Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center), says it's essential to identify areas of IT weakness before the bad guys do...
As the impact of COVID-19 has forced businesses to move to remote work models, there are some real considerations businesses, managers and workers should realize – particularly when dealing with a technical or engineering workforce.
First and foremost is that more jobs can be effectively performed remotely than you might expect; you may just need to adjust the parameters for a project a bit. I can say this with confidence as for most of my career I’ve worked remotely and managed remote teams.
The trick is to recognize that it’s less about how a manager manages their team and more a recognition that everyone approaches managing their work differently.
For teams accustomed to working in office environments where their co-workers are close by, being remote will naturally create challenges.
This by definition will present some challenges to those engaged in Pair Programming or those whose teams have structured their work around ideation pods, as examples.
It’s also critical to note that when someone is a remote worker, they are by definition going to be working outside of the control of their IT organization. This means that IT needs to facilitate remote work rather than attempting to limit access, as any speed bumps will inevitably create the proverbial workaround.
Of course, some people aspire to be remote workers and develop their individual work practices around either time shifting or being productive despite their physical location. This choice is precisely opposite to those workers who prefer working in an office environment and build their work practices around social collaboration.
Recognizing the attributes of these work styles is key to maximizing productivity when remote work styles are forced on everyone.
For example, if you’re a remote worker like me, you look at work as a series of tasks, not as time spent. This means that I break my work up over the course of the day and usually don’t put in a consistent eight hours.
Considering that I spend a fair amount of my time in differing time zones throughout the month, this model allows me the flexibility to be productive regardless of flight schedules, projects or speaking engagements.
Those forced into a remote work model haven’t had to think about precisely what makes them productive and what is fundamentally a challenge.
For example, their “home office” environment is likely far from ideal. It might be shared with children or pets who are demanding attention. It might be a corner of a room, on the kitchen table, or perhaps even in a closet.
Managing distractions will itself be a new muscle to be exercised for those accustomed to predictable office environments.
From a work management perspective, those managers who thrive on knowing precisely what each employee is up to will experience a level of angst they aren’t anticipating.
Employers may even seek out remote monitoring software to ensure that employees “are actually working.” Ignoring the privacy and employee morale implications such software solutions might have, it’s important to recognize that managerial angst does impact employees directly.
Independent schedules for each worker, together with changes in feedback models – both positive and negative – can result in employees becoming anxious as to whether they are performing to expectations.
It then falls to managers not only to reassure their staff that they are indeed meeting expectations aligned with their new normal, but also to ensure that assignments are properly scoped based upon the unique situations of their employees.
For example, if a remote worker has children who are expected by their school system to engage with their teachers daily and continue their school year from home, that worker isn’t likely to be free to complete all the work they normally might in a full work day.
Quite simply, such workers are now both full-time employees and minimally part-time educators. For those accustomed to focusing on technical problem solving, the changes in environment along with increased and novel distractions can easily lengthen the time it takes to deliver their product changes.
When defining new management and task paradigms, it’s important to also look at the cyber security and IT aspects of remote workers.
For example, consider remote workers having access to customer data as part of their job; if they are now using a home computer as their work computer, how is that customer data being secured?
If the employer has provided a corporate managed laptop for the remote worker, that laptop is likely secured on the assumption that it’ll periodically be on the corporate network.
This means that items such as security policies and password resets may be deferred while the laptop is off the network. Such assumptions will need to be revisited when there are extended “stay at home” directives as we’re seeing state governors issue.
Of course, home networks are unlikely to be as well secured as their corporate cousins and with entire families sharing bandwidth those home networks will be challenged to support concurrent video conferencing activities.
Of course, public crises attract the attention of criminals seeking to profit from the pain of others. With even IT and security response teams operating as a remote workforce, what constitutes a normal network pattern is no longer normal.
For example, VPNs designed for emergency access or for a limited number of remote workers are quickly overloaded, as are the networks supporting them. Malicious groups can then directly impact an organization by mounting a denial of service attack against their VPN link.
Looking beyond supporting a general workforce, each team should identify security changes to their processes.
For example, software developers working outside of corporate governance walls could accidentally include code enabling supply chain attacks.
Supply chain attacks occur when an attacker poisons popular legitimate software with malicious code. Such attacks prey upon the reality that when downloading software, it’s often difficult to distinguish between a legitimate source and one containing code the authors didn’t include in their official releases.
Each of these scenarios is the type of question business leaders should be asking their IT and cyber security teams as part of threat modelling exercises. While all security vendors are busy promoting their tools and presenting their variants of a doomsday scenario, the reality is that it’s impossible to properly defend against the unknown.
When you recognize that the attackers are the ones setting the rules of their attacks, you want to ensure that you’re not easy prey for them.
Building threat models to assess your cyber security team is something any team can do; it just starts with asking some questions and being willing to be a bit paranoid.
With an uncertain end to the various stay at home orders, identifying areas of IT weakness before the bad guys do is an excellent investment.