top the list. Fortunately, there are several decisions that CISOs and IT administrators can make that will keep their organizations safe without damaging the employee experience.
These are the top five considerations:
1. Security training for employees
Security training is often the most overlooked and undervalued aspect of keeping a business safe. Given the appropriate knowledge and tools through security awareness training, employees can be equipped to recognize threats, which will in turn greatly reduce the risk of a successful cyberattack. It’s particularly important that employees learn how to handle information on their devices and when using cloud services, especially if the information is proprietary or involves a client’s personally identifiable information (PII). Ensuring that employees take this training regularly also contributes greatly to the success of security practices.
Employees also need to be made aware of the importance of proper password usage and management. It is always eye-opening to learn that 53 percent of people admit to using the same password across multiple accounts, often reusing passwords for both business and personal use, which means a breach of a consumer site can hand an attacker working corporate credentials. Getting employees to break this habit, for instance by encouraging the use of a password management tool, is a vital part of any security initiative.
2. Device management solutions
This tip is a no-brainer. IT teams managing a remote workforce with devices such as laptops and smartphones need to adopt some form of mobile device management (MDM) solution, or its more modern counterparts, unified endpoint management (UEM) and enterprise mobility management (EMM). These offer varying degrees of very useful features, including the ability to locate, lock and wipe misplaced or stolen devices, while greatly streamlining notoriously tedious functions such as frequent software updates.
Multi-factor authentication (MFA) should also enter into the mix. Although not a device management tool, it is a feature that can be deployed to help secure applications. Employees may see this as an annoying extra step, but MFA (or 2FA) has become widely used among consumer services and is recognized as a simple yet effective enhancement to security policies (as long as it is not required too frequently).
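To make concrete what the second factor in MFA actually checks, here is an added example (not code from the article or from any product mentioned in it) of server-side TOTP verification as standardised in RFC 6238, built on RFC 4226 HOTP. It accepts a code for the current 30-second step plus one neighbouring step on either side to absorb clock skew, and refuses to accept the same step twice so that a shoulder-surfed or phished code cannot be replayed. The shared secret is the RFC test-vector key and the timestamps are constructed fixtures.

```python
"""TOTP (RFC 6238) verification with a clock-skew window and replay protection.

Added example for this article; not code from the original page or from any
vendor it mentions. The secret and timestamps below are constructed test
fixtures (the secret is the RFC 4226/6238 test-vector key).
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HMAC-based one-time password for a single counter value."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second intervals since epoch."""
    return hotp(secret, unix_time // step, digits, algo)


class TotpVerifier:
    """Server-side check for one user's TOTP codes.

    Accepts the code for the current step and `window` steps either side of it
    (tolerates clock skew between phone and server), and never accepts a step
    at or before the last accepted one (defeats replay of an observed code).
    """

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, window: int = 1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.window = window
        self.last_accepted_counter = -1   # per-user state; persist this in production

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue                              # used already, or older than a used code
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test-vector secret, 8-digit codes.
    secret = b"12345678901234567890"
    verifier = TotpVerifier(secret, digits=8)
    code = totp(secret, 59, digits=8)                 # code valid for the step containing t=59
    print("code:", code)
    print("first use accepted:", verifier.verify(code, now=59))
    print("replay rejected:", not verifier.verify(code, now=59))
    print("skew within window accepted:", TotpVerifier(secret, digits=8).verify(code, now=89))
    print("too stale rejected:", not TotpVerifier(secret, digits=8).verify(code, now=119))
```

The window size is the trade-off the paragraph hints at: a wider window is friendlier to devices with drifting clocks but lengthens the lifetime of any intercepted code. How often a user is prompted for the second factor is a separate session-policy decision; the verification itself is cheap enough to run on every prompt.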
3. Don't lock devices down so tightly that users route around you
Speaking of devices, keeping a firm grip on what a device can do, and on the services it can and cannot access, is often viewed as a critical part of security. This desire for control can lead IT teams to err on the side of locking down smartphones and laptops, providing employees with only a limited number of approved applications.
As we’ve seen with the rapid rise of video conferencing platforms such as Zoom, or even the widespread adoption of WhatsApp around the world, applications that are popular with consumers can quickly find their way into the business world, even if they do suffer from underlying security flaws.
The important thing for IT teams to remember is that locking devices down too strictly generally leads to Shadow IT. Employees want to be productive at their jobs, and don’t want to juggle multiple devices. If they can’t access the features they want, they will find creative ways to circumvent security, whether by accessing cloud-based applications through a browser, or by sharing data with unsecured (and often unpatched) devices.
It can take considerable effort to work with employees to roll out the kinds of applications that they want to use while ensuring that security is maintained. But taking the long-term view, having employees working with IT rather than against it will ultimately help to reduce the kind of shortcuts that lead to Shadow IT, and lower the risk of security breaches.
4. Use an enterprise VPN
Contrary to what many people have been saying, the VPN is not dead. Unlike the legacy VPNs developed 20 years ago, the mobile-enabled VPNs available to IT teams today can actually enhance the user experience, particularly for remote workers.
Many people rightly complain that a VPN slows the network down, that it requires frequent re-authentication, and that it cannot distinguish between traffic that must go down the tunnel and traffic that can safely be sent directly to the internet. Worst of all from a security perspective, a traditional VPN cannot weed out bad actors from legitimate users: anyone holding the right credentials is automatically trusted.
None of these criticisms need hold if you choose the right enterprise VPN. Current products offer split tunnelling, application persistence across network changes, and data compression alongside encryption, and they let administrators apply granular policies that layer conditional access (device posture, location, time, application) on top of authentication, on a client that works consistently across operating systems and networks. One caveat a practitioner should keep in mind: traffic excluded by a split-tunnel rule bypasses the organisation's inspection and filtering, so the exclusion list deserves the same scrutiny as any other firewall rule.
5. Update and patch religiously
There are other ways that an IT team can keep its organization secure without burdening employees. One of the most crucial is to ensure that devices are patched and kept up to date. In 2019, for example, we saw a huge jump in the number of state and local governments targeted by ransomware. In many of these cases the initial access came through an email or phishing attempt that went on to exploit old, outdated or unpatched software; with current patches in place, a far greater share of those attacks would have stalled at the first step. Microsoft, Apple and others have become much better at issuing patches and updates for vulnerabilities, so make sure that automatic updates are enabled, or push them out manually as soon as they are available.
The balancing act between security and worker productivity will continue, but it can often be a win-win. The key takeaway from all of this is that security is never optional. It must, however, be usable in order to succeed.