How long can you endure security challenges of a decentralized workforce?
Enduring the Security Challenges of a Decentralized Workforce in the Long Haul
Last year took us all on a roller coaster, watching workplaces swiftly shift from centrally located offices to decentralized work from home setups. But navigating the landscape of managing security challenges that have followed this new paradigm persists. With staff scattered, mainly at home and miles away from their colleagues, how does your company keep its defenses up?
As Linda Grinds - Vice President at McAfee suggests, it is time we dived into this pivotal question. Linda brings over 25 years of technology experience to the discussion and shares crucial insights on securing systems in a decentralized workforce.
The Decentralized Workforce: Embracing the Reality
Your workplace interactions have changed, and as we look to the future in a post-COVID environment, we're seeing workplaces are continually evolving. Companies have begun allowing their employees to stay virtual indefinitely, some have even started closing physical office locations.
But can you secure all these systems inside homes that may not meet the same security level you are used to within your companies or your office spaces?
Decentralized Workforce Security Implications
Security implications don't spare your company, whether you're just an employee or located in your security operations center. With most of us working from home or temporary locations, we must ask:
- Are our infrastructures ready for a remote workforce?
- Are we utilizing the cloud more or thinking about Identity and Access Management in this environment?
- Have you considered what tools your employees will need to do their jobs remotely?
- Is our approach to security flexible enough for the changing landscape?
These are questions we must address promptly as employees bring their devices home and work over potentially insecure networks.
The Long Haul: Navigating the Security Implications
Preparation to endure the security challenges of a decentralized workforce in the long haul begins with understanding your cybersecurity posture. According to Linda, the first step is to revisit your operating procedures, policies and security hygiene practices. You want to be diligent about updating your systems, keeping up to date with the latest patches and updates for all of your hardware and software.
Employee Education: An Essential Tool in Cybersecurity
While securing software and systems is pivotal, a significant part of cybersecurity lies in educating employees on best practices and ensuring they can react appropriately to cyber-related incidents. In the rapidly changing cybersecurity landscape, a progressive and proactive approach, which includes extensive leadership involvement in reviewing the company's security posture and holding frequent threat reviews, is essential.
You don't want to be the company on the headlines for the wrong reasons. Nor do you want to discover, too late, that your recent hire lacks the skills needed to secure your company against the latest threats. It's high time we started asking the right questions and taking appropriate actions.
Preparing for the Long Haul
Despite the challenges, the security of a decentralized workforce is not a hopeless case. In the short term, start assessing your current cybersecurity posture and begin to educate your family and employees on understanding their cybersecurity risk.
In the longer term, you should dive into a thorough evaluation of your cyber-related security postures and procedures. Educate team members on future threats and how to use the latest tools. It's time to start thinking about (and investing in) updating your cybersecurity posture and procedures.
The road to enduring the security challenges of a decentralized workforce in the long haul may not be a comfortable journey, but with the right approach and necessary steps in place, you and your company can navigate these challenges successfully.
Video Transcription
A welcome to. How long can you endure the security challenges of a decentralized workforce? Almost overnight, many companies went from having their workforces centrally located in offices to becoming decentralized and working from home as many of us. Remember all too well, last year.
But how long can you and your company endure those security challenges of that new decentralized workforce that we're going through and that's what we're going to touch on today. And please do enter your questions and chat and I will have some time at the end to discuss uh your questions and answer them. I'm Linda Grinds staff and I'm a vice president at mcafee. I have over 25 years of technology experience and I want to share some of that experience and learning that I have uh gained over the years with you today. So prior to COVID, we were in person for most of our meetings, they may have looked like this photo that you see here on the screen. And we didn't think twice about traveling across the country in the United States or maybe even to a different country. If you know, our countries are smaller for a half day meeting, turn around and then travel back home. We didn't think twice about that. And then in March of 2020 as countries started to shut down due to the pandemic almost overnight, we all started working from home and our meetings often look like this uh as we were looking at each other in various zoom pictures um or teams or whatever the collaboration tool of choice that you may be using.
And we all became separated from our colleagues. Everyone had to do virtual meetings for everything. And we also learned that not everything required a face to face trip as we sat at home, uh maybe in our slippers or maybe you're in your slippers now, um sitting at home as you're doing your work and those workplace interactions have changed. But as we look to the future in a post COVID environment, we're already starting to see that workplaces are changing and they're looking more and more like the photos that you see on the screen. Companies like Twitter, Nationwide, Insurance Square, Facebook and others are allowing their employees to be virtual forever. And some are closing physical office locations and with people being remote and potentially in person, how do you secure all of these systems that are inside homes that may not be at the same security level as which you might be used to inside your companies or inside your office place.
And how do you control things like your kids downloading things or clicking on things. Um, and, and just adjusting to all of that. So I'm curious how many of you, if you want to write and chat, how many of you are back to actually working in person? Um How many of you have no idea when, if ever you'll go back in person and I know this will vary depending on what your local conditions are like relative to the pandemic. Um And so I'm just curious if you would take a moment and, and put that in chat, I just want to see, you know, where things are at with where you're located in the world. And, and as, as you type that in chat, you know, regardless of what our conditions are like and maybe things open and maybe things close back up. Um As we go through the next several years, there are so many security implications of this decentralized workforce that we really need to consider whether or not you're just an employee at the company or you're located in your security operations center. So as we look to that, and, and we think about, you know, that remote workforce and most of us are working at home, um or maybe we're in a temporary location and we go through things. Are those infrastructures ready for a remote workforce?
Are you utilizing the cloud more or thinking about how you're going to do identity and access management across this new, new environment that you're working on? Have you considered what tools your employees will need to do their jobs remotely? Because when we went to working from home overnight, a lot of companies had to change and adapt. But did your company change and adapt? And is that ready for a long term haul to be working from home? And as that remote remote worker, you know, takes all those devices now at home, you might be on that same network as a vulnerable device. So for example, as you look at your home, have all of your internet of things, devices been secured. Have they been updated for the latest patches? When was the last time you updated your ring doorbell, for example, or maybe if you have some kind of a a smart scale or or whatever that IOT device is, when was the last time that you patched that? And and as we continue to think about our home environments, you know, that brings a security awareness, education with our employees and with the families that we have because everyone needs to be reminded to not click on that fishing link. And what is that fishing link even look like? And so it's important that people are educated and they're aware so that they know what's happening in the environment.
Um As we all you know, adjust to this new paradigm, your security operation centers in your companies may also receive more alerts due to these unsecured environments. So one of the things that we're seeing is that, you know, as you're starting to work from home and you bring these devices into your home network, your, your corporate devices or even a small or medium business device into your home network. Does the security operation center as they're starting to get more alerts, do they know what to do? Is there anyone that's watching all of that? Because you, you now your security Operations center employees are also at home. And so back to the tools, do they have the tools and do they know what to do and how to answer all of those various alerts that are coming in? And then last, the employees may not have the tools needed to do their jobs. So not just the security Operations Center for all of our individual employees, do they have the tools necessary to do their jobs to be successful or are they taking shortcuts, get the job done that could be putting your company at risk? Those are things to also take into account and to consider like, what do they need to do their jobs to keep your intellectual property and, and even your personal information. How do you keep that secure?
So as we look to that remote workforce, how do you handle that security now that everyone's remote, even if you're not in the security operations center or you're not working at a security company. So the first thing is we all went virtual almost overnight for most of, of the world, you know, and were you prepared? And when was the last time you revisited your operating procedures and your policies that you have? So ideally what you would want to do is you would want to revisit your policies and procedures at least at a minimum two times a year or when you have a major change within the company. Let's say that there's been a departure of key personnel, maybe there was a merger or acquisition at your company, a reorganization or some new regulations. Those kinds of things are things that you want to take into account that. So because we all went virtual, you still need to look at your policies and procedures. Do they work for that long haul? Do they work for that environment that you're in? Because things went quickly and are you still operating as they were a year ago or have you changed and modified them? Whoops. Too many clicks. Um How for the approach to security? How does your company approach it? Are you passive reactive or progressive?
