For those who haven't gotten the memo yet, offering work from home — or at the very least a more flexible approach to off-site employment — is essentially table stakes in the post-pandemic job market.
To adequately satisfy both employee demands and the concerns management has over productivity, collaboration, and security, organizations must start thinking about a long-term, comprehensive remote work strategy, as well as the IT and IT security infrastructure needed to support it.
Related: The Future of Work Is Hybrid
The executive team, with input from HR, should be the key drivers in developing a company's remote work strategy, according to Shiran Weitzman, CEO of regulatory technology specialist Shield.
"Work-from-home policies are meant to provide a better work/life balance, but that shouldn't come at the cost of productivity."
— Shiran Weitzman, CEO, Shield
"While employee productivity will take precedence, you'll also want to consider company culture, employee retention, and recruiting considerations when deciding a company's work-from-home policy," he said.
New tech tools are being developed rapidly to meet the demands of today's work-from-home economy, so when considering solutions, organizations must ensure they are tailored for today's work atmosphere, Weitzman explained.
"Work-from-home policies are meant to provide a better work/life balance, but that shouldn't come at the cost of productivity," he said.
In today's work-from-home world, electronic communication apps such as WhatsApp and Zoom are becoming commonplace, despite causing massive data, risk, and compliance challenges to the enterprise, according to Weitzman.
"Organizations, especially those in regulated industries, are in immediate need of workplace intelligent platforms, powered by modern technology, that can securely monitor work communication channels in order to avoid financial crime, privacy risk, misconduct, harassment, and other nefarious activities," he said.
IT Closes the Gap, but Issues Remain
The experience of going through the COVID-19 pandemic, where IT teams were suddenly dealing with infrastructure issues like firewalls and VPN connections — not to mention training employees in these areas — has helped prepare them for the long-term shift to distributed workforces, according to David Lewis, CEO of HR consulting firm OperationsInc.
"I think that gap is far smaller today than it was a year ago, but those issues need to be at the forefront of anybody in the IT profession, so they can look at the day-to-day existence of the company and say far more comfortably today than they said 18 months ago how safe, secure, and complete the technology infrastructure is right now," he said.
However, the onus is on organizations to move forward with ways to integrate this remote work reality on a permanent level.
"Anybody who's in an IT position will tell you operating in an environment where you're controlling almost everything within the four walls of your office is infinitely different than saying most of your users are going to have their own individualized access point and setup into your network shop filled with all sorts of vulnerabilities," Lewis said.
This poses the twin challenges of ensuring that the technology supports that distributed workforce and that users understand how to properly use the technology so as not to become individual security risks across the entire network.
"People are now the new attack surface, and they are particularly more vulnerable working outside of the security bubble of their corporate offices."
— John Checco, resident CISO, Proofpoint
Another challenge when addressing the need for constant, seamless connectivity and availability: At the end of the day, the expectation is that companies want people to be able to operate effectively and efficiently on a remote level.
"You can't have people sitting around and waiting for emails … or not being able to access files seamlessly," Lewis noted. "There can't be any disruption. There is no acceptable level of the network being down."
Work from Home Opens 'Pandora's Box' of Security Issues
In fact, many organizations have had to refocus their technology and security efforts from on-premises work environments to an all-remote workforce, resulting in myriad new security issues that need to be addressed.
From the perspective of John Checco, resident CISO at Proofpoint, remote work opens a Pandora's box of potential cyberthreats.
"The last two years have seen remote work options take off, which in turn has increased the potential attack surfaces of an organization," he said. "People are now the new attack surface, and they are particularly more vulnerable working outside of the security bubble of their corporate offices."
Home networks are not as secure as office networks, and devices may be shared with others, Checco said.
In addition, new external pathways to access corporate systems are a huge danger, giving threat actors more ways to break in but also making it harder to track what workers are extracting out.
Checco pointed to recent findings from Proofpoint and the Ponemon Institute, which show that regardless of whether it's negligent or malicious, insider threats are costing organizations $15.4 million annually, up 34% from 2020 when the pandemic hit.
"It's critical that security teams place people at the center of their security strategy as remote working continues into 2022," he said. "Users truly are both the first and the last line of defense against all methods of social engineering."
The focus for many organizations with a remote workforce should be on creating a toolbox of security measures that includes security awareness education in tandem with dynamic phish testing — this provides a foundation to ensure everyone can identify a phishing email and easily report it.
Organizations also need layered defenses at the network edge, including a secure email gateway, a cloud access security broker (CASB) for cloud-based application access, and a VPN for on-premises application access, Checco said.
Browser isolation would allow for frictionless, safe, and secure access to untrusted and/or unknown external sites, while data loss prevention (DLP) would help protect information from being exchanged across unsanctioned physical as well as logical borders, giving protection beyond the traditional network edge.
Email authentication protocols such as DMARC, DKIM, and SPF can help determine the validity of any emails sent from an organization's domain, Checco added.
It takes the cooperation of the business, infrastructure, technology, and security teams to address long-term remote workforce security and resiliency, he said.
"At first blush, securing the remote workforce may fall solely upon the CISO and security teams, but that would not be a prudent strategy," Checco said. "Once a strategy is defined, the deliverables of the implemented tactics — such as MFA [multifactor authentication], CASB, and DLP — must be communicated to all teams to temper expectations and provide feedback."
Policy Implementation: Feedback, Transparency, Communication
"We've found that transparency is the best approach when it comes to working-from-home policies," Weitzman said. "Executives should communicate reasoning behind a company's work-from-home policies, as well as what's expected and how work productivity will be monitored."
He added that the ability to communicate with peers and clients is an important part of maintaining good working relationships, pointing out that security issues crop up here too.
These could include a lack of control for non-registered, unwanted, or hidden participants, and a lack of control over file- and/or screen-sharing of confidential data.
Overall, for an effective remote work strategy, there must be more communication between remote workforces and management, including consistent communication touchpoints with the organization's various teams, said Brittany Nisenzon, metro market manager at Robert Half Technology.
"We've seen some companies using employee feedback to shape additional policies and put together guidelines and to make sure that the work is getting done and is coming through," she said. "When we talk to candidates and employers that have remote policies, they're almost all having meetings and more communication over [Microsoft] Teams or over Zoom — you need to make sure people are dialed in and available and getting through in their work."
That level of communication also needs to extend through to the hiring process, as many potential employees are now demanding in writing that they will never be required to come into the office — something many employers are still finding difficult to accept.
Nisenzon recalls a recent experience trying to place a candidate whose demands included a permanent remote work setup — the employer countered with a $20,000 salary bump, in addition to a generous benefits package.
"The company checked all of those boxes, but they would not put in writing that it would be 100% remote," she said. "Ultimately, the candidate walked away."
About the authorNathan Eddy is a freelance writer for ITPro Today. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin.