Over the past year, working from home has gone from a temporary necessity to the new normal for many industries. United States federal government and Department of Defense (DoD) workers are no exception. The only difference is the highly sensitive information that federal agency workers handle, making work from home data handling particularly risky.
Back in March, Acting Director of the Office of Management and Budget Russell Vought sent out a memorandum stating that all “federal executive branch departments and agencies are encouraged to maximize telework flexibilities to eligible workers” in response to COVID-19. Since then, work from home continues to be the norm for many — if not most — federal personnel.
And the harsh reality is that security controls that have traditionally worked in the office won’t necessarily translate to the remote, work from home environment. In fact, it’s sometimes hard to define what “home” is for some workers, in addition to myriad other short and long-term challenges.
The good news is that by understanding the new cybersecurity risks posed by federal work from home, federal IT and cybersecurity professionals can begin adopting strategies and solutions to make work from home safe and secure.
- Facing trends influencing federal security
- Long term trends taking shape
- Potential work from home IT risk
- Solutions to mitigate work from home risk
1. Facing trends influencing federal security
There are a number of immediate trends that federal agencies and departments need to be aware of that will significantly impact cybersecurity risk. These range from the nature of online communication and collaboration to re-thinking what adequate access control measures mean for the day-to-day activities of personnel.
First, IT departments will actually need to re-define what “home” actually means. Even during lockdowns, employees might still carry devices that contain confidential information outside of their home office. Therefore, work from home should actually be conceived of as working from a coffee shop or co-working space. If a hacker or cybercriminal manages to get ahold of a smartphone that’s not adequately protected, critical data could potentially be exposed or stolen.
That’s why tracking access location is already becoming critical for monitoring federal work from home activities. Having technology in place that can accurately track the geo-location of any login and access activity is something that all federal departments are going to need to implement in the near future for all employees. Along with that, stronger device authentication should become more prevalent. Two-factor and biometric authentication being just two examples.
And in the event a device does go stolen or missing, IT departments will need to cope with shifting risk factors and determine what exactly constitutes a data breach and what doesn’t. In a traditional office setting, hackers and breaches are incoming, so it’s clear what constitutes a cyber attack or breach. But if a worker loses or leaves a phone at the gym, agencies will need to decide whether or not that constitutes a breach.
Acceptable use policies are also becoming blurred with the uptick in work from home. Especially as most departments and vendors ramp up for the implementation of the Cybersecurity Maturity Model Certification (CMMC), it’s going to be critical for departments to codify and communicate how employees should handle sensitive information at home. Personnel should know not to use their departmental issued smartphone for extensive personal use, for instance.
2. Long term trends taking shape
Agencies also need to be aware of the longer-term technology factors that will heavily influence cybersecurity risk over the next several years. Even post-pandemic, work from home will likely continue to rise. Anticipating these factors today will help departments cope with tomorrow’s cyber risk environment.
Recent data indicates that as of September, a full 60 percent of federal workers expect to remain in work from home status at least over the next six months. Over half of those workers also feel that work from home hasn’t significantly impacted their operations or productivity. However, maintaining effectiveness under work from home conditions necessitates shifts in technology strategy that introduce potential risk factors.
Like most other industries, federal agencies will continue to adopt more robust online collaboration applications and platforms to help workers carry out their day-to-day team activities. One side effect will be the decrease of on-premise hardware and software used to store and manage data. This will only serve to accelerate Federal CIO’s overarching Cloud Smart Strategy outlined in 2019.
And according to Accenture, peer software collaboration platforms will prove central to this cloud migration. Peer collaboration meaning that disparate departments and agencies will be able to work more seamlessly. Inter-departmental collaboration software will also be critical for scalability, as agencies add more staff over time. And public agency leaders agree, with 85 percent of service executives saying that peer data sharing platforms will be critical for automation and efficiency at scale, per Accenture.
3. Potential work from home IT risk
Federal agency IT leaders need to get real and become informed about the cybersecurity risks the right way in order to assume an effective defense posture. These risks include endpoint vulnerabilities in collaboration platforms and Bring Your Own Device (BYOD) teams. Then there’s the risk of Shadow IT, where people use personal accounts or devices to handle sensitive information.
The issue with open collaboration applications and platforms, from communication tools like Slack to project management software like Asana, is multi-layered. First, information is dispersed not only across multiple work from home endpoints along with cloud servers. Data isn’t centrally controlled within an agency, and therefore more vulnerable. Second, the element of human error may rear its ugly head as workers may not be adequately trained on things like password strength and multi-factor authentication.
This ties in with BYOD and Shadow IT security risks. As mentioned, workplace devices in the home are at risk for being lost, stolen and broken into. Not to mention the fact that hackers may target someone’s in-home wifi network. And some workers may innocently use things like their personal Dropbox account or household tablet to conduct work activities, not knowing that these accounts and devices are less secure than government issued ones. Often it’s impossible to know exactly how many other devices or accounts workers use in addition to their standard issued and approved ones.
4. Solutions to mitigate work from home risk
Fortunately, there are a number of measures, strategies and technologies that federal agencies can — and should — implement the many additional cybersecurity risks posed by the work from home environment. Agency leaders should consider a mix of robust tech, enhanced employee education and adoption of fed-specific regulatory frameworks.
Any solid federal work from home cyber risk mitigation strategy needs to include a technology platform — or multiple applications — that conduct endpoint vulnerability scans. More at home workers mean more devices and networks that a potential hacker can access, and you’ll want software that can proactively monitor your entire ecosystem around the clock. And as a supplement, you’ll want to enlist a cybersecurity and compliance partner to conduct regular penetration testing on critical systems.
And what many public sector entities fail to realize is that a great number of breaches are actually the result of internal user error or carelessness. This can range from leaving their devices unlocked in a public setting to falling for phishing attacks to their government email address. You’ll need to develop and conduct cybersecurity training and education programs specific to work from home risks. Make sure everyone knows how to do things like configure their personal firewall settings and enable multi-factor authentication on all devices.
Your training program is just one piece of what should be a larger information security policy tailored to address risks like BYOD breaches and Shadow IT hacking. What’s more, this policy should be based on a proven and accepted regulatory framework applicable to federal agencies. The National Institute of Science and Technology (NIST) cybersecurity framework is one such example. An experienced federal compliance partner can help you select the most appropriate framework and tailor its implementation to optimally reduce the risk of your specific work from home environment.
Federal agencies shouldn’t expect work from home to taper off anytime soon. The pandemic situation remains in flux, and governmental team members are becoming acclimated to maintaining productivity away from the office. The first key to preventing breaches, hacks and data leaks is to get clear on the short and long term trends like cloud collaboration platform use and BYOD that will only grow. And bring that knowledge into focus with specific risks like device loss and at home wifi hacking.
The bottom line is federal agencies need to take a unique tact towards work from home cybersecurity due to the sensitive nature of the information they handle, from social security numbers to military communications. Agencies need to make work from home cybersecurity a team effort, from personnel training and education to regulatory framework implementation with experienced cybersecurity and compliance partner.