So if you're passive, that's a company environment where you assume all the threats are just going to go away. They're not really a big deal. A reactive environment is where you think that the cybersecurity responsibility is only inside the it department and you'll react as things happen or maybe you'll adjust as things are seen in the news. So this type of environment is always playing catch up proactive is really where you're seeking to avoid issues and you're paying attention to them on a regular basis. You may also consult with third party companies to ensure that your security posture is high. If you're a progressive company, there's extensive leadership involvement in reviewing your company's security posture, you're going to hold frequent reviews knowing that that attack can happen at any time. And again, you may also consult a third party um to look at those security weaknesses.
So as you can imagine, a passive approach has a much, much higher risk level than those of a progressive approach. And that doesn't mean though that if you have a progressive approach that you're necessarily risk free, it just means that you're doing everything that you can to ensure that you're prepared. So one of the things that I mentioned that, you know, Twitter, um employees are starting to work from home. And if you remember last year, last summer, there was a Twitter incident where many accounts were hacked and it was discovered that after the incident, Twitter actually had no chief information security officer since December of 2019. So seven months before they were breached, they had nobody really watching, watching the the environment. And so one of the things that also happened during that Twitter analysis and all of this is out on the internet, you can read about it is that Twitter really also exploited that shift to working from home during the pandemic.
And so, you know, again, you don't want to be that next company that shows up in the headlines. So how, you know, when have you reviewed your, your policies and procedures and what is that approach that you have? So you can make sure that the hackers are not taking advantage to how you approach security. The next way is around security hygiene. So the approach that you have to your security are you also being very proactive at it? But then maybe do you have poor security hygiene? So for example, security hygiene is, are you diligent about updating your systems? Are you keeping up to date with the latest patches and the updates for all of your hardware and your software? Not only as you look to working from home and making sure that your home employees are doing that, but also in terms of your infrastructure because if you're logging into a server from home, but that server has not been patched, they're still vulnerable. So you need to make sure that all of your infrastructure is, is being taken care of. Are you requiring strong passwords in your environment? And are you having frequent backups of your data? Because if you were to be attacked with ransomware and you had a nice backup, you could say I'm not paying you that money, you could reinstall your hard or reinstall the software on those systems and continue on. Um the next area is around employee education.
It's very, very important, important that how often are you educating employees on those best practices? Are you also holding simulations of what to do if a cy cyber related incident were to occur? We have fire drills all the time at companies when we're in person and we even at home, we may prepare for a fire. But are you prepared to what to do if a cyber attack was to break out? Do employees know what to do? Do they know who to call, do they know how to react? Um And also do they know what to do to make sure that they're prepared so that they don't click on that link and that they tell their kids don't click on that link and they tell everyone in their households not to click because it's really, really important that there's education on all levels of what can happen because many times as humans we think, oh, that won't happen to me.
That's not going to happen to my company. We're good, but it's important that you review those policies and procedures and you really think about that education so that, you know, oh my goodness, this is what it looks like. The hackers have gotten a lot more sophisticated as time has gone on and they're staying one step ahead of us as individuals. And so we need to make sure, you know, that we are up to date on all of those latest um things that's going on. And the last is there still is a cyber skills shortage and that skills shortage continues on so many levels. So if you, if you have kids, this is definitely an area to, to have them go into or if you as an individual are interested, highly recommend it. Um but as a result of that cyber skills shortage, you get so many alerts for our security operation center and it's too many for the teams to handle. And so do they have that training that they need to do their jobs? So it's important not only to educate our employees on what's going on, but we also need to continue to educate those in our cyber teams at our various companies to make sure that they know how to look for the latest threats that are out there to protect us. And so how do we prepare for that long haul? So, within the next week, some things that I want you to do is really go back to your companies and say, what is our current cyber cybersecurity posture?
