The COVID-19 pandemic caused a disruption in the working landscape, forcing organizational leaders, shareholders and other stakeholders to activate disaster preparedness plans and shut down their physical office spaces, transitioning to a remote workplace. Now, approximately a year later, remote work remains a mainstay of professional life. A recent survey by Upwork revealed 42.8% of the American workforce remains fully remote, and HR and managers believe that 26.7% of the workforce will continue to be fully remote in one year.
What challenges have security leaders navigated since the pandemic?
Remote Work Challenges for Security Operations
The “new normal” has challenged physical security departments to rethink how to protect workplaces and their perimeters, as well as the health and safety of employees and overall assets.
In March 2020, the immediate focus for Richard Amburgey, Chief Security Officer (CSO) at the Bureau of Labor Statistics (BLS), was to keep employees, assets and critical components of the BLS safe while ensuring continuity of critical services at the BLS, which includes producing and distributing gold-standard data for public and private decision making.
As CSO, Amburgey leads, advises and coordinates security operations, and protects the life and property of the BLS National Headquarters building in Washington, D.C., a 1.2 million-square-foot multi-tenant facility that houses more than 2,200 occupants.
Due to his background as chief of regional security operations in Chicago for the Federal Emergency Management Agency (FEMA), Amburgey was prepared for this and various other challenges. At FEMA, Amburgey was specifically charged with developing effective physical security countermeasures to protect employees, facilities and assets so that FEMA personnel could carry out their daily operational mission.
“Having the familiarity with security and emergency management and how pandemics work in terms of incident commands, how to respond and how to mitigate risk was a huge advantage for me, but also to bring to the table to BLS during the COVID-19 pandemic,” he says.
Early on, he recognized the need to establish a pandemic management team: The Coronavirus Response Team. Ultimately, the goal of the team is to provide guidance in terms of health and safety and security to the staff and to those out in the field, as well as maintain compliance with health and safety guidelines established by the Occupational Safety and Health Administration (OSHA). The guidelines include implementing and promoting basic infection prevention measures; developing, implementing and communicating workplace flexibilities and protections; and implementing workplace controls such as engineering controls, administrative controls, safe work practices and PPE.
Another key focus for Amburgey was to ensure security monitoring capabilities were adjusted to meet the transition to work-from-home as well as the expanded operating network given the remote workforce. Monitoring capabilities give Amburgey and his team the ability to have a record of requests and responses, but also give the visibility needed to identify vulnerabilities and attacks, and provide real-time visibility into the organization’s overall security posture. In addition to basic employee monitoring, the solution includes insider threat detection, third-party vendor monitoring, data loss prevention, risk management, legal and compliance features as part of the monitoring suite.
“A challenge has been the fact that we’re collaborating with the IT security team to establish network-ready security systems,” Amburgey says. All systems have been placed on government servers and into the firewall, so the security teams can access and remotely log in to those systems from anywhere at any given time. The process allowed Amburgey, his team and the agency as a whole to successfully and smoothly transition all operations remotely.
The biggest priority was having security-related systems placed on the networks to be able to respond to any incidents or events in real time, as well as have the ability to lock out card readers, or pull footage from the camera systems to aid in the investigation.
To help continuity of operations, Amburgey developed a security services metrics software program that acts like a “help desk and a SharePoint feature combined together.”
The software program allows the security team to track every server, every call for service — whether that is a simple request to get a PIB pin reset, to process a security clearance, or to service a card reader experiencing connectivity issues. “Every single thing we do is tracked, including phone calls and emails that request calls for service. Ultimately, at the end of the day the report comprised of daily data tells a story, but also gives us the advantage to receive buy in from senior leadership,” he says.
The data allows security to show that security is more than just what Amburgey calls the three G’s: the guards, the guns and the gates, which is often what security leaders receive funding for. Not only does the data show what is working with security operations, it also shows what isn’t working and lessons learned to help prevent other emergencies and be better prepared for crisis. “The data is definitely telling our story when getting the C-suite to buy in; it’s showing results and helping us in ways that I knew would happen for the security team.”
Eyes on the Target, Boots on the Ground
While managing incident response was imperative for Amburgey and the security team amid the COVID-19 pandemic, one challenge even more difficult for many security leaders is protecting facilities and assets from afar. Not having eyes on the target, specifically the BLS National Headquarters building in Washington, D.C., a 1.2 million-square-foot multi-tenant facility that houses more than 2,200 occupants, has proven to be a growing pain for Amburgey and his team.
