A CISO's Guide to WFH Security
As more and more companies are planning, and now executing, their emergency remote workforce strategies, we see an influx of articles with helpful WFH tips to stay productive. Here, we fill in some gaps other articles seem to have overlooked. This short list of Dos and Don'ts, geared toward IT and Security teams, will provide some helpful insights; however, for a more comprehensive list, I recommend this resource. Now let's get to the Dos and Don'ts.
- Do work with HR and Finance to establish guidelines for what you will and will not provide or pay for. What office equipment and devices, if any, will you buy, reimburse for, or let people take home? Beyond monitors and keyboards, think about the various job functions and what they need to be efficient from home. Things like headsets and small dry erase boards are often overlooked.
- Don't be surprised to learn that one or more people in your organization have poor internet bandwidth, don't have any internet access, or even "borrow" their neighbor's unsecured network while at home. Like equipment, it's best to plan ahead for this situation.
- Do establish a backup communication platform for IT and Security. If you use Slack, Microsoft Teams, or a similar service, what will you fall back to if they become disrupted? At Cybrary, we heavily rely on Slack and use Keybase.io as our failover.
- Don't assume everyone knows the policies. Review, revise, and re-communicate your Mobile Device and Remote Work policies. If you don't have them, now is the time to create them. If they're the typical policy documents that read like end-user license agreements, consider providing the "Cliff's Notes" version with some humor mixed in.
- Do test your VPN and make sure everyone can and knows how to connect to it. Larger organizations should consider stress-testing their VPN to ensure it's up to the 9 AM challenge.
- Don't underestimate the challenge of providing IT support to a remote workforce. Expect hardware to fail. Establish clear lines of communication and make it as easy and stress-free as possible for people to ask for and receive help. Stay connected to your team with periodic, but not overly frequent, check-ins.
- Do use this as an experiment for potentially expanding your team's or organization's work-from-home/remote policies. When this is all done, expect people to use this as evidence that they can be as productive, if not more so, when working remotely. Take note of what works and what could be improved.
- Don't expect everyone to be able to work remotely. Remote teams/companies interview for the skills and traits necessary. More seasoned team members tend to handle it better than their less experienced colleagues. Not everyone will know what to do without the buzz from being in an office. Stay connected to individuals and hold them accountable.