And are we prepared for the future and really educate your families on what they need to know and how to understand their cybersecurity risk? There's a lot of information online um about this. You can uh hire 3rd, 3rd party companies to help bring that education if you're not sure where to start within the next month, what I'd like you to do is really dive into those cyber related security postures and procedures. Have a thorough evaluation. Do they still make sense for what threats are out there today or do you need to look at things differently? And it helps to often have fresh eyes, um, to dive in and see? Oh, that probably doesn't make sense or maybe, you know, hey, this is good. We're, we're all set because we just reviewed it and then educating those team members on what those future threats are and how to use the latest tools. Are they turning on all of the security features that they could be turning on and then within the next three months update, your cybersecurity posture and procedures as necessary and make sure that you hire accordingly. And I know you may be thinking, well, why didn't you tell me to hire right away? But it's important to, to, you know, take time and find the right talent. Um And so make sure that you're hiring and adjusting those needs properly.
And so thank you, I look forward to answering your questions in our remaining time and what do we have first here in the chat? Um So I see lots of people saying that they have no ideas when they will um be, be going back to work and that's something that we absolutely see as well. Um And Lou says that Gartner estimates late last year that 75% of the devices and corporations are not monitored or registered with security operations. And that happens, that happens a lot where companies will, you know, the employee brings a device, plugs it into the network, logs on and starts doing their day to day operations. And so absolutely, that happens, which is why it's important for us as companies, you know, to go out and even if you're not at a security company to go look and see what's actually sitting out there on my network, even your home. Have you looked at how many devices are on your home network? It's probably a lot more than you think. And is it somebody else's neighbor device on your home network or, or do you also know what, what's on your own?
Um Lou asked regarding backups, how are you to know when the malware was installed? So that when you do the backup, you don't reinstall malware? Great question Lou. So one of the things to do is as you take those backups is making sure that you're scanning the content that's on those backups. Um Making sure your security software has all the latest and greatest features turned on. If you're scanning it with something that's, you know, five years old, probably not going to find the latest things. And so it is important that you are using all of those latest and greatest features. So that way when you do reinstall it, that you know that it is not present, um Lou also says, thanks Lou for being active uh on chat. Um on the skills storage, there's a catch 22 experience. People are complaining that they can't get through hr and people want to enter the profession don't have a clear idea of how to start or where to train. So how does mcafee approach that? Yeah, so that's a great, great question, Lou again, um One of the things that's important in terms of the skills shortage is educating hr on what skills you need.
Cybersecurity is a huge, huge topic, a huge area we have within Cyber, you could be a software developer, you could be somebody doing ethical hacking. Um You could be in terms the security operations center and all of those and I just picked three off the top of my head, but those are all requiring different skills. And so when you speak to hr and your staffing, you want to make sure that you're educating them on the very specific skills that you need. Not just saying I need somebody in Cyber that's like saying I need a manager. And if you say I just need a manager, you might not get the right manager. And so the same thing applies in Cyber is really focusing on what do you need and what are your current problems so that you can get the right people on board to solve those problems. And so that's one of the areas that I recommend is is educating that and then educating your teams on and maybe they don't exactly know either, um, on what they need, uh, as well.
Um, and with that, uh, I probably have time for one more question because I know we're scheduled to end here, uh, in about one minute. So if anyone else has another question, I'm happy to take that. Um, and while, while you're typing that last question, thank you everyone for joining the conference today. And I hope that you have a great week and I hope that you're enjoying everything. Um Karen is looking for, um Are there any entry level opportunities in the field? Absolutely.
Um Again, there is a cyber skills shortage. So what I would do is, is look at opportunities for the various companies that you're interested in working. There are many cyber skills training that you can take if you, you know, have really never taken any of those trainings. Um There's overview training classes you could look at linkedin learning. Um There's things on youtube that I have seen. There's been various TED talks. Um And then you can get into much deeper um uh training classes uh involved. Uh Harvard, Harvard uh also has some free online training classes that you can take related to cybersecurity. So I would take, you know, some of those classes, figure out what's interesting to you because it is a very large field and just go with your passion and go with your gut and I'm sure that you'll do great. Thank you everyone for taking time and I wish you all the, the have a great, great day. Thanks. Bye.