“Worrying about this 1.2 million square feet building is a challenge, even more so as of late,” he says. Despite the threat of the COVID-19 pandemic, lockdowns and the imminent threat, protests defined 2020, specifically in the U.S., where demonstrators took to the streets in many cities in the aftermath of the killing of George Floyd. The pandemic, as well, was a key protest driver in 2020, as public health measures shifted into political discourse.
Beyond protests, other unplanned events and emergencies pose a great challenge for organizations and agencies, such as the BLS, whose main priority is to safeguard their facilities, assets and other business-critical operations remotely.
“Our building, as well as our Security Operations Center (SOC) have remained open from day one. We never closed; we just reduced our staffing numbers even if our remote posture expanded.” At the same time, Amburgey notes, not being able to communicate freely with on-site contractors and security guards, particularly as crises ensue, is taxing. “It falls back on not having eyes on the target and boots on the ground,” he says.
He adds, “We face every uncertainty during the pandemic. This is why it’s now more important to check in with my team, keeping team focus, and keeping them motivated, and healthy in terms of their physical and mental health. Work-life balance is critical, and I let them know that they are essential and very important in what they do every day to maintain security.”
Distractions and Work-Life Balance
Another big challenge for those security teams working remotely, not unexpectedly, according to Amburgey, is the numerous distractions that arise while working from home. “Security for me has never been conducted via telework,” he adds. “Now, aside from running security operations from home, we have to account for the bigger picture as well, including children, spouses, homeschooling and even family members. These are all factors that no one expected, and it’s a growing pain as everyone is starting to get a bit of ‘cabin fever’ and would like to get back in the building.”
Research conducted by the Statista Research Department in June 2020 revealed that the greatest sources of distractions while working from home were kids (33.8%), pets (18.1%) and partners (12.3%), as well as technology, such as social media, smartphones, gaming, news media and online shopping.
In addition to distractions, preventing burnout is a barrier to remote work as well, Amburgey says. Left unchecked, burnout can not only wreak havoc on health, happiness and relationships, but also job performance.
As the pandemic persists, frontline and other essential workers face particular risk of burnout and poor mental health outcomes, according to a June 2020 Kaiser Family Foundation survey. High rates of burnout and adverse mental health impacts were reported among people working remotely during the pandemic too, as they face new stresses and additional responsibilities at home and a fading work-life balance.
“I like to take the first 30 minutes of the day and the last 30 minutes of the day to focus on the team. I check in with everyone to reassure them that we’re all on the same team. It’s a ‘one team, one fight’ to get everybody on board so no one is feeling isolated or unimportant,” Amburgey notes. “If I get a sense that someone is starting to get burned out, then I will force them to take a Monday or a Friday off, so they can have a three-day weekend. It goes a long way in terms of helping rebalance work-life health.”
Research published in the MIT Sloan Management Review in June 2020 found that six in 10 remote workers reported feeling isolated before COVID-19, and the pandemic has helped bring this issue into focus. To battle isolation, regular check-ins by managers to see how their employees are doing personally and professionally have proven to be effective, according to the report.
Other strategies suggested by the study to help employees maintain work-life balance while working remotely include:
- Provide flexibility to work throughout the day or evening when it works best for employees, rather than a traditional 8 a.m. – 6 p.m. schedule.
- Encourage taking time off and time-blocking during the day to allow for taking care of kids.
- Allow every single team member an extra PTO day to promote rest and relaxation. This is important for managers to promote because it’s easy to log onto the computer and keep working when you should have mentally transitioned to personal time instead of professional time.
- Set the tone and expectations for new productivity. It’s OK to get work done over the course of a day rather than during traditional work hours.
- Nudge employees to stop work at the designated log-off time to maintain work-life balance.
Remote work presents myriad challenges for information security, as remote work environments do not possess the same safeguards as in the workplace. David Levine, Vice President Corporate and Information Security, CSO, Ricoh USA, Inc., a digital services and information management provider, says his main priority early in the COVID-19 pandemic was to ensure all 15,000+ Ricoh employees had the right set of tools and equipment to work remotely.
In addition to tools and equipment, providing relevant guidance and reminders is crucial, because well-intentioned employees can inadvertently pose a significant risk to the organization. To that point, working at home is not the same as being in the corporate office. Most people simply do not have the caliber and depth of tools protecting their home networks. You also have to consider issues that just don’t exist in the office, such as not sitting close to any smart devices while discussing confidential information during calls or only using secured Wi-Fi in public and at home, Levine says.
Levine notes his team at Ricoh was fortunate to already have had a great starting point from a security perspective and the capacity to work from home. “Over the years, we’ve been moving more and more to be laptop-based as Ricoh had employees with the ability to work-from-home part time. We had also recently deployed a comprehensive advanced endpoint solution across the full user base,” he says. “When the pandemic hit, many companies went through a tremendous rapid push to the cloud. We were fortunate in that we were already on a cloud-first strategy, so for us, it was about keeping that momentum going.”
The benefits of switching to the cloud are numerous, Levine explains, such as faster deployment of apps and services, automatic backup and logging of key metrics, greater flexibility and collaboration for staff, and enhanced security features. He adds, “By utilizing the cloud, you’re reducing the strain on the data center, especially during the pandemic.”
Cloud migration and strategy, of course, are not without cybersecurity concerns. A Deloitte poll found respondents were concerned about third-party risk management, workforce risk management (e.g., remote workforce, insider threats) and data privacy risk management as they relate to their organization’s cloud strategy.
“Third-party risk management dovetails right into the cloud. However, we’re putting the right security controls from a third-party risk management perspective, and vetting cloud solutions and our partners to understand what their security posture looks like and the risks associated with those solutions. A key part of managing risks associated with the cloud is to understand how and which types of data are utilized and managed through those,” Levine notes.
At AvidXchange, provider of accounts payable (AP) and payment automation solutions for the middle market, Christina Quaine, CISO and SVP, Technology Operations, says her immediate priority was to ensure proper asset management was done to give employees the right security tools.
Quaine says, “It involved understanding the types of vulnerabilities that exist while employees are connected to their own home networks, in addition to minimizing the risks to the organization. It was very dependent on people’s roles and their functions within the organization. For example, AvidXchange specialists that make payments for organizations manage sensitive data. We ensured that they were using a virtual desktop infrastructure (VDI) or a virtual private network (VPN) to secure every transaction.”
Key to securing transactions, customers and employees is the secure management of data, she notes. “The goal is to protect the organization from cybersecurity threats, not only externally but internally as well. Unwillingly and unknowingly, employees could be sending data to places that it shouldn’t be.”
Proactively assessing the impact of remote work on an enterprise’s IT infrastructure is also critical, and early identification of accounts, permissions, sensitive data locations and the controls in use go a long way in preventing insider threats before they begin, Quaine says.
Education and Training
In addition to leveraging technology to assist in the transition to remote work, Levine and his security team — which comprises more than 20 people focused on Cyber, Access Management, Governance, Physical Security and Trade Compliance — relied on good cybersecurity education and training.
Before the pandemic, Levine says, Ricoh migrated to quarterly cybersecurity training that is delivered in roughly 15 minutes. “We run three to four different segments; each animated video runs between three and four minutes each and are all based on real-world security events. We have found that this method is highly effective. Now, employees go out of their way to say they like and enjoy the training and even look forward to it.”
Because the segments are short, the trainings can touch on a variety of subjects, such as remote work, data breaches, payment card industry (PCI) compliance and standards, and third-party risk management, he says. “By assigning training on a quarterly basis on a variety of short topics, we’re able to plug and play relevant training material as needed.”
Quaine, who leads a team of more than 100 individuals, also ensured that education and training was a key aspect of the transition to work-from-home for all AvidXchange employees. She says, “Some of the best practices to keep remote employees and their data safe start with education and training your workforce on what to look for and how to prevent being tricked into phishing campaigns and malware attempts.”
Typically, AvidXchange employees complete annual compliance training every October. With engineers, however, additional training is done to ensure they are developing secure code. “During the pandemic, we have upped our internal phishing campaigns. It has gone a long way in demonstrating to the organization the improvements we are making and the thoughtfulness of all employees as they show an understanding of the cybersecurity risks. Overall, the entire organization is understanding that managing risk is critical to what we do,” Quaine says.
A year after the coronavirus pandemic drove organizations to quickly adapt, transition their employees to work remotely, and keep business operations running continuously, one major lesson has emerged: the importance of business continuity plans.
“We all learned a valuable lesson that our business continuity plans are not ‘check the box’ activities. They are there for a reason: they need to be iterated on, they need to be practiced with different crisis and emergency scenarios, so we can move in an agile way, while continuing our business and minimizing any risk to the organization,” Quaine says.
For Levine, his organization’s business continuity plan, for instance, was predicated on certain functions moving work from one region or location to another, if and when the need arises. “And that’s always worked great. But those plans didn’t necessarily contemplate everyone working from home,” he says. “Now, we are certainly making sure business continuity plans contemplate future events that could have the same or similar impact to our business.”
When business continuity planning fails as crisis strikes, however, having the right security controls (both physical and cyber), continuing to educate your workforce, and reinforcing basic security principles can go a long way in helping to enable the business and mitigate